
5.8.54.6-2019-10-08a

Well-coded re-mailer

A strangely well-coded email forwarder.

Origin

The attackers thought they were uploading a file named "sandsmark98.php" through an instance of the WSO web shell. The request arrived with the full set of HTTP parameters WSO uses, complete with stereotypical values.

| Parameter name | Parameter value |
| --- | --- |
| pass | nhzgrf |
| a | FilesMan |
| c | /var/www/html/ |
| p1 | uploadFile |
| charset | Windows-1251 |

"uploadFile" is a sub-task of the "FilesMan" (file manager) action in WSO. The request also arrived with a password, "nhzgrf", in the "pass" parameter; WSO protects the shell with a single shared password sent this way, so a short random-looking string here is typical of WSO installations.
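As an added example (not part of the original analysis), here is a small Python scorer that flags form-encoded request bodies carrying the WSO parameter set listed above. The sample bodies are constructed, and the indicator list and threshold are my own choices rather than anything taken from WSO:

```python
"""Flag HTTP request bodies that carry the WSO web-shell parameter set.

Added example: the request bodies below are constructed to resemble the
captured request described above; the indicator weights are a design choice,
not something taken from WSO itself.
"""
from urllib.parse import parse_qs

# Constructed sample bodies (form-encoded, as WSO's POSTs arrive before the
# web server decodes them). The first mirrors the captured parameter set.
WSO_UPLOAD_BODY = (
    "pass=nhzgrf&a=FilesMan&c=%2Fvar%2Fwww%2Fhtml%2F"
    "&p1=uploadFile&charset=Windows-1251"
)
BENIGN_LOGIN_BODY = "username=alice&password=hunter2&remember=1"


def wso_indicators(params: dict) -> list:
    """Return the names of WSO indicators present in an already-parsed
    parameter map (one string value per name)."""
    hits = []
    # WSO authenticates with a single shared secret in 'pass' and dispatches
    # on 'a' (the action); seeing both together is the strongest signal.
    if "pass" in params and "a" in params:
        hits.append("pass+a")
    # FilesMan is WSO's file-manager action; uploadFile is its upload sub-task.
    if params.get("a") == "FilesMan":
        hits.append("a=FilesMan")
    if params.get("p1") == "uploadFile":
        hits.append("p1=uploadFile")
    # 'c' carries the shell's current directory as an absolute path.
    if params.get("c", "").startswith("/"):
        hits.append("c=absolute path")
    # WSO's charset selector defaults to the Cyrillic code page.
    if params.get("charset", "").lower() == "windows-1251":
        hits.append("charset=Windows-1251")
    return hits


def score_body(body: str, threshold: int = 3) -> dict:
    """Parse a form-encoded body and score it. A real uploadFile request is
    multipart/form-data; let the web framework decode that and pass the
    resulting field map straight to wso_indicators()."""
    parsed = parse_qs(body, keep_blank_values=True)
    params = {name: values[0] for name, values in parsed.items()}
    hits = wso_indicators(params)
    return {"hits": hits, "score": len(hits), "is_wso": len(hits) >= threshold}


if __name__ == "__main__":
    for label, body in (("wso", WSO_UPLOAD_BODY), ("benign", BENIGN_LOGIN_BODY)):
        print(label, score_body(body))
```

The threshold of three indicators keeps a lone `pass` or `charset` parameter from firing; the combination of `pass`, `a`, and a `p1` sub-task is what distinguishes WSO traffic from an ordinary login form.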

IP Address 5.8.54.6

inetnum:        5.8.48.0 - 5.8.55.255
netname:        PIN-DATACENTER-NET
country:        RU
organisation:   ORG-PINl1-RIPE
org-name:       Petersburg Internet Network ltd.
org-type:       LIR
address:        Babushkina st. 3, office 215.
address:        192029
address:        Saint-Petersburg
address:        RUSSIAN FEDERATION
route:          5.8.54.0/24
descr:          PIN DC
origin:         AS34665

Obfuscation

The downloaded file isn't obfuscated at all. Oddly, none of the anti-virus engines on virustotal.com detected it, though a plain PHP mailer offers little for signature-based scanners to match.

Analysis

There are 103 lines of craftsmanlike code in this remailer. Indentation is a consistent 4 ASCII spaces, and some "blank" lines actually consist of 4 ASCII spaces, which suggests a careful cut-and-paste from an editor that preserves trailing indentation. Variable names are lowercase and relevant to each variable's function. Two comments do appear, but one is an empty block, and the other is a commented-out line of code that's apparently no longer wanted.

There are two functions, EmailText and EmailHtml, which duplicate a lot of code: each sets up elaborate MIME headers in much the same fashion, including a "Content-type" header and a content-encoding header, and EmailHtml base64-encodes the HTML part of the email. Ultimately the remailer calls PHP's mail() builtin, which hands the message to whatever mail transport the compromised host has configured (the sendmail_path binary on Unix-like hosts, or the SMTP server named in php.ini on Windows).

The remailer works when invoked by an HTTP POST request, using plainly-named HTTP parameters. The value of the POST parameter named "headers" is passed through the PHP builtin json_decode, so the caller supplies the message headers as a JSON object. json_decode has been a builtin since PHP 5.2.0, so the code won't run on older PHP, though by 2019 that rules out very little.
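As an added example covering the analysis above (not code from the sample or from this repository), here is a Python triage script that checks PHP source for the mailer markers described (mail(), json_decode of request input, base64 encoding, Content-type headers), for the common obfuscation wrappers whose absence the analysis notes, and for the whitespace fingerprint (consistent 4-space indentation, "blank" lines made of spaces). SAMPLE_PHP is a constructed approximation of the described structure, not the real file:

```python
"""Static triage of a PHP mailer: mailer markers, obfuscation markers and the
whitespace fingerprint described in the analysis.

Added example, not the analysed sample: SAMPLE_PHP is a constructed
approximation of the structure the analysis describes (two mail functions and
a json_decode of $_POST['headers']), written here for the scanner to run on.
"""
import re

# Constructed stand-in for the remailer. Built from a list so the line that
# consists only of four spaces survives any trailing-whitespace stripping.
SAMPLE_PHP_LINES = [
    "<?php",
    "function EmailText($to, $subject, $body, $extra)",
    "{",
    '    $headers = "MIME-Version: 1.0\\r\\n";',
    '    $headers .= "Content-type: text/plain; charset=UTF-8\\r\\n";',
    "    $headers .= $extra;",
    "    return mail($to, $subject, $body, $headers);",
    "}",
    "    ",  # a "blank" line made of four ASCII spaces
    "function EmailHtml($to, $subject, $body, $extra)",
    "{",
    '    $headers = "MIME-Version: 1.0\\r\\n";',
    '    $headers .= "Content-type: text/html; charset=UTF-8\\r\\n";',
    '    $headers .= "Content-Transfer-Encoding: base64\\r\\n";',
    "    $headers .= $extra;",
    "    return mail($to, $subject, base64_encode($body), $headers);",
    "}",
    "$h = json_decode($_POST['headers'], true);",
]
SAMPLE_PHP = "\n".join(SAMPLE_PHP_LINES)

# Markers of a hand-written mailer (the traits the analysis calls out).
MAILER_MARKERS = {
    "calls mail()": r"\bmail\s*\(",
    "reads request input": r"\$_(POST|REQUEST|GET)\b",
    "json_decode on request input": r"json_decode\s*\(\s*\$_(POST|REQUEST|GET)\b",
    "base64-encodes content": r"\bbase64_encode\s*\(",
    "sets Content-Type header": r"Content-[Tt]ype\s*:",
}
# Wrappers typical of obfuscated PHP malware; the sample has none of them.
OBFUSCATION_MARKERS = {
    "eval": r"\beval\s*\(",
    "base64_decode": r"\bbase64_decode\s*\(",
    "gzinflate/gzuncompress": r"\bgz(inflate|uncompress)\s*\(",
    "str_rot13": r"\bstr_rot13\s*\(",
    "create_function": r"\bcreate_function\s*\(",
}


def scan_php(src: str) -> dict:
    """Report which marker groups fire and a coarse verdict."""
    mailer = [name for name, pat in MAILER_MARKERS.items() if re.search(pat, src)]
    obf = [name for name, pat in OBFUSCATION_MARKERS.items() if re.search(pat, src)]
    if obf:
        verdict = "obfuscated"
    elif len(mailer) >= 3:
        verdict = "unobfuscated mailer"
    else:
        verdict = "no mailer markers"
    return {"mailer_markers": mailer, "obfuscation_markers": obf, "verdict": verdict}


def indent_profile(src: str) -> dict:
    """Whitespace fingerprint: indentation widths in use and the number of
    lines that look blank but contain spaces or tabs. Useful for clustering
    samples by the editor habits of whoever pasted the code."""
    widths = set()
    whitespace_only = 0
    lines = src.splitlines()
    for line in lines:
        if line and not line.strip():
            whitespace_only += 1
            continue
        width = len(line) - len(line.lstrip(" "))
        if width:
            widths.add(width)
    return {
        "lines": len(lines),
        "indent_widths": sorted(widths),
        "whitespace_only_lines": whitespace_only,
    }


if __name__ == "__main__":
    print(scan_php(SAMPLE_PHP))
    print(indent_profile(SAMPLE_PHP))
```

Running it on the constructed sample yields the "unobfuscated mailer" verdict, a single indentation width of 4, and one whitespace-only line, which is the profile the analysis describes; the same two functions run over a directory of captured uploads separate hand-written mailers from eval/gzinflate droppers without any signature database.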