

Malware Cleanup: Analysis of an Undetectable web-shell code uploaded, RevSlider bug

I started my day with my regular Malware Cleanup activity and came across an interesting backdoor web shell file on the server. The server is not specific to any particular environment; it was one of the regularly updated WordPress packages, with the RevSlider plugin ver. 4.1.4.

I initiated the process to detect backdoors and web malware, and got a hit on a malicious .htaccess file which was redirecting hxxp:// as shown below:

I immediately started the mitigation process to remove and clean the malicious .htaccess file, and in the process created a backup of all files. Upon further investigation and some digging into other files on the server, I ended up inspecting all files on the server using the following method:

find ./ \( -regex '.*\.php$' -o -regex '.*\.inc$' \) -print0 | xargs -0 egrep -il "$shellPaterns" | sort > shellPaterns.txt
I also incorporated different techniques to detect any possible web shells and backdoors (for more techniques visit here), and at last I got a hit on a web shell code.

The beauty of this shell code is that it was completely undetectable to all the anti-viruses. Dissecting the whole code, we found that it was encoded with base64, in a reverse compressed format, using the following snippet:

On taking a closer look at its modus operandi, we found that it was decoding the entire encrypted web shell code, and in the next line it was sending commands to the web shell function for execution, as you can see in the code. This coded web shell was protected by authentication: it asked for a password to access the web shell.

The code was completely encrypted and there was a static password stored in the script to access the webshell. I started analyzing the script and tried to decrypt the web shellcode.

I found the following statement suspicious:

It might be the snippet that holds the password for the web shell authentication function.

A couple of minutes into my research, I finally found that this is the only function responsible for the authentication, and I wrote the following code to decrypt it:


So here the webshell (WSO version 2.8) is actually storing the password as an MD5 hash (73b197105b5366d300bcab1aba35fb9b); if you just search for the MD5 hash on Google, you will find the plain text. You can find the PHP code here.

Details for the webshell, check out detection rate and analysis here :
MD5  : dba5a9a19f240a217b04003ac7084bb3
SHA1 : 28b399288497463f290e73bb8fca27be42de6095
SHA256 : 2ed92600c1e2baa9435a87fdf73807084242d0da2016362bcd0804bfa3f285a0
ssdeep 384:g7ECACT88nrR6og+cFz0ezXx0xSIZ3BLbMHMjRmgUR1RYsyOgDsephg4Hn8Wl:gBPokVfeFB7KAIZxf+fesyOks+hgOp
File size 24.7 KB ( 25259 bytes )
The curious question here is: from where did the attacker upload the webshell and access the entire server? I started checking all external plugin installations and, after digging into the access.log and error.log, got the following findings:

Code:
- - [04/Mar/2015:00:44:22 +0530] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3448 "-" "Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0"
- - [04/Mar/2015:00:44:23 +0530] "POST /wp-content/plugins/wp-symposium/server/php/index.php HTTP/1.1" 404 1417 "-" "Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0"
- - [04/Mar/2015:00:44:25 +0530] "GET /wp-content/plugins/wp-symposium/server/php/kcEgkjtkpykvzG.php HTTP/1.1" 404 1417 "-" "Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0"
The spotlight was on the RevSlider plugin ver. 4.1.4: it was a vulnerable plugin that let the attacker read files on the server. The attacker managed to access the WordPress web config file and gained further access. This is how I saved the day and cleaned up the malware, web mailers, backdoors and other malicious files from the website.
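
For anyone reviewing their own access.log for the same pattern, the following is an added example (not code from the original post) that flags `revslider_show_image` requests whose `img` value does not look like an ordinary image path. The image-extension heuristic, the function names and the sample lines with 203.0.113.x / 198.51.100.x documentation addresses are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined Log Format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")  # assumed set of legitimate slide images

def suspicious_img(value):
    """True if the img parameter points at anything other than a plain image path."""
    v = value
    for _ in range(3):  # normalise values that were percent-encoded more than once
        v = unquote(v)
    v = v.replace("\\", "/").lower()
    return "../" in v or v.startswith("/") or not v.endswith(IMAGE_EXT)

def find_revslider_reads(lines):
    """Return one finding per revslider_show_image request with a suspicious img value."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/admin-ajax.php"):
            continue
        qs = parse_qs(url.query)  # decodes the query string once
        if "revslider_show_image" not in qs.get("action", []):
            continue
        for img in qs.get("img", []):
            if suspicious_img(img):
                # HTTP 200 means the plugin answered, so treat the file as disclosed
                findings.append({"host": m["host"], "time": m["time"],
                                 "img": img, "served": m["status"] == "200"})
    return findings

# Constructed sample lines modelled on the log entries in the post
SAMPLE = [
    '203.0.113.7 - - [04/Mar/2015:00:44:22 +0530] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3448 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Mar/2015:00:44:23 +0530] "POST /wp-content/plugins/wp-symposium/server/php/index.php HTTP/1.1" 404 1417 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [04/Mar/2015:09:10:01 +0530] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=uploads/2015/03/slide1.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [04/Mar/2015:11:02:40 +0530] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%2Fwp-config.php HTTP/1.1" 403 312 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_revslider_reads(SAMPLE):
        print(finding)
```

Any finding with `served` set to true means the contents of that file, including database credentials in the case of wp-config.php, should be considered exposed and rotated.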
