How to Dissect a Website Attack -page 3


I found that a malicious .php file was uploaded to my website, containing what appears to be an exploit. If we examine the long string of text you can see that the beginning of the string is in hexadecimal format. Hexadecimal characters can represent ASCII text characters so this is probably a way of obfuscating a suspicious command. To discover the hidden command you can manually compare the hex characters against an ASCII character chart or copy and paste the hex characters into a quick script too see if a scripting language will interpret the hex codes for you. In the images below, I first copy the leading hex characters from the malicious line of code and then paste them after a print command in the Python command interpreter. After hitting the enter key you can see that Python interprets the hex codes as text.


The Base16 Hex code at the beginning of the file is obfuscating a hidden text command

A print command in Python is used to reveal the obfuscated string of Hex codes

You can see from the output above that the leading string of hex characters is actually the front half of a eval function which calls nested commands: first decode some base64 code, then extract it because it is probably gzipped compressed file, then execute it by running it in an eval() function. This obfuscated hex code is attempting to execute something in the Base64 code. Now if we write a Python script that will print the leading Hex code, decode and print the Base64 code, and then print the ending Hex code we can see the program behind this long string of encoded characters.

In the malicious PHP file the long string of characters in the ‘preg_replace’ function has Hex
at the beginning and at the end (not pictured) and a long string of Base64 encoding in the middle

Here is an image of the Python script, quickly put together by Steve in the class, that will decode the Base64, and extract the compressed file, and then run the evaluate() function which will execute the malicious string in the .php file:

The beginning and ending of the Python script which decodes
the “preg_replace” string of Hex and Base64 codes from the malicious .php file

We can run this script in the Python command line in order to print to screen the malicious hidden script. You can see on line 1 below that I call the script with the python command followed by the python script file and then piped to more to see the output one screen at a time. You can see that Python has successfully decoded the Hex and the Base64 and returned the hidden program that was on the .php file. Notice the hex code has been translated on line 2 and you can see the eval() function:

Python decode scripts

One of the more interesting parts of this malicious program is near the bottom of the script you can see there is an additional Base64 encoded exploit that the script is going to decode. From the text in the script (see highlighted) we can gather that the embedded exploit is a backdoor to the webhost written in Perl. Notice the text “Bind port to /bin/sh” which is the Bash Shell on the Linux webserver. Notice that the backdoor is a “bind port” to port “31337”. Many people already will know that the port number 31337 was not chosen randomly, it is a substitution cypher or leetspeak for the word”elite.” This lets us know that the programmer considers himself or herself as an elite hacker (see image below).

If you decode the highlighted base64 encoded characters in the image above, you can see that it is indeed a Perl script and that it is creating a bind shell to a provided socket address (ip address and port number), probably to another computer that the hacker controls. The first image below is the Python script that decodes the Perl script. The second image is the Python script run in the Windows command prompt.


*Note: Many thanks to Steven B who helped me with this class and project

<< How to Dissect a Website Attack -Page 2

Author: Dan

Dan teaches computer networking and security classes at Central Oregon Community College.

Leave a Reply

Your email address will not be published.