Backdoor.PHP.DEFACER.B

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor adds the following folders:

• If request parameter "getTools" is set and directory "/home/{username}/.cpanel" exists
  • /home/{username}/mail/{server name}/smtpfox-{random}
  • /home/{username}/mail/{server name}/smtpfox-{random}/.Archive
  • /home/{username}/mail/{server name}/smtpfox-{random}/.Drafts
  • /home/{username}/mail/{server name}/smtpfox-{random}/.Sent
  • /home/{username}/mail/{server name}/smtpfox-{random}/.spam
  • /home/{username}/mail/{server name}/smtpfox-{random}/.Trash
  • /home/{username}/mail/{server name}/smtpfox-{random}/cur
  • /home/{username}/mail/{server name}/smtpfox-{random}/new
  • /home/{username}/mail/{server name}/smtpfox-{random}/tmp

It drops the following files:

• If request parameter "getTools" is set and directory "/home/{username}/.cpanel" exists
  • /home/{username}/mail/{server name}/smtpfox-{random}/dovecot-acl-list
  • /home/{username}/mail/{server name}/smtpfox-{random}/dovecot-uidlist
  • /home/{username}/mail/{server name}/smtpfox-{random}/dovecot-uidvalidity
  • /home/{username}/mail/{server name}/smtpfox-{random}/dovecot-uidvalidity.5e196afc
  • /home/{username}/mail/{server name}/smtpfox-{random}/dovecot.index.log
  • /home/{username}/mail/{server name}/smtpfox-{random}/dovecot.list.index.log
  • /home/{username}/mail/{server name}/smtpfox-{random}/dovecot.mailbox.log
  • /home/{username}/mail/{server name}/smtpfox-{random}/maildirsize
  • /home/{username}/mail/{server name}/smtpfox-{random}/subscriptions
• If request parameter "getTools" is set and directory "{document root dir}/wp-admin" exists:
  • {Document Root Directory}/wp-admin/php.ini
  • {Document Root Directory}/wp-includes/php.ini
  • {Document Root Directory}/wp-content/php.ini
  • {Document Root Directory}/wp-admin/.htaccess
  • {Document Root Directory}/wp-includes/.htaccess
  • {Document Root Directory}/wp-content/.htaccess
  • {Document Root Directory}/wp-includes/index.php
• Else If directory "{document root dir}/components" exists:
  • {Document Root Directory}/components/php.ini
  • {Document Root Directory}/administrator/php.ini
  • {Document Root Directory}/libraries/php.ini
  • {Document Root Directory}/components/.htaccess
  • {Document Root Directory}/administrator/.htaccess
  • {Document Root Directory}/libraries/.htaccess
• Else:
  • {Document Root Directory}/php.ini

It takes advantage of the following vulnerability/vulnerabilities to elevate privileges:

• “Reset Password for cPanel accounts” feature
  • Through replacing the contact email with an attacker defined email address and resetting the account password

Other System Modifications

This Backdoor modifies the following file(s):

• It rewrites the following cPanel files' email address:
  • /home/{username}/.contactemail
  • /home/{username}/.cpanel/contactinfo
• It appends created SMTP credentials:
  • /home/{username}/etc/{server name}/shadow
  • /home/{username}/etc/shadow

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Replace cPanel email address
• Reset cPanel Password
• Download and drop tools
• Create email account

Download Routine

This Backdoor downloads the file from the following URL and renames the file when stored in the affected system:

• http://{BLOCKED}ousfox.to/files/olux-shell.txt
• http://{BLOCKED}ousfox.to/files/xleet-shell.txt
• http://{BLOCKED}ousfox.to/files/mailer.txt

It saves the files it downloads using the following names:

• If directory "{document root dir}/wp-admin" exists:
  • {Document Root Directory}/wp-admin/{random string}.php
  • {Document Root Directory}/wp-includes/{random string}.php
  • {Document Root Directory}/wp-content/{random string}.php
• Else If directory "{document root dir}/components" exists:
  • {Document Root Directory}/components/{random}.php
  • {Document Root Directory}/administrator/{random}.php
  • {Document Root Directory}/libraries/{random}.php
• Else:
  • {Document Root Directory}/{random string}.php
  • {Document Root Directory}/{random string}.php
  • {Document Root Directory}/{random string}.php

Other Details

This Backdoor requires being hosted on a web server in order to proceed with its intended routine.

NOTES:

This Backdoor does the following:

• It attempts to access folloing URL to login cPanel with created credentials:
  • https://localhost:2087/login/
• It connects to the following URLs to reset cPanel password:
  • https://localhost:2083/resetpass
  • http://localhost:2082/resetpass
• It receives an attacker defined email address passed through request parameter "email"
• It proceeds to download and dropping routine if request parameter "getTools" is set
• It changes cPanel password to "f0x#{random}#x" if request parameter "code" is set
• It changes cPanel email addresses to one of the following depending on the request parameter set:
  • {value of ?email= request parameter}
  • smtpfox-{random}@{server name}