Posted on Thursday, 8th October 2009 by Michael
c99 and variant PHP shell detection, quarantine and removal
Every day I review my web server's visitor stats and logs, and the other day I noticed something odd. I saw a URL that was accessed 35 times from the same IP, and I did not recognize the file as being part of WordPress or any static page I have uploaded. The file was called Photo13.php. While investigating this file I noticed several files with a time stamp from the night before. These new files were part of the breach. In total, three files were found: the c99 PHP shell and two other scripts, one used to drop webmail.exe onto a visitor's machine and the other to email passwords from webmail users to the owner.
Before you all jump on me about WordPress and its security flaws, let me assure you I make sure to keep the core up to date every time there is an available update. I believe the breach was either on the host side, a weak cPanel password on one of my client sites, or the Twitter plug-in on the WordPress site. I am personally leaning more toward the Twitter plug-in or the host, as these sites were hosted for over two years on another host with the same configuration and there was not an issue until recently. Also, today there was an important upgrade warning about the Twitter plug-in.
This got me thinking about how I can be sure I have removed all copies of the c99 PHP shell and its variants that the attacker might have installed, and how I can take a more active approach to detecting this shell and others. When I copied the c99 PHP shell to my local machine and viewed the code, I noticed that it is encoded in base64, as many of you already know. When you decode it you get a compressed blob; it is not until you decompress that blob that you can see the actual code. If you are interested in decoding this file I suggest using Google to search for "gzinflate base64_decode". Though it was encoded, I did notice that the code was the same for several c99 PHP shells that I found on other people's sites via Google.
With this information I decided I could reliably detect a potentially infected file by running it through three separate string checks. So I wrote the following shell script (to download the code as a .sh file click here; WordPress messes up the formatting):
#!/bin/bash
##################################################################
### c99 and variant shell detection, quarantine and or removal ###
### Created by: Michael LaSalvia on 10/08/09 ###
### Site: http://www.digitaloffensive.com ###
### Not responsible for your use of this script ###
##################################################################
# Variables: if you don't know what you are doing leave these as is
txtInfect=/tmp/php.txt     # list of every .php file found under $dirSearch
dirSearch=/var/www/        # web root to scan
qInfected=/tmp/infected    # quarantine folder for renamed files
ck1=/tmp/c99check1.txt     # files that matched check 1 (gzinflate)
ck2=/tmp/c99check2.txt     # files that matched check 2
ck3=/tmp/c99check3.txt     # files that matched check 3
echo "########################################################"
echo "## Creating needed files and cleaning old check files ##"
echo "## Ignore errors here ##"
echo "########################################################"
mkdir -p $qInfected
rm -f $ck1 $ck2 $ck3 $txtInfect
echo "########################################################"
echo "### STARTING SEARCH FOR c99 and variants ####"
echo "########################################################"
find $dirSearch -name \*.php >> $txtInfect
for c99 in $(cat $txtInfect)
do
# Check 1: gzinflate is uncommon in legitimate web scripts
if grep "gzinflate" $c99 > /dev/null; then
echo "$c99 is infected **CHECK 1 of 3**"
echo $c99 >> $ck1
for c992 in $(cat $ck1)
do
# Check 2: start of the base64 blob shared by the c99 copies found
if grep "'7X1rcxs5kuBnd0T" $c992 > /dev/null; then
echo "$c992 is infected **CHECK 2 of 3**"
echo $c992 >> $ck2
for c993 in $(cat $ck2)
do
# Check 3: a longer slice of the same base64 blob
if grep "/wxMNVWOra7tTSb4BOrTD7FuM+847ZoXbxU7K2m2Elzg1RYWkhKujJiJa6QaqTwy9X5tCDZ6f77AUoj9XtkXuWQ5ROgowOYpU59wydY/" $c993 > /dev/null; then
echo "$c993 is infected **CHECK 3 of 3**"
echo $c993 >> $ck3
echo -e "##############################################################"
echo -e "## After 3x c99 code has been found in the following files: ##"
cat $ck3
echo -e "##############################################################"
echo -e "##### Press 1: To delete these files **WARNING** #####"
echo -e "##### Press enter: Rename the infected php to .txt #####"
echo -e "##### and move it to $qInfected for review #####"
echo -e "##############################################################"
echo -e "Please enter your choice: "
read yChoice
if [ "$yChoice" == 1 ]
then
for rmInfect in $(cat $ck3)
do
rm -f $rmInfect
echo "** $rmInfect has been removed"
done
else
# Renaming to .txt stops the web server executing the file; keep it for review
for mvRname in $(cat $ck3)
do
mv $mvRname $mvRname.txt
mv $mvRname.txt $qInfected
echo "$mvRname has been renamed to $mvRname.txt"
echo $mvRname.txt has been moved to $qInfected
done
fi
fi
done
fi
done
fi
done
rm -f $ck1 $ck2 $ck3 $txtInfect
The shell script is based on my worm detection shell script, which can be found here: http://www.digitaloffensive.com/2009/10/removing-a-mass-web-site-infection/. This script searches the "PATH" you provide for all files on your system with a .php extension and saves them to a file. The script then checks each file in the list using three nested "for loops". The first for loop checks for the string "gzinflate", as that is not a common command in most web scripts. If the string is detected it logs the file path to another file; if there is no possible infection it will end the script. If the string was found, the next for loop searches the possibly infected files for the string "'7X1rcxs5kuBnd0T". Once again, if the string is found it copies the file path and name to another file, and if nothing is detected it will end the script. The last for loop searches for the string "/wxMNVWOra7tTSb4BOrTD7FuM+847ZoXbxU7K2m2Elzg1RYWkhKujJiJa6QaqTwy9X5tCDZ6f77AUoj9XtkXuWQ5ROgowOYpU59wydY/". If this string is detected it saves the file path and name to another file. You are then prompted to take action against the script. You have the option to enter "1" to remove all the infected files that were found, or you can press any other key (enter) and it will rename the file with a .txt extension so the attacker cannot execute it; it will also move the file to a quarantine folder in your /tmp directory for your review.
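The same three-marker check written as a single pass, as an added example that is not the original script: every .php file under a directory is tested for all three strings from the post, and quarantine renames the file to .txt under a path-derived name so two hits with the same basename in different directories do not overwrite each other. The sample tree it scans is constructed inline (hypothetical file contents, only the marker strings are real).

```shell
#!/bin/bash
# Added example, not the original script. The three markers below are the
# ones the post's script greps for.
SIG1='gzinflate'
SIG2="'7X1rcxs5kuBnd0T"
SIG3='/wxMNVWOra7tTSb4BOrTD7FuM+847ZoXbxU7K2m2Elzg1RYWkhKujJiJa6QaqTwy9X5tCDZ6f77AUoj9XtkXuWQ5ROgowOYpU59wydY/'

# Print the path of every .php file under $1 that contains all three markers.
# Fixed-string grep (-F) so the '+' and '/' in the markers are never treated
# as regex metacharacters.
c99_scan() {
  find "$1" -type f -name '*.php' -exec grep -lF -- "$SIG1" {} + 2>/dev/null |
  while IFS= read -r f; do
    grep -qF -- "$SIG2" "$f" && grep -qF -- "$SIG3" "$f" && printf '%s\n' "$f"
  done
  return 0
}

# Move $1 into quarantine directory $2 as <full path with / replaced by _>.txt,
# so the web server cannot execute it and same-named hits do not collide.
c99_quarantine() {
  mkdir -p "$2"
  dest="$2/$(printf '%s' "$1" | tr '/' '_').txt"
  mv -- "$1" "$dest" && printf '%s\n' "$dest"
}

# Constructed sample tree: one file with the c99 markers, one legitimate
# gzinflate user (check 1 only), one plain page.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/site/uploads" "$d/site/wp-content"
  printf "<?php eval(gzinflate(base64_decode(%s...%s')));\n" "$SIG2" "$SIG3" \
    > "$d/site/uploads/Photo13.php"
  printf '<?php echo gzinflate($data);\n' > "$d/site/wp-content/legit.php"
  printf '<?php echo "hello";\n' > "$d/site/index.php"
  printf '%s\n' "$d"
}

# Demo on the constructed tree; on a real host run: c99_scan /var/www
sample=$(make_sample)
c99_scan "$sample"
rm -rf "$sample"
```

Only the file carrying all three markers is reported; the legitimate gzinflate caller passes check 1 alone and is left untouched.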
If you have any questions, comments or concerns please feel free to post them or contact me.
Comments (2)
October 10th, 2010 at 7:59 pm
Thanks very much for that, what a great script! I have received a few c99’s in my upload facility but I’m fairly sure I caught them all. Guess this’ll help me find out for sure..
October 10th, 2010 at 10:11 pm
This script is good and really accurate since it runs several tests, but remember malware can evolve, though the c99 shell is pretty old.