C99 Webshell Backdoor SpYshell v.KingDefacer Traffic Analysis PCAP file download screenshots

Download Attachments

  • 1 pcap c99 (date added: January 20, 2017 10:24 am; added by: admin; file size: 206 KB; downloads: 180)

A PCAP and screenshots of the C99 webshell in use. C99 has been one of the most commonly used PHP webshells over the years; the build captured here is the SpYshell v.KingDefacer modification, whose status text and several header names are Turkish. The tcpdump ASCII output below shows the operator at 192.168.1.102 talking to the shell at http://192.168.1.100:55555/c99.php. A first request carrying c99shcook[login]=0 is refused with a 401 ("Yetkisiz" is Unauthorized, "Erisim Engellendi" is Access Denied, and the WWW-Belgele header sits where WWW-Authenticate normally does, so a browser would not even raise a credential prompt). A second request carrying ry4wn[login]=0 instead is answered 200 with the gzip-compressed shell page, and the Referer headers that follow show the shell's own links carry that same parameter; in the 200 response the headers Zamani, Son Modifiye and Pratik occupy the positions of Expires, Last-Modified and Pragma in c99's usual no-cache header block. The shell's image fetch (act=img&img=up), sent without the login parameter, is refused again, and finally a multipart POST with act=upload pushes a file named logo.png to the server.

2017-01-20 03:22:24.448614 IP 192.168.1.102.54057 > 192.168.1.100.55555: Flags [P.], seq 1:404, ack 1, win 2053, length 403
GET /c99.php?c99shcook[login]=0 HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

2017-01-20 03:22:24.448633 IP 192.168.1.100.55555 > 192.168.1.102.54057: Flags [.], ack 404, win 237, length 0
2017-01-20 03:22:24.449057 IP 192.168.1.100.55555 > 192.168.1.102.54057: Flags [P.], seq 1:327, ack 404, win 237, length 326
HTTP/1.0 401 Yetkisiz
Date: Fri, 20 Jan 2017 08:22:24 GMT
Server: Apache/2.4.18 (Debian)
WWW-Belgele: Basic realm="SpYshell KingDefacer: Restricted area"SpYshell v.KingDefacer
Content-Length: 87
Connection: close
Content-Type: text/html; charset=UTF-8

<a href="http://xxxxxxxxxxxxxxxxxxxxxxxx">SpYshell v.KingDefacer</a>: Erisim Engellendi

2017-01-20 03:22:31.946998 IP 192.168.1.102.54059 > 192.168.1.100.55555: Flags [P.], seq 1:400, ack 1, win 2053, length 399
GET /c99.php?ry4wn[login]=0 HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

2017-01-20 03:22:31.947013 IP 192.168.1.100.55555 > 192.168.1.102.54059: Flags [.], ack 400, win 237, length 0
2017-01-20 03:22:31.952320 IP 192.168.1.100.55555 > 192.168.1.102.54059: Flags [P.], seq 1:5601, ack 400, win 237, length 5600
HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 08:22:31 GMT
Server: Apache/2.4.18 (Debian)
Zamani: Mon, 12 May 2005 03:00:00 GMT
Son Modifiye: Fri, 20 Jan 2017 08:22:31 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pratik: no-cache
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 5151
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2017-01-20 03:22:31.983921 IP 192.168.1.102.54062 > 192.168.1.100.55555: Flags [P.], seq 1:384, ack 1, win 2053, length 383
GET /c99.php?act=img&img=up HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: image/webp,image/*,*/*;q=0.8
Referer: http://192.168.1.100:55555/c99.php?ry4wn[login]=0
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

2017-01-20 03:22:31.983929 IP 192.168.1.100.55555 > 192.168.1.102.54062: Flags [.], ack 384, win 237, length 0
2017-01-20 03:22:31.984218 IP 192.168.1.100.55555 > 192.168.1.102.54062: Flags [P.], seq 1:327, ack 384, win 237, length 326
HTTP/1.0 401 Yetkisiz
Date: Fri, 20 Jan 2017 08:22:31 GMT
Server: Apache/2.4.18 (Debian)
WWW-Belgele: Basic realm="SpYshell KingDefacer: Restricted area"
Content-Length: 87
Connection: close
Content-Type: text/html; charset=UTF-8

<a href="http://xxxxxxxxxxxxxxxxxxxxxxxx">SpYshell v.KingDefacer</a>: Erisim Engellendi

2017-01-20 03:22:56.211184 IP 192.168.1.102.54114 > 192.168.1.100.55555: Flags [P.], seq 1:624, ack 1, win 2053, length 623
POST /c99.php?ry4wn[login]=0 HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Content-Length: 39127
Cache-Control: max-age=0
Origin: http://192.168.1.100:55555
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLoRtloEXoMSV9bhy
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/c99.php?ry4wn[login]=0
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8

2017-01-20 03:22:56.211200 IP 192.168.1.100.55555 > 192.168.1.102.54114: Flags [.], ack 624, win 238, length 0
2017-01-20 03:22:56.211450 IP 192.168.1.102.54114 > 192.168.1.100.55555: Flags [.], seq 624:5004, ack 1, win 2053, length 4380
------WebKitFormBoundaryLoRtloEXoMSV9bhy
Content-Disposition: form-data; name="act"

upload
------WebKitFormBoundaryLoRtloEXoMSV9bhy
Content-Disposition: form-data; name="uploadfile"; filename="logo.png"
Content-Type: image/png

.PNG
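The capture above carries enough fixed strings to spot this shell on the wire. The Python below is an added example written for this page, not code from the page or from the c99 project: it scores the indicators visible above (the c99.php path, a <prefix>[login] query parameter, the act dispatch parameter in the query or in a multipart act field, and a 401 whose Basic realm or body names the shell) over request and response text in the form tcpdump -A prints it, junk header bytes included. The action names beyond img and upload are assumptions drawn from common c99 builds, and the sample traffic is constructed by transcribing the capture with the PNG body cut short.

```python
"""Flag C99 / SpYshell webshell traffic in captured HTTP text (added example)."""
import re
from urllib.parse import parse_qsl, urlsplit

# c99 dispatches on the `act` parameter. `img` and `upload` are in the capture; the
# remaining names are assumed from common c99 builds and can be extended locally.
C99_ACTIONS = {"img", "upload", "cmd", "ls", "eval", "sql", "encoder", "selfremove"}
# Strings the shell puts in its 401 realm and in its anchor text.
SHELL_BANNERS = ("c99shell", "spyshell", "kingdefacer")

# Unanchored at line start on purpose: tcpdump -A prints IP/TCP header bytes before the payload.
REQUEST_LINE = re.compile(r"\b(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r?$", re.M)
STATUS_LINE = re.compile(r"HTTP/1\.[01] (\d{3})\b")
LOGIN_PARAM = re.compile(r"^\w+\[login\]$")
# This build emits WWW-Belgele instead of WWW-Authenticate, so accept any WWW-* header
# that carries a Basic realm rather than keying on the standard header name.
WWW_REALM = re.compile(r'^www-[a-z]+:\s*basic\s+realm="?([^"\r\n]*)', re.I | re.M)
FORM_ACT = re.compile(r'Content-Disposition: form-data; name="act"\r?\n\r?\n(\w+)', re.I)


def score_request(text):
    """Score one HTTP request (start line, headers, optional body). Returns (score, reasons)."""
    reasons = []
    m = REQUEST_LINE.search(text)
    if not m:
        return 0, reasons
    method, target = m.groups()
    url = urlsplit(target)
    if url.path.lower().endswith("/c99.php"):
        reasons.append("path c99.php")  # weak on its own: operators rename the file
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    reasons += [f"login parameter {k}" for k in params if LOGIN_PARAM.match(k)]
    if params.get("act") in C99_ACTIONS:
        reasons.append(f"act={params['act']}")
    if method == "POST":
        f = FORM_ACT.search(text)
        if f and f.group(1).lower() in C99_ACTIONS:
            reasons.append(f"multipart act={f.group(1)}")
    return len(reasons), reasons


def score_response(text):
    """Score one HTTP response: a 401 whose realm names the shell, or a banner in the body."""
    reasons = []
    m = STATUS_LINE.search(text)
    if not m:
        return 0, reasons
    realm = WWW_REALM.search(text)
    if m.group(1) == "401" and realm and any(b in realm.group(1).lower() for b in SHELL_BANNERS):
        reasons.append(f"401 realm names the shell: {realm.group(1)}")
    body = re.split(r"\r?\n\r?\n", text, maxsplit=1)[-1]
    if any(b in body.lower() for b in SHELL_BANNERS):
        reasons.append("shell banner in body")
    return len(reasons), reasons


def is_c99(request, response=None):
    """Verdict for one exchange: two request indicators, or any response indicator."""
    return score_request(request)[0] >= 2 or (
        response is not None and score_response(response)[0] >= 1
    )


# Constructed sample traffic transcribed from the capture above. The first request keeps
# the junk tcpdump -A prints ahead of the payload; the upload body is cut short.
SAMPLE_REQUESTS = [
    "E..@..Z|..f..d.)..#.A..P..;..GET /c99.php?c99shcook[login]=0 HTTP/1.1\r\n"
    "Host: 192.168.1.100:55555\r\n\r\n",
    "GET /c99.php?ry4wn[login]=0 HTTP/1.1\r\nHost: 192.168.1.100:55555\r\n\r\n",
    "GET /c99.php?act=img&img=up HTTP/1.1\r\nHost: 192.168.1.100:55555\r\n\r\n",
    "POST /c99.php?ry4wn[login]=0 HTTP/1.1\r\nHost: 192.168.1.100:55555\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLoRtloEXoMSV9bhy\r\n\r\n"
    "------WebKitFormBoundaryLoRtloEXoMSV9bhy\r\n"
    'Content-Disposition: form-data; name="act"\r\n\r\nupload\r\n'
    "------WebKitFormBoundaryLoRtloEXoMSV9bhy\r\n"
    'Content-Disposition: form-data; name="uploadfile"; filename="logo.png"\r\n'
    "Content-Type: image/png\r\n\r\n\x89PNG\r\n",
    "GET /index.php?page=1 HTTP/1.1\r\nHost: example.test\r\n\r\n",  # benign control
]
SAMPLE_401 = (
    "HTTP/1.0 401 Yetkisiz\r\nServer: Apache/2.4.18 (Debian)\r\n"
    'WWW-Belgele: Basic realm="SpYshell KingDefacer: Restricted area"\r\n'
    "Content-Length: 87\r\nConnection: close\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
    '<a href="http://xxxxxxxxxxxxxxxxxxxxxxxx">SpYshell v.KingDefacer</a>: Erisim Engellendi'
)

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(score_request(req), req.splitlines()[0][-60:])
    print(score_response(SAMPLE_401))
```

The path check is weighted like any other indicator rather than treated as decisive: operators rename c99.php freely, but the [login] parameter shape, the act dispatch values and the realm text survive a rename and are what the verdict leans on. Matching any WWW-* header for the realm matters for this build, since a rule keyed on the literal WWW-Authenticate name never sees WWW-Belgele.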
