C99 Webshell Backdoor SpYshell v.KingDefacer Traffic Analysis PCAP file download screenshots

This page shows C99 webshell usage on the wire: a PCAP capture (with the tcpdump output below) and screenshots of what the traffic looks like. C99 has been one of the most commonly used webshells over the years.

2017-01-20 03:22:24.448614 IP 192.168.1.102.54057 > 192.168.1.100.55555: Flags [P.], seq 1:404, ack 1, win 2053, length 403
E…..@…Z|…f…d.)…..#.A..P…;…GET /c99.php?c99shcook[login]=0 HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

2017-01-20 03:22:24.448633 IP 192.168.1.100.55555 > 192.168.1.102.54057: Flags [.], ack 404, win 237, length 0
E..(/.@.@……d…f…).A….  .P….5..
2017-01-20 03:22:24.449057 IP 192.168.1.100.55555 > 192.168.1.102.54057: Flags [P.], seq 1:327, ack 404, win 237, length 326
E..n/.@.@……d…f…).A….  .P….{..HTTP/1.0 401 Yetkisiz
Date: Fri, 20 Jan 2017 08:22:24 GMT
Server: Apache/2.4.18 (Debian)
WWW-Belgele: Basic realm="SpYshell KingDefacer: Restricted area"
Content-Length: 87
Connection: close
Content-Type: text/html; charset=UTF-8

<a href="http://xxxxxxxxxxxxxxxxxxxxxxxx">SpYshell v.KingDefacer</a>: Erisim Engellendi

2017-01-20 03:22:31.946998 IP 192.168.1.102.54059 > 192.168.1.100.55555: Flags [P.], seq 1:400, ack 1, win 2053, length 399
E…..@…Zr…f…d.+….:[.~..P…g=..GET /c99.php?ry4wn[login]=0 HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

2017-01-20 03:22:31.947013 IP 192.168.1.100.55555 > 192.168.1.102.54059: Flags [.], ack 400, win 237, length 0
E..(.@@.@..u…d…f…+.~….;.P….5..
2017-01-20 03:22:31.952320 IP 192.168.1.100.55555 > 192.168.1.102.54059: Flags [P.], seq 1:5601, ack 400, win 237, length 5600
E….A@.@……d…f…+.~….;.P…….HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 08:22:31 GMT
Server: Apache/2.4.18 (Debian)
Zamani: Mon, 12 May 2005 03:00:00 GMT
Son Modifiye: Fri, 20 Jan 2017 08:22:31 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pratik: no-cache
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 5151
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2017-01-20 03:22:31.983921 IP 192.168.1.102.54062 > 192.168.1.100.55555: Flags [P.], seq 1:384, ack 1, win 2053, length 383
E…..@…Zq…f…d…..s/p…@P….[..GET /c99.php?act=img&img=up HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: image/webp,image/*,*/*;q=0.8
Referer: http://192.168.1.100:55555/c99.php?ry4wn[login]=0
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

2017-01-20 03:22:31.983929 IP 192.168.1.100.55555 > 192.168.1.102.54062: Flags [.], ack 384, win 237, length 0
E..(&.@.@……d…f…….@.s0.P….5..
2017-01-20 03:22:31.984218 IP 192.168.1.100.55555 > 192.168.1.102.54062: Flags [P.], seq 1:327, ack 384, win 237, length 326
E..n&.@.@..z…d…f…….@.s0.P….{..HTTP/1.0 401 Yetkisiz
Date: Fri, 20 Jan 2017 08:22:31 GMT
Server: Apache/2.4.18 (Debian)
WWW-Belgele: Basic realm="SpYshell KingDefacer: Restricted area"
Content-Length: 87
Connection: close
Content-Type: text/html; charset=UTF-8

<a href="http://xxxxxxxxxxxxxxxxxxxxxxxx">SpYshell v.KingDefacer</a>: Erisim Engellendi

2017-01-20 03:22:56.211184 IP 192.168.1.102.54114 > 192.168.1.100.55555: Flags [P.], seq 1:624, ack 1, win 2053, length 623
E…..@…X….f…d.b……..E<P…x=..POST /c99.php?ry4wn[login]=0 HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Content-Length: 39127
Cache-Control: max-age=0
Origin: http://192.168.1.100:55555
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLoRtloEXoMSV9bhy
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/c99.php?ry4wn[login]=0
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8

2017-01-20 03:22:56.211200 IP 192.168.1.100.55555 > 192.168.1.102.54114: Flags [.], ack 624, win 238, length 0
E..(.`@.@..T…d…f…b..E<…7P….5..
2017-01-20 03:22:56.211450 IP 192.168.1.102.54114 > 192.168.1.100.55555: Flags [.], seq 624:5004, ack 1, win 2053, length 4380
E..D..@…I….f…d.b…..7..E<P….Q..------WebKitFormBoundaryLoRtloEXoMSV9bhy
Content-Disposition: form-data; name="act"

upload
------WebKitFormBoundaryLoRtloEXoMSV9bhy
Content-Disposition: form-data; name="uploadfile"; filename="logo.png"
Content-Type: image/png

.PNG
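The capture above carries several fingerprints a defender can key on without decrypting anything: the c99.php request path, the cookie-login probe parameter (c99shcook[login]=0, ry4wn[login]=0), the act=img and act=upload actions, a multipart upload aimed at the shell, the Turkish-localized 401 response (reason phrase "Yetkisiz", header "WWW-Belgele" in place of WWW-Authenticate, "Zamani", "Son Modifiye", "Pratik") and the realm string "SpYshell KingDefacer". The following script is an added example, not code from the original post: it parses tcpdump -A style text into packets and reports which of those indicators each packet shows. The parser assumes the tcpdump -A layout seen above (a timestamp/flow header line followed by payload lines whose non-printable bytes are rendered as dots), and the embedded dump is a constructed sample modelled on the capture, not the original PCAP.

```python
"""Added example: flag C99 / SpYshell webshell indicators in a tcpdump -A text dump.

The indicator list is taken from the capture in the post; the SAMPLE_DUMP at the
bottom is constructed for this example and modelled on that capture.
"""
import re
from urllib.parse import parse_qs, urlsplit

# tcpdump -A packet header: "<date> <time> IP <src> > <dst>: Flags [..], ..., length N"
PACKET_HDR = re.compile(
    r"^(?P<ts>\S+ \S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[[^\]]*\].*length \d+$"
)
# tcpdump -A prints the raw IP/TCP header bytes as dots in front of the payload,
# so the HTTP start line is searched for inside the line, not anchored at column 0.
REQUEST_LINE = re.compile(r"(?P<method>GET|POST|HEAD|PUT) (?P<target>\S+) HTTP/1\.[01]$")
STATUS_LINE = re.compile(r"HTTP/1\.[01] (?P<code>\d{3}) (?P<reason>.*)$")
HEADER = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9 -]*?): (?P<value>.*)$")

SHELL_PATHS = {"/c99.php"}                    # script name seen in the capture
LOGIN_PARAM = re.compile(r"^\w+\[login\]$")   # c99shcook[login]=0, ry4wn[login]=0
SHELL_ACTIONS = {"img", "upload"}             # act= values seen in the capture
REALM_MARKERS = ("SpYshell", "KingDefacer")   # realm / banner strings of this build
LOCALIZED_HEADERS = {"WWW-Belgele", "Zamani", "Son Modifiye", "Pratik"}  # Turkish build


def parse_tcpdump_ascii(text):
    """Split a tcpdump -A dump into packets: flow fields plus the payload lines."""
    packets = []
    for line in text.splitlines():
        m = PACKET_HDR.match(line)
        if m:
            packets.append({**m.groupdict(), "payload": []})
        elif packets:
            packets[-1]["payload"].append(line)
    return packets


def packet_indicators(pkt):
    """Return the webshell indicators found in one packet's payload."""
    hits, shell_request = [], False
    for line in pkt["payload"]:
        m = REQUEST_LINE.search(line)
        if m:
            url = urlsplit(m.group("target"))
            if url.path in SHELL_PATHS:
                shell_request = True
                hits.append(f"{m.group('method')} to known webshell path {url.path}")
            for key, values in parse_qs(url.query, keep_blank_values=True).items():
                if LOGIN_PARAM.match(key):
                    hits.append(f"c99 cookie-login probe parameter {key}")
                if key == "act" and SHELL_ACTIONS & set(values):
                    hits.append(f"c99 action act={values[0]}")
            continue
        m = STATUS_LINE.search(line)
        if m and m.group("code") == "401" and m.group("reason") != "Unauthorized":
            hits.append(f"401 with non-standard reason phrase '{m.group('reason')}'")
            continue
        m = HEADER.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        if name in LOCALIZED_HEADERS:
            hits.append(f"localized header name {name}")
        if any(marker in value for marker in REALM_MARKERS):
            hits.append(f"header names the shell: {value}")
        if shell_request and name == "Content-Type" and "multipart/form-data" in value:
            hits.append("multipart file upload to webshell")
    return hits


def analyse(text):
    """Run the indicator checks over a whole dump; each finding keeps its flow tuple."""
    findings = []
    for pkt in parse_tcpdump_ascii(text):
        for indicator in packet_indicators(pkt):
            findings.append({"ts": pkt["ts"], "src": pkt["src"],
                             "dst": pkt["dst"], "indicator": indicator})
    return findings


# Constructed sample in tcpdump -A layout, modelled on the capture in the post.
# The last packet is a benign request that must produce no finding.
SAMPLE_DUMP = """\
2017-01-20 03:22:24.448614 IP 192.168.1.102.54057 > 192.168.1.100.55555: Flags [P.], seq 1:404, ack 1, win 2053, length 403
E.....@...GET /c99.php?c99shcook[login]=0 HTTP/1.1
Host: 192.168.1.100:55555
User-Agent: Mozilla/5.0

2017-01-20 03:22:24.449057 IP 192.168.1.100.55555 > 192.168.1.102.54057: Flags [P.], seq 1:327, ack 404, win 237, length 326
E..n/.@.@.HTTP/1.0 401 Yetkisiz
Server: Apache/2.4.18 (Debian)
WWW-Belgele: Basic realm="SpYshell KingDefacer: Restricted area"
Content-Type: text/html; charset=UTF-8

2017-01-20 03:22:31.983921 IP 192.168.1.102.54062 > 192.168.1.100.55555: Flags [P.], seq 1:384, ack 1, win 2053, length 383
E.....@...GET /c99.php?act=img&img=up HTTP/1.1
Host: 192.168.1.100:55555

2017-01-20 03:22:56.211184 IP 192.168.1.102.54114 > 192.168.1.100.55555: Flags [P.], seq 1:624, ack 1, win 2053, length 623
E.....@...POST /c99.php?ry4wn[login]=0 HTTP/1.1
Host: 192.168.1.100:55555
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLoRtloEXoMSV9bhy

2017-01-20 03:23:00.000000 IP 192.168.1.102.54120 > 192.168.1.100.80: Flags [P.], seq 1:100, ack 1, win 2053, length 99
E.....@...GET /index.php?page=home HTTP/1.1
Host: 192.168.1.100
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_DUMP):
        print(f"{f['ts']} {f['src']} -> {f['dst']}: {f['indicator']}")
```

Run it on the output of `tcpdump -A -r capture.pcap` (or paste the text above into SAMPLE_DUMP) and each flagged packet is listed with its flow tuple, so findings can be pivoted straight back into the PCAP. The request-side checks (path, [login] probe, act= value, upload to the shell) are the high-confidence ones; the localized 401 and header names are a weaker fingerprint of this particular Turkish build and would also match a legitimately localized server, so treat them as corroboration rather than a verdict on their own.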