I frequent the eLearnSecurity student forums, and one of the common questions is about webshells; it usually ends with a link to backdoored scripts. Here is my quick analysis of one of them.
I start by downloading our target and opening it in a text editor, and what I see is immediately suspicious: the code is all packed on one line in what seems to be base64 encoding. Scrolling all the way to the end confirms this:
Time to reach for a base64 tool. In this case I used:
http://www.opinionatedgeek.com/dotnet/tools/base64decode/
Clicking on “Decode safely as text” will get us the decoded script. Now I paste this into my text editor for syntax highlighting and skim over the code to see if something stands out. The first thing I noticed is that no further obfuscation seems to have been done on this code, other than a few blobs of base64 that appear to be some images and a bind shell script in Perl. Towards the end of the file something got my attention: a script tag loading some JS code from the site this was downloaded from.
One wget later, we get this:
Well, looks like we found what we were looking for! This is loaded when you use the shell. What it does is create an invisible image that requests a script from the malicious domain, sending our current URL. This means that these guys are getting reports of websites that have been compromised using their shell, so they can use it to get access and do whatever they please without any effort. I think I don’t need to tell you how bad this would be if it happened to a pentesting client.
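The manual steps above (spotting a one-line base64-packed file, decoding it, and looking for embedded blobs and a script tag pulling JS from a remote host) can be turned into a small triage script. The following is an added example written for this post, not code from the author or from the analysed shell; the sample file it inspects is constructed inline, and the `malicious-domain.invalid` hostname is a placeholder standing in for the real callback domain.

```python
import base64
import re

# Constructed sample: a small PHP fragment standing in for the decoded shell.
# It carries one long base64 blob (a 1x1 PNG, like the embedded images the
# post mentions) and a remote <script src=...> tag like the one found at the
# end of the real file. The domain is a placeholder, not the real one.
INNER_PHP = (
    "<?php\n"
    "$img = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk"
    "YPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==';\n"
    "echo 'shell ready';\n"
    "?>\n"
    '<script src="http://malicious-domain.invalid/track.js"></script>\n'
)

# The "packed" form as it would be downloaded: the whole file on one line.
SAMPLE_FILE = base64.b64encode(INNER_PHP.encode()).decode()

# Runs of 40+ base64-alphabet characters are treated as embedded blobs.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SCRIPT_SRC_RE = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.IGNORECASE)
REMOTE_RE = re.compile(r"^(?:https?:)?//", re.IGNORECASE)


def looks_packed(text):
    """True when the file is a single line made only of base64 characters."""
    stripped = text.strip()
    return "\n" not in stripped and B64_RE.fullmatch(stripped) is not None


def decode_layer(text):
    """Decode one base64 layer; validate=True rejects stray characters."""
    raw = base64.b64decode(text.strip(), validate=True)
    return raw.decode("utf-8", errors="replace")


def remote_script_sources(text):
    """Script tags whose src points at another host (http://, https:// or //)."""
    return [src for src in SCRIPT_SRC_RE.findall(text) if REMOTE_RE.match(src)]


def embedded_blobs(text):
    """Long base64 runs left inside the decoded code (images, helper scripts)."""
    return B64_RE.findall(text)


def analyse(text):
    """Unpack every base64 layer, then report what a reviewer should look at."""
    layers = 0
    while looks_packed(text):
        text = decode_layer(text)
        layers += 1
    return {
        "layers": layers,
        "remote_scripts": remote_script_sources(text),
        "blob_count": len(embedded_blobs(text)),
        "decoded": text,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_FILE)
    print(f"base64 layers unpacked: {report['layers']}")
    print(f"embedded base64 blobs:  {report['blob_count']}")
    for src in report["remote_scripts"]:
        print(f"remote script include:  {src}")
```

Any remote script include in a supposedly self-contained shell is the thing to chase next, exactly as the wget step above did; the embedded blobs are worth decoding in the same way, since the post found a Perl bind shell hiding in one of them.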
