GarryOne

Request for Malware Analysis: Webshells

File 1:

http://pastebin.com/vwGQ4ssg

 

File 2:

http://pastebin.com/gyZiwy9N

 

File 3:

http://pastebin.com/7Qc9X0Ry

File 4:

http://www111.zippyshare.com/v/k9wRJtDr/file.html

The first 3 are obfuscated.

The last one is the strangest. When I opened the source in an editor, I saw only whitespace, but when I accessed the file in a browser, a login input appeared which, most likely, once filled in, would display a web shell interface. I deleted it from the server on the spot, but I saved a copy; however, on localhost I was not able to reproduce the functionality.
That is why I uploaded it to a file-sharing site and did not put the source code on pastebin.

Unfortunately, I don't have that much time to spend investigating the problem in detail, but I'm curious to find out more about it.

Thank you.

  • Upvote 1

Hi, the last file is empty, completely empty

 xxd -p modal.php
3c3f7068700a202020202020202020202020202020202020202020202020
202020202020202020202020202020202020202020202020202020202020
202020202020202020202020202020202020202020202020202020202020
------------------------------------------------------------
202020202020202020202020202020202020202020202020202020202020
20202020202020202020203f3e

 

Edited by endemic
  • Upvote 1

Share this post


Link to post
Share on other sites

Most likely something gets replaced in the last file; probably those spaces are replaced with the deobfuscated code, probably in memory.

  • Upvote 1
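
An added example, not code posted by anyone in this thread: a Python triage for a PHP file that looks blank in an editor, relevant to the xxd output and to the suggestion above that the spaces stand in for code. It reports whether the bytes between the tags are one repeated whitespace value or a mix that could carry data; the function name, verdict labels, heuristic and sample bytes are assumptions constructed for illustration.

```python
from collections import Counter

WS_NAMES = {0x20: "space", 0x09: "tab", 0x0A: "LF", 0x0D: "CR"}


def triage_php(data: bytes) -> dict:
    """Classify the bytes between the first '<?php' and the last '?>'."""
    start = data.find(b"<?php")
    if start == -1:
        return {"verdict": "no-php-tag"}
    end = data.rfind(b"?>")
    body = data[start + 5:end] if end > start else data[start + 5:]
    counts = Counter(body)
    ws = {WS_NAMES[b]: n for b, n in counts.items() if b in WS_NAMES}
    # File offsets of bytes an editor may hide but PHP would still parse.
    other = [start + 5 + i for i, b in enumerate(body) if b not in WS_NAMES]
    # Heuristic (assumption of this example): a whitespace-encoded payload
    # needs at least two whitespace byte values that each recur; a single
    # repeated value carries nothing but its length.
    recurring = sorted(name for name, n in ws.items() if n > 1)
    if other:
        verdict = "non-whitespace-bytes"
    elif len(recurring) >= 2:
        verdict = "possible-whitespace-encoding"
    else:
        verdict = "inert-whitespace"
    return {"verdict": verdict, "whitespace": ws,
            "recurring": recurring, "first_other_offsets": other[:8]}


# Constructed samples. BLANK mirrors the head and tail of the dump above
# ('<?php', one LF, a run of 0x20, '?>'); the run length is made up.
BLANK = b"<?php\n" + b" " * 400 + b"?>"
# Constructed: spaces and tabs alternating, the shape a bit-per-character
# whitespace encoding would have.
MIXED = b"<?php\n" + b" \t\t \t  \t" * 50 + b"?>"
# Constructed: a zero-width space (U+200B, UTF-8 e2 80 8b) inside the padding.
HIDDEN = b"<?php\n" + b" " * 10 + "\u200b".encode() + b" " * 10 + b"?>"

if __name__ == "__main__":
    for name, sample in (("BLANK", BLANK), ("MIXED", MIXED), ("HIDDEN", HIDDEN)):
        print(name, triage_php(sample))
```

A file that comes back as `inert-whitespace` contains no PHP statements at all, so its bytes alone cannot produce a login form.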