Native RC4 (a stream cipher, not a hash) is used to check any input password, and to decode input.
Unfortunately, the password hash appears right in the code:
define('PWD', 'ce5ca673d13b36118d54a7cf13aeb0ca012383bf771e713421b4d1fd841f539a');
That same hash appears in https://github.com/agavrel/42-Piscine_PHP/blob/master/Rush00/install.php, so it might be possible to get the original password out of that project.
Clever backdoor: it can immediately eval PHP source code, create a randomly-named file and fill it with downloaded bytes, or immediately execute a Linux shell command downloaded to it.
185.143.223.209 does not have a DNS A record.
% Information related to '185.143.223.0/24AS57043'
route: 185.143.223.0/24
descr: infotech.ru.net
origin: AS57043
mnt-by: ru-informtech-1-mnt
p0f3 says that IP address runs Windows 7 or 8.
The User agent string agrees on Windows, but also says 185.143.223.209 runs Opera:
185.143.223.209 - - [24/Feb/2018:20:32:45 -0700] "POST /wp-content/themes/sketch/404.php HTTP/1.1" 200 21779 "http://stratigery.com/wp-content/themes/sketch/404.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17"
185.143.223.209 - - [24/Feb/2018:20:32:46 -0700] "POST /wp-content/themes/sketch/404.php HTTP/1.1" 200 31428 "http://stratigery.com/wp-content/themes/sketch/404.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17"
185.143.223.209 - - [24/Feb/2018:20:32:46 -0700] "POST /wp-content/themes/sketch/404.php HTTP/1.1" 200 31428 "http://stratigery.com/wp-content/themes/sketch/404.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17"
185.143.223.209 - - [24/Feb/2018:20:32:47 -0700] "POST /wp-content/themes/sketch/404.php HTTP/1.1" 200 31428 "http://stratigery.com/wp-content/themes/sketch/404.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17"
185.143.223.209 - - [24/Feb/2018:20:32:48 -0700] "POST /wp-content/themes/sketch/404.php HTTP/1.1" 200 31428 "http://stratigery.com/wp-content/themes/sketch/404.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17"
185.143.223.209 - - [24/Feb/2018:20:32:48 -0700] "POST /wp-content/themes/sketch/404.php HTTP/1.1" 200 31428 "http://stratigery.com/wp-content/themes/sketch/404.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17"
185.143.223.209 - - [24/Feb/2018:20:32:49 -0700] "POST /wp-content/themes/sketch/404.php HTTP/1.1" 200 31428 "http://stratigery.com/wp-content/themes/sketch/404.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17"
The accesses happen too fast to have a human piloting a browser. This set of accesses must be automated.
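As an added example (not code from the original post), here is a small Python triage script that applies the same reasoning to the log excerpt above: it groups POSTs per client and path, flags bursts no human could type, and separately notes a theme's 404.php answering POSTs with 200. The seven attacker lines are rebuilt from the excerpt (only the seconds differ); the 198.51.100.7 line is constructed for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format, as in the excerpt above.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# A theme's 404 template answering POSTs with 200 is how a planted web shell shows up in the log.
THEME_404_RE = re.compile(r"^/wp-content/themes/[^/]+/404\.php$")
# Sample input: the attacker's seven POSTs rebuilt from the excerpt above (only the seconds
# differ), plus one constructed benign GET from an unrelated address for contrast.
ATTACKER_LINE = ('185.143.223.209 - - [24/Feb/2018:20:32:%02d -0700] "POST /wp-content/themes/sketch/404.php HTTP/1.1" '
                 '200 31428 "http://stratigery.com/wp-content/themes/sketch/404.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17"')
SAMPLE_LOG = [ATTACKER_LINE % s for s in (45, 46, 46, 47, 48, 48, 49)] + [
    '198.51.100.7 - - [24/Feb/2018:20:31:10 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"']

def parse_line(line):
    """Return (ip, datetime, method, path, status, ua), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"]), m["ua"]

def find_post_bursts(lines, window_s=10.0, min_hits=5):
    """Flag every (client, path) pair with at least min_hits POSTs inside any window_s seconds."""
    posts = defaultdict(list)
    for ip, ts, method, path, status, ua in filter(None, map(parse_line, lines)):
        if method == "POST":
            posts[(ip, path)].append((ts, status, ua))
    hits = []
    for (ip, path), recs in posts.items():
        recs.sort()
        j, best = 0, (0, 0.0)
        for i in range(len(recs)):  # sliding window over the sorted timestamps
            while (recs[i][0] - recs[j][0]).total_seconds() > window_s:
                j += 1
            if i - j + 1 > best[0]:
                best = (i - j + 1, (recs[i][0] - recs[j][0]).total_seconds())
        if best[0] >= min_hits:
            reasons = ["post_burst"]
            if THEME_404_RE.match(path) and recs[-1][1] == 200:
                reasons.append("theme_404_answers_post")
            hits.append({"ip": ip, "path": path, "hits": best[0], "span_s": best[1],
                         "ua": recs[-1][2], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in find_post_bursts(SAMPLE_LOG):
        print(hit)
```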
traceroute agrees on the Amsterdam physical location:
traceroute to 185.143.223.209 (185.143.223.209), 30 hops max, 60 byte packets
1 129-45-246-162.versonetworks.net (162.246.45.129) 9.070 ms 9.053 ms 14.238 ms
2 10.100.100.1 (10.100.100.1) 14.239 ms 14.229 ms 18.823 ms
3 v231.core1.den1.he.net (216.66.73.25) 23.801 ms 23.772 ms 23.776 ms
4 100ge14-1.core1.mci3.he.net (184.105.64.50) 43.761 ms 43.758 ms 43.751 ms
5 100ge8-1.core2.chi1.he.net (184.105.81.210) 51.192 ms 51.189 ms 51.181 ms
6 100ge16-1.core1.nyc4.he.net (184.105.223.162) 66.102 ms 57.347 ms 57.338 ms
7 100ge11-1.core1.nyc5.he.net (184.105.213.218) 70.965 ms 70.958 ms 70.947 ms
8 100ge8-2.core1.dub1.he.net (184.105.65.246) 130.870 ms 130.831 ms 133.444 ms
9 100ge3-2.core1.man1.he.net (72.52.92.197) 136.205 ms 136.198 ms 136.187 ms
10 100ge16-1.core1.ams1.he.net (184.105.213.65) 153.422 ms 153.416 ms 153.405 ms
11 ams-ix.hostkey.com (80.249.212.7) 150.769 ms 150.726 ms 150.698 ms
12 46.249.38.9 (46.249.38.9) 150.672 ms 141.176 ms 141.136 ms
13 185.143.223.209 (185.143.223.209) 133.227 ms 136.088 ms 138.809 ms
Downloaded to a fake WSO ("Web Shell by oRb") web shell that serves as my honey pot.
The attacker used the "FilesMan" action, "uploadFile" sub-action, to try to create and fill a file named 1.php.
No decoding or deobfuscating necessary - the attacker downloaded cleartext PHP.
The code collects php://input and decrypts it with the RC4 algorithm and PWD (password, see above).
It returns a JSON format result string to the invoker.
It has a somewhat weird coding style: the constants
define('ACTION_INSTALL', 1);
define('ACTION_CMD', 2);
define('ACTION_PHP', 3);
appear, but then the numerical constants 1, 2, 3 get used in the code instead.
It seems to have 3 commands, based on what's in the decrypted data. The code expects the decrypted data to be in JSON format, with elements named action and data.
execSystemCmd - goes to extraordinary lengths to execute a Linux shell command passed in the data element of the decoded JSON input.
execPHPcmd - evals PHP source code passed in the data element of the decoded JSON input. Creates a JSON formatted result string with status and data elements. Any output from the eval'ed PHP source code ends up in the data element.
installBot - creates a list of writeable directories, creates a randomly-chosen-string file in the first writeable directory, then base64-decodes the data element of the input JSON, and writes it to the file. It ends up returning the path to the file it writes.
Overall, a reasonably functional backdoor. Not particularly stealthy on disk, but the network traffic to and from it wouldn't be that exotic.
URLs ending in /1.php did get invoked after this code got downloaded.
Unfortunately, the URL was such that Apache did not route it to my honey pot, so I do not have any captured bytes to see what people invoke it with.