The other day I was doing some routine updates on a client WordPress site when I noticed something funky in the plugins folder. There were about 20-30 plugins that were all deactivated and all had the same name and description. Turns out they were various Chinese backdoors/trojans. I did some analysis on them to better understand what they were doing and what potential they had. It was pretty fascinating, to be honest. I’m not a security researcher, but I do know a little and I just couldn’t pass up the opportunity to dig into them a bit, especially since it was my first time actually seeing them in the wild.
One of the features that a number of them had was a built in Perl reverse shell script to give the attackers remote access. This particular webserver was set up using a regular user. Needless to say, the backdoors didn’t just give access to the webroot for the site but access to the entire home folder for the user including other sites that they had set up as well as SSH keys and various other goodies. Fortunately for him, he was running this server in AWS and appeared to have default firewall rules set up so I couldn’t easily SSH into the machine.
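If you want to do the same kind of triage on a plugins folder, the two things that gave these away are easy to check for automatically: many plugin files sharing one header (Plugin Name / Description) and strings that have no business in a normal plugin (Perl socket code, shell spawning, hard-coded passwords in comments). The script below is an added example for this post, not code from the backdoors or from WordPress. The indicator list and the sample plugin tree it builds in a temporary directory are constructed for the demonstration; the "backdoor" sample only contains marker strings, not working code.

```python
import os
import re
import tempfile
from collections import defaultdict

# WordPress reads the plugin header from a comment block at the top of the
# plugin's main PHP file, one "Field: value" per line.
HEADER_RE = re.compile(
    r"^[ \t/*#]*(Plugin Name|Description)[ \t]*:[ \t]*(.+?)[ \t]*$", re.M
)

# Constructed indicator list for this triage; tune it to what you actually find.
INDICATORS = {
    "perl socket": re.compile(r"IO::Socket"),
    "interactive shell": re.compile(r"/bin/(?:ba)?sh\s+-i"),
    "pty upgrade": re.compile(r"pty\.spawn"),
    "obfuscated eval": re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)"),
    "command execution": re.compile(r"\b(?:passthru|shell_exec|proc_open|popen)\s*\("),
    "credential in file": re.compile(r"\bpass(?:word|wd)?\s*[:=]", re.I),
}


def parse_header(text):
    """Return the first Plugin Name / Description values from a PHP file's header."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):
        fields.setdefault(key, value)
    return fields


def scan_plugins(root):
    """Group plugin files by (name, description) and match indicator strings."""
    by_identity = defaultdict(list)
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            header = parse_header(text)
            if "Plugin Name" in header:
                identity = (header["Plugin Name"], header.get("Description", ""))
                by_identity[identity].append(rel)
            matched = [label for label, rx in INDICATORS.items() if rx.search(text)]
            if matched:
                hits[rel] = matched
    # Several files claiming to be the same plugin is the pattern from the post.
    duplicates = {k: sorted(v) for k, v in by_identity.items() if len(v) > 1}
    return {"duplicates": duplicates, "indicators": hits}


def build_sample_plugins(root):
    """Write a constructed plugin tree for the demo (one real-looking plugin,
    three copies of a 'backdoor' that only carries marker strings)."""
    legit = """<?php
/*
Plugin Name: Site Contact Form
Description: Adds a contact form shortcode.
Version: 1.4
*/
add_shortcode('contact', 'scf_render');
"""
    dropper = """<?php
/*
Plugin Name: WP Cache Helper
Description: Improves site performance.
*/
// constructed stand-in for the backdoor body; not functional
// password: hunter2
// calls passthru( on attacker input and starts perl with IO::Socket for the reverse shell
"""
    layout = {
        "site-contact-form/site-contact-form.php": legit,
        "wp-cache-helper/wp-cache-helper.php": dropper,
        "wp-cache-helper-2/plugin.php": dropper,
        "wp-cache-helper-3/index.php": dropper,
    }
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_plugins(root)
        return scan_plugins(root)


if __name__ == "__main__":
    result = demo()
    for identity, paths in result["duplicates"].items():
        print("duplicate plugin", identity, "->", paths)
    for path, labels in result["indicators"].items():
        print("indicators in", path, "->", labels)
```

Point it at a real wp-content/plugins directory by calling scan_plugins on that path. The indicator patterns are deliberately simple and will produce some noise (a legitimate plugin may well have `$password =` somewhere), so treat a hit as something to read, not as a verdict. One caveat worth keeping in mind: a deactivated plugin is only inert as far as WordPress is concerned; the PHP files under wp-content/plugins/ are still served directly by the web server, so the web shell in a deactivated plugin is still reachable by URL.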
I pulled up the web shell for one of the backdoors (some of them didn’t have passwords, others had passwords included in the comments of the script file) and went through the GUI to start a reverse shell. I caught it on one of my other servers using Netcat, but if you’ve ever done this you know that it’s not very pretty. I was looking for a quick and easy way to “upgrade” the shell for slightly more functionality. This is what I came across.
$ python -c 'import pty; pty.spawn("/bin/bash")'
Quick and dirty but it definitely helps! I found this tip as well as some more advanced methods here.
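Why does that one-liner help so much? A shell caught with Netcat has a socket where its terminal should be, so bash runs non-interactively: no job control, no line editing, and programs that insist on a terminal (su, ssh, most editors) refuse to run. pty.spawn puts a pseudo-terminal between the socket and bash, and everything inside sees a real tty again. The script below is an added example for this post, not part of the original; it runs a small probe (a constructed Python child, standing in for bash) once on plain pipes and once under a pty and reports what the child sees, then wraps the post's one-liner in a function that only spawns the pty when needed.

```python
import os
import pty
import subprocess
import sys

# Constructed probe child: prints 1 if its stdin and stdout are a terminal.
# In the real situation this is where /bin/bash would be running.
PROBE = "import sys; print(int(sys.stdin.isatty() and sys.stdout.isatty()))"


def child_sees_tty_via_pipes():
    """Run the probe with stdio on plain pipes, which is what a process
    inherits from a netcat-style reverse shell: a socket or pipe, no terminal."""
    done = subprocess.run([sys.executable, "-c", PROBE], capture_output=True, text=True)
    return done.stdout.strip() == "1"


def child_sees_tty_via_pty():
    """Run the probe with stdio on the slave side of a pseudo-terminal,
    which is the effect of pty.spawn("/bin/bash") inside the reverse shell."""
    master, slave = pty.openpty()
    proc = subprocess.Popen(
        [sys.executable, "-c", PROBE], stdin=slave, stdout=slave, stderr=slave
    )
    os.close(slave)  # the parent keeps only the master end
    output = b""
    while True:
        try:
            chunk = os.read(master, 4096)
        except OSError:  # Linux raises EIO once the child has closed the slave
            break
        if not chunk:
            break
        output += chunk
    proc.wait()
    os.close(master)
    return output.strip().endswith(b"1")  # pty output arrives as "1\r\n"


def upgrade_shell():
    """The post's one-liner as a function: spawn bash under a pty only if we
    are not already on a terminal. Returns False without spawning otherwise.
    TERM is set so that programs which query the terminal (clear, vim) work."""
    if sys.stdin.isatty():
        return False
    os.environ.setdefault("TERM", "xterm")
    pty.spawn("/bin/bash")
    return True


if __name__ == "__main__":
    print("tty on plain pipes:", child_sees_tty_via_pipes())
    print("tty under a pty:   ", child_sees_tty_via_pty())
```

Run it and the first line is False, the second True; that difference is the whole reason the trick works. The pty alone still leaves your local terminal in cooked mode, so Ctrl-C kills the Netcat listener instead of the remote command; the usual follow-up on the listening side is to background Netcat with Ctrl-Z, run stty raw -echo, then fg to get back a shell where tab completion and Ctrl-C behave as expected.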