1. Incident background
Recently phpStudy, a widely used integrated PHP environment package, announced that it had suffered a suspected supply-chain attack: the php_xmlrpc.dll PHP extension shipped with the package contains a hidden backdoor. The Arnhem Academy Emergency Response Center analysed the phpStudy installation packages offered on domestic download sites and confirmed that some phpStudy2016 and phpStudy2018 releases carry the backdoor. Users of these versions are advised to apply the hardening measures below immediately.
2. Backdoor analysis
Analysis shows that the backdoor code lives in the \ext\php_xmlrpc.dll module. At least two backdoored builds exist, one for each of the PHP versions bundled with phpStudy2016 and phpStudy2018 (php-5.2.17 and php-5.4.45):
phpStudy20161103
php\php-5.2.17\ext\php_xmlrpc.dll
php\php-5.4.45\ext\php_xmlrpc.dll
phpStudy20180211
PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll
PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll
Analysis process:
Comparing the module with the official xmlrpc source shows how the extension's initialization hooks are normally configured. In the tampered build, the "request_startup_func" hook has been replaced with an attacker-defined function, so every request passes through the custom function "sub_100031F0".
Further analysis of "sub_100031F0" shows that when an incoming HTTP request (from the attacker, or from any ordinary client) carries an "Accept-Encoding" header, the function enters the attacker's custom logic:
When the Accept-Encoding value is "compress, gzip", it collects system information; for example, the function "sub_10004380" gathers network adapter information.
It then executes PHP code in memory. Dumping that PHP code and base64-decoding the encrypted string reveals the payload.
Sending a request constructed with an HTTP packet-crafting tool successfully triggers the backdoor, which connects to the malicious domain 360se[.]net.
When the Accept-Encoding value is "gzip, deflate", the code next checks whether an "Accept-Charset" header is set.
If a specific "Accept-Charset" value is present, the attacker can have the server execute arbitrary PHP supplied in that header once the conditions are met, gaining control of the server. Because the trigger is hidden in ordinary-looking request headers, the backdoor is highly stealthy.
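The two trigger paths described above can be turned into a request-level detection rule for access logs or a reverse proxy. The following is an added example written for this advisory, not code from phpStudy or from the analysis team. It assumes the trigger strings are "compress,gzip" and "gzip,deflate" after whitespace is stripped, and that the Accept-Charset payload is base64-encoded PHP; the exact byte comparisons inside sub_100031F0 are not reproduced, and the sample requests are constructed, not captured traffic.

```python
import base64
import re

# Assumed trigger values, taken from the analysis above, compared after
# whitespace is removed and case is folded.
INFO_COLLECT_TRIGGER = "compress,gzip"
PHP_EXEC_TRIGGER = "gzip,deflate"
# Markers that indicate the decoded Accept-Charset value is PHP rather than a charset name.
PHP_MARKERS = (b"<?php", b"eval(", b"system(", b"assert(", b"passthru(", b"shell_exec(")


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP request into a lower-cased header dict (request line and body ignored)."""
    headers = {}
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def normalize(value: str) -> str:
    """'gzip, Deflate' -> 'gzip,deflate'."""
    return re.sub(r"\s+", "", value).lower()


def decode_charset_payload(value: str):
    """Strictly base64-decode the Accept-Charset value; real charset names such as
    'utf-8' contain characters outside the base64 alphabet and return None."""
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:
        return None


def analyze_request(raw: str) -> dict:
    """Classify one raw request against the backdoor's two trigger paths."""
    h = parse_headers(raw)
    enc = normalize(h.get("accept-encoding", ""))
    result = {"verdict": "clean", "accept_encoding": enc, "payload": None}
    if enc == INFO_COLLECT_TRIGGER:
        # Path 1: system-information collection and callback to 360se[.]net.
        result["verdict"] = "info-collect-trigger"
    elif enc == PHP_EXEC_TRIGGER and "accept-charset" in h:
        # Path 2: base64 PHP in Accept-Charset executed in memory.
        payload = decode_charset_payload(h["accept-charset"])
        if payload is not None and any(m in payload.lower() for m in PHP_MARKERS):
            result["verdict"] = "php-exec-trigger"
            result["payload"] = payload.decode("latin-1")
        else:
            # The backdoor's code path was entered but nothing recognisable decoded;
            # worth reviewing, since payloads can be obfuscated.
            result["verdict"] = "exec-path-no-php-marker"
    return result


# Constructed sample requests (not captured traffic).
PAYLOAD_B64 = base64.b64encode(b"system('whoami');").decode()
REQ_INFO = "GET / HTTP/1.1\r\nHost: victim\r\nAccept-Encoding: compress, gzip\r\n\r\n"
REQ_EXEC = ("GET / HTTP/1.1\r\nHost: victim\r\nAccept-Encoding: gzip, deflate\r\n"
            f"Accept-Charset: {PAYLOAD_B64}\r\n\r\n")
REQ_BROWSER = ("GET / HTTP/1.1\r\nHost: victim\r\nAccept-Encoding: gzip, deflate, br\r\n"
               "Accept-Charset: utf-8\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("info", REQ_INFO), ("exec", REQ_EXEC), ("browser", REQ_BROWSER)):
        print(name, analyze_request(req))
```

Note that a modern browser's "gzip, deflate, br" does not match the exec trigger, so the rule stays quiet on ordinary traffic; any hit on the exec path from a client that also sends Accept-Charset deserves a look even when no PHP marker decodes.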
3. Affected versions
Testing so far has found the backdoor in phpStudy2016 and phpStudy2018. IOCs (file hashes of the backdoored module and the callback domain):
MD5 0f7ad38e7a9857523dfbce4bce43a9e9
MD5 c339482fd2b233fb0a555b629c0ea5d5
Domain 360se[.]net
Users can quickly check whether their php_xmlrpc.dll is a backdoored version by searching the module for the string "@eval". Reference command (run from the phpStudy installation directory):
findstr /m /s /c:"@eval" *.*
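The findstr check and the hash IOCs above can be combined into one scan that walks a phpStudy tree, hashes every php_xmlrpc.dll and flags both known hashes and the "@eval" marker. The following is an added example for this advisory, not a tool from phpStudy or the analysis team; the default scan root C:\phpStudy is an assumption, and the sample bytes in the test are constructed, not real module contents.

```python
import hashlib
import os
import sys

# MD5 hashes of the backdoored php_xmlrpc.dll from the IOC list above.
BACKDOOR_MD5 = {
    "0f7ad38e7a9857523dfbce4bce43a9e9",
    "c339482fd2b233fb0a555b629c0ea5d5",
}
# The findstr check above keys on this string; a clean php_xmlrpc.dll should not contain it.
EVAL_MARKER = b"@eval"


def classify_bytes(data: bytes) -> dict:
    """Return the MD5 of a module image plus both indicators."""
    md5 = hashlib.md5(data).hexdigest()
    return {
        "md5": md5,
        "known_backdoor_hash": md5 in BACKDOOR_MD5,
        "contains_eval_marker": EVAL_MARKER in data,
    }


def is_backdoored(data: bytes) -> bool:
    """True if either indicator fires. The hash catches the two known samples;
    the string check also catches recompiled variants that keep the eval stub."""
    r = classify_bytes(data)
    return r["known_backdoor_hash"] or r["contains_eval_marker"]


def scan_tree(root: str, filename: str = "php_xmlrpc.dll") -> list:
    """Walk root and classify every file named php_xmlrpc.dll (case-insensitive)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != filename:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            r = classify_bytes(data)
            r["path"] = path
            findings.append(r)
    return findings


if __name__ == "__main__":
    # Assumed default install location; pass the real path as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\phpStudy"
    for f in scan_tree(root):
        status = "BACKDOOR" if (f["known_backdoor_hash"] or f["contains_eval_marker"]) else "ok"
        print(f"{status:8} {f['md5']} {f['path']}")
```

A clean result from this scan only means the two published samples and the "@eval" stub are absent; to rule out other tampering, compare the module's hash against the php_xmlrpc.dll in the official PHP archive for the same version.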
4. Mitigation measures
Replace the backdoored \ext\php_xmlrpc.dll with the copy from the corresponding official PHP release archive:
https://windows.php.net/downloads/releases/archives/php-5.2.17-Win32-VC6-x86.zip
https://windows.php.net/downloads/releases/archives/php-5.4.45-Win32-VC9-x86.zip