Date: Mon, 8 Aug 2022 08:18:05 +0200
From: p+password@...atpro.net
To: john-users@...ts.openwall.com
Subject: extract password/hash from a piece of php malware

Hello,

My question is not totally related to JtR. I've found a PHP webshell on a web site and I'm trying to de-obfuscate it and learn how it works on the attacker side. For reference, the file is https://www.virustotal.com/gui/file/312ee17ec9bed4278579443b805c0eb75283f54483d12f9add7d7d9e5f9f6105
It's highly obfuscated and the only thing I've managed to do is access its GUI over a simple PHP web server (php -S localhost:8000, then curl). It's a JS-generated web page, all blank except for a single password field in the middle.
I'm pretty sure the password is hardcoded in the webshell file but I have absolutely no clue where it is and how to retrieve it.

Any idea?
Thanks,
patpro
