Some Baculum code flagged by Yara compromise assessment rule as a Webshell (hidden backdoor)

Summary

Reproducibility: always
Platform: AMD64
OS: Linux
OS Version: debian 10
Product Version:

Description

The THOR security scanner looks for signs that a system has been compromised by an attacker. Among other techniques, it uses sets of YARA rules to make that assessment. The following rules classify two Baculum source code files as a webshell (a backdoor normally left on a system by an attacker as a foothold so they can return later).

Finding Details:

 MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
75
FILE:
/usr/src/bacula-gui-13.0.1/baculum/protected/vendor/pradosoft/prado/framework/Web/UI/ActiveControls/TActiveFileUpload.php
EXT:
.php
TYPE:
PHP
SIZE:
17652
MD5:
77dd4db90aa7ac99a40eaeb80d76467a
SHA1:
ea4274a9cadb58cff254e3b9bafa8688ffc78480
SHA256:
63e2304637aa3e850f9eeabe3b1fd5dd3e6d5cbe5eca1404d1bc47b770f311ba
FIRSTBYTES:
3c3f7068700a2f2a2a0a202a2054416374697665 / <?php /** * TActive
CHANGED:
Fri Aug 26 18:47:17.777 2022
MODIFIED:
Fri Aug 5 17:13:35.000 2022
ACCESSED:
Tue Sep 5 14:05:35.786 2023
PERMISSIONS:
-rw-r--r--
OWNER:
pi
GROUP:
pi
REASON_1:
YARA rule WEBSHELL_PHP_Generic / php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings
SUBSCORE_1:
75
REF_1:
Internal Research
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1

    <? at 0x0 in
    "<?php\x0a/**\x0a * TActiveFileUpload.php\x0a *\x0a * @author Bra"
    <?php at 0x0 in
    "<?php\x0a/**\x0a * TActiveFileUpload.php\x0a *\x0a * @author Bradle"
    _GET[ at 0x2b46 in
    "\x09if (!$this->getPage()->getIsPostBack() && isset($_GET['TActiveFileUpload_InputId']) && isset($_GET['TAct"
    assert($ at 0x2876 in
    "()->getCache()) {\x0a\x09\x09\x09$v = $cache->get($token);\x0a\x09\x09\x09assert($v != '');\x0a\x09\x09\x09$cache->delete($token); // remove it "
    UPLOAD at 0x2d4a in
    "s in onFileUpload instead\x0a\x09\x09\x09\x09$file->setErrorCode(UPLOAD_ERR_FORM_SIZE);\x0a\x09\x09\x09\x09$params->files[] = $file->toA"
    fileupload at 0xa9c in
    "r, INamingContainer\x0a{\x0a\x09const SCRIPT_PATH = 'activefileupload';\x0a\x0a\x09/**\x0a\x09 * @var THiddenField a flag to tell whic"
    uploaded at 0x3f0 in
    "e treated as the name of the file\x0a * that will be uploaded to the server. The property {@link getHasFile Has"
    assert($ at 0x2876 in
    "()->getCache()) {\x0a\x09\x09\x09$v = $cache->get($token);\x0a\x09\x09\x09assert($v != '');\x0a\x09\x09\x09$cache->delete($token); // remove it "

RULEDATE_1:
2021-01-14
TAGS_1:
GEN, T1033, T1087_002, T1505_003, WEBSHELL
RULENAME_1:
WEBSHELL_PHP_Generic
AUTHOR_1:
Arnim Rupp (https://github.com/ruppde)
 MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
50
FILE:
/usr/src/bacula-gui-13.0.1/baculum/protected/API/Modules/BLStat.php
EXT:
.php
TYPE:
PHP
SIZE:
3794
MD5:
80aa1c3463e4dd29979b134e5eec4651
SHA1:
e8803478d208513b67815295fc5cafe74b1c1d70
SHA256:
6aa4f665dd305b2bdd08614d0aa81d34accda6d7f6d8b104915de86cf42ee3bf
FIRSTBYTES:
3c3f7068700a2f2a0a202a20426163756c612852 / <?php /* * Bacula(R
CHANGED:
Fri Aug 26 18:47:18.225 2022
MODIFIED:
Fri Aug 5 17:13:35.000 2022
ACCESSED:
Tue Sep 5 14:05:25.254 2023
PERMISSIONS:
-rw-r--r--
OWNER:
pi
GROUP:
pi
REASON_1:
YARA rule WEBSHELL_PHP_Dynamic_Big / PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k
SUBSCORE_1:
50
REF_1:
Internal Research
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1

    <?php at 0x0 in
    "<?php\x0a/*\x0a * Bacula(R) - The Network Backup Solution\x0a * "
    <? at 0x0 in
    "<?php\x0a/*\x0a * Bacula(R) - The Network Backup Solution\x0a"
    $ts[octdec($ at 0xcde in
    "ing Bit\x0a\x09\x09$mode = (key_exists(octdec($t), $ts)) ? $ts[octdec($t)][0] : 'u';\x0a\x09\x09$mode .= (($p & 0x0100) ? 'r' : '-"
    ase6 at 0x3be in
    "Stat extends APIModule {\x0a\x0a\x09/**\x0a\x09 * Decode Bacula base64 encoded LStat value.\x0a\x09 *\x0a\x09 * @param string $lsta"
    ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 at 0x472 in
    "*/\x0a\x09public function decode($lstat) {\x0a\x09\x09$base64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';\x0a\x09\x09$lstat = trim($lstat);\x0a\x09\x09$lstat_fields = ex"

RULEDATE_1:
2021-02-07
TAGS_1:
EXE, FILE, T1033, T1087_002, T1505_003, WEBSHELL
RULENAME_1:
WEBSHELL_PHP_Dynamic_Big
AUTHOR_1:
Arnim Rupp (https://github.com/ruppde)

It would be useful to check explicitly that there is no such webshell hidden in the Baculum code and to document this here, as other people may produce the same finding when using THOR or YARA with this ruleset.
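One way to perform the explicit check the report asks for, as an added example that is not part of the bug report, of THOR, or of Baculum: hash the flagged file and compare it with a known-good copy of the same file (for instance the one in the official release tarball; the reference hash is whatever you compute there, not a value from this page), then print every generic indicator string at its byte offset with surrounding context, in the shape of THOR's MATCHED lines, so the analyst can read the code around each hit. The indicator lists and the dynamic-call regex are assumptions modelled on the strings quoted as matched above, not the actual rule definitions, and the three PHP samples are constructed to reproduce those quoted fragments.

```python
"""Triage helper for a generic webshell YARA hit on a PHP file (added example)."""
from __future__ import annotations

import hashlib
import re
from pathlib import Path

# Indicator strings grouped the way a generic "input + payload" webshell rule
# reasons about them. These lists are an assumption modelled on the strings
# THOR reported as matched; they are not the real rule definitions.
INDICATORS = {
    "input": [b"$_GET[", b"$_POST[", b"$_REQUEST[", b"$_COOKIE[", b"php://input"],
    "payload": [b"assert($", b"eval(", b"system(", b"passthru(", b"shell_exec(",
                b"base64_decode("],
    # The base64 alphabet literal that the second rule matched in BLStat.php.
    "encoded": [b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"],
}
# "$a($code)": a variable used as the function name, as in the second rule's
# description. The regex is an assumption and also matches ordinary PHP callbacks.
DYNAMIC_CALL = re.compile(rb"\$[A-Za-z_]\w*\s*\(")
CONTEXT = 40  # bytes of context on each side, like THOR's "at 0x... in" lines


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_indicators(data: bytes) -> dict:
    """Map category -> indicator -> list of byte offsets where it occurs."""
    hits: dict = {}
    for category, needles in INDICATORS.items():
        for needle in needles:
            offsets, start = [], 0
            while (pos := data.find(needle, start)) != -1:
                offsets.append(pos)
                start = pos + 1
            if offsets:
                hits.setdefault(category, {})[needle.decode()] = offsets
    dynamic = [m.start() for m in DYNAMIC_CALL.finditer(data)]
    if dynamic:
        hits.setdefault("dynamic_call", {})["$var("] = dynamic
    return hits


def context(data: bytes, offset: int, length: int, width: int = CONTEXT) -> str:
    lo, hi = max(0, offset - width), min(len(data), offset + length + width)
    return data[lo:hi].decode("utf-8", "replace")


def triage(data: bytes, reference_sha256: str | None = None) -> dict:
    """Hash the content, compare with a known-good hash, and localise indicators."""
    digest = sha256_bytes(data)
    hits = find_indicators(data)
    return {
        "sha256": digest,
        "matches_reference": reference_sha256 is not None
        and digest == reference_sha256.lower(),
        "hits": hits,
        # The generic rule's logic: an input source AND a payload function.
        "input_and_payload": "input" in hits and "payload" in hits,
    }


def triage_file(path: str, reference_sha256: str | None = None) -> dict:
    return triage(Path(path).read_bytes(), reference_sha256)


# Constructed samples that reproduce the fragments THOR quoted; not the real files.
SAMPLE_TACTIVE = (
    b"<?php\n/**\n * TActiveFileUpload.php (constructed sample)\n */\n"
    b"\t\t\t$v = $cache->get($token);\n"
    b"\t\t\tassert($v != '');\n"
    b"\t\t\t$cache->delete($token); // remove it\n"
    b"\tif (!$this->getPage()->getIsPostBack() && isset($_GET['TActiveFileUpload_InputId'])) {\n"
    b"\t\t$file->setErrorCode(UPLOAD_ERR_FORM_SIZE);\n\t}\n"
)
SAMPLE_BLSTAT = (
    b"<?php\n/*\n * Bacula(R) - The Network Backup Solution (constructed sample)\n */\n"
    b"class BLStat extends APIModule {\n\tpublic function decode($lstat) {\n"
    b"\t\t$base64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';\n"
    b"\t\t$lstat = trim($lstat);\n"
    b"\t\t$mode = (key_exists(octdec($t), $ts)) ? $ts[octdec($t)][0] : 'u';\n\t}\n}\n"
)
# A benign PHP callback has the same syntactic shape as "$a($code)", which is
# why a dynamic-call heuristic alone cannot separate framework code from a shell.
SAMPLE_CALLBACK = b"<?php\n$callback = 'strtoupper';\necho $callback($name);\n"

if __name__ == "__main__":
    for name, data in [("TActiveFileUpload sample", SAMPLE_TACTIVE),
                       ("BLStat sample", SAMPLE_BLSTAT),
                       ("callback sample", SAMPLE_CALLBACK)]:
        report = triage(data)
        print(f"== {name}: sha256={report['sha256']} "
              f"input_and_payload={report['input_and_payload']}")
        for category, needles in report["hits"].items():
            for needle, offsets in needles.items():
                for off in offsets:
                    print(f"  [{category}] {needle} at 0x{off:x} in "
                          f"{context(data, off, len(needle))!r}")
```

Against the real files, call triage_file(path, reference_sha256) with the hash of the same file from the release tarball. The TActiveFileUpload sample trips the input-plus-payload logic (isset($_GET[...]) together with assert($v != '')) exactly as in the report, while the BLStat sample only contains the base64 alphabet; in each case the printed context shows what the surrounding code does, and a hash match against the upstream copy confirms the file byte for byte.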

Steps to Reproduce

  1. download THOR Lite and get a free license
  2. run THOR Lite on a system where the Bacula and Baculum source code is located

Additional Information

Names of the rules: WEBSHELL_PHP_Generic, WEBSHELL_PHP_Dynamic_Big

Source for the rule: https://github.com/ruppde/yara_rules

Tool used to produce the finding: THOR Lite Linux 64 bit (the Community Edition is free), https://www.nextron-systems.com/thor-lite/

Edited by Justin Case