Published on July 27th, 2018 📆 | 3163 Views ⚑0
Hackers Hiding Web Shell Logins in Fake HTTP Error Pages
Malware distributors, hackers, and phishing scammers are continuing to use the practice of hiding login forms for their web shells in fake HTTP error documents. These pages pretend to be HTTP errors such as 404 Not Found or Forbidden, while in reality they are login pages that allow an attacker to access a web shell to issue commands on the server.
While this practice is not new, phishing expert & security researcher nullcookies has noticed an increase in the use of these types of fake error pages to hide web shells. These web shells allow the hackers to upload malware, phishing scripts, or other software.
"The technique isn't new," nullcookies told Bleeping Computer. "but what I find noteworthy is the increasing frequency of them and how it's easy for someone to miss them unless they're familiar with the technique."
For this article, nullcookies sent me some example urls of pages that are utilizing these fake error pages and at first glance it's easy to see how someone would think they are just a standard 404 error page and that the page doesn't exist.
If we dig deeper, though, and look at the source of the page, you can see a very different page lurking in the background. The source shows that there is a login form on the page, but it is hidden using CSS that places the login prompt at the very bottom of the page and removes the scroll bar so you wouldn't think to scroll down to see it.
If you use the page down key, though, the login form quickly becomes visible.
Another page we were sent uses the "Forbidden" error message. Like the fake 404 page, this too is hiding a login form in it, but once again the attackers use creative methods to hide the input field.
In this page, the attacker hides the form field altogether, so even if you attempt to scroll down you won't see it. Instead you need to access the form field by knowing exactly where it is or tabbing into it.
According to nullcookies, web shells hiding behind these fake error pages pose a particular danger to system administrators who may clean up a phishing install, but not realize another page on the site is hiding a web shell that could allow an attacker to easily reinfect the site.
"Some Guy at Some Company will miss those panels because they won't realize there's something to delete in the first place," nullcookies told Bleeping Computer. "One of the reasons that some phishes keep re-appearing even after the webmaster or whoever takes down the phish and attempts to lock everything down.
With that said, if you ever receive reports that your site is compromised and you investigate it, don't automatically assume an error page is legitimate and investigate further by examining the source.