Redik is a multi-purpose first stage web shell that provides HTTP C&C communication and DNS data exfiltration for later infections on the compromised server.
- The attacker exploits a separate, unspecified vulnerability and sends an HTTP POST request with the obfuscated Redik PHP web shell in the request body. The server replies with the success response specific to that vulnerability.
- The attacker sends an HTTP POST request to (re)configure the web shell. The request body carries the settings as either multipart/form-data or application/x-www-form-urlencoded.
- The server replies with an HTTP 302 Found response whose Location header points to the new or modified web shell. The attacker has successfully (re)configured the installed web shell.
- The attacker sends an HTTP GET request to the web shell to retrieve the current configuration.
- The server replies with HTTP 200 OK and HTML forms containing the current configuration. HTML forms allow the attacker to change the configuration or upload additional files.
- The attacker sends an HTTP POST request to the web shell. The request body contains an executable PHP file.
- The server replies with an HTTP 200 OK response and message to indicate the successful file upload.
- The attacker sends an HTTP POST request to the web shell. The request body contains the filename and content for the creation of an executable PHP file.
- The server replies with an HTTP 200 OK response and message to indicate the successful file creation.
- The compromised server makes an outbound HTTP GET request to the attacker-controlled resource that acts as C&C.
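The request/response sequence above is observable at a reverse proxy or network sensor. The following Python is an added illustration for this advisory, not Alert Logic code or a Threat Manager signature: it classifies HTTP transaction records into the stages described (form POST answered by a 302 to a PHP file, POST carrying PHP source, outbound GET from the server) and only raises an alert when a server shows the inbound shell stages correlated with further stages. The record layout (one dict per transaction with a `direction` field), the hostnames, IPs, paths and timestamps are all constructed for the example.

```python
"""Correlate HTTP transaction records into the Redik web shell sequence.

Added example for this advisory; not Alert Logic code or an IDS signature.
The record format and every sample value below are constructed.
"""
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed transactions as a reverse proxy or sensor might log them.
# "direction" is "inbound" (client -> web server) or "outbound" (server -> Internet).
SAMPLE_TRANSACTIONS = [
    # Stage: (re)configuration -- form POST to a PHP path, 302 back to a PHP file.
    {"ts": "2024-01-01T10:00:00Z", "direction": "inbound", "server": "www.example.test",
     "method": "POST", "path": "/uploads/cache.php", "status": 302,
     "req_content_type": "application/x-www-form-urlencoded", "req_body": "cfg=...",
     "resp_location": "/uploads/cache.php?c=1"},
    # Stage: upload of an executable PHP file through the shell.
    {"ts": "2024-01-01T10:00:05Z", "direction": "inbound", "server": "www.example.test",
     "method": "POST", "path": "/uploads/cache.php", "status": 200,
     "req_content_type": "multipart/form-data; boundary=xyz",
     "req_body": ('--xyz\r\nContent-Disposition: form-data; name="f"; filename="x.php"'
                  '\r\n\r\n<?php echo 1; ?>\r\n--xyz--'),
     "resp_location": None},
    # Stage: compromised server calls out to the C&C resource (constructed address).
    {"ts": "2024-01-01T10:00:09Z", "direction": "outbound", "server": "www.example.test",
     "method": "GET", "path": "http://203.0.113.7/cc/ping", "status": 200,
     "req_content_type": None, "req_body": "", "resp_location": None},
    # Benign login: form POST redirecting to an HTML page must not match.
    {"ts": "2024-01-01T10:01:00Z", "direction": "inbound", "server": "www.example.test",
     "method": "POST", "path": "/login.php", "status": 302,
     "req_content_type": "application/x-www-form-urlencoded", "req_body": "user=a&pass=b",
     "resp_location": "/home.html"},
]

FORM_TYPES = ("application/x-www-form-urlencoded", "multipart/form-data")


def is_php_path(url_or_path: str) -> bool:
    """True when the path component (query string ignored) ends in .php."""
    return urlparse(url_or_path).path.lower().endswith(".php")


def classify(tx: dict) -> Optional[str]:
    """Map one transaction to a stage name ('configure', 'upload', 'beacon') or None."""
    ctype = (tx.get("req_content_type") or "").lower()
    if tx["direction"] == "inbound" and tx["method"] == "POST" and is_php_path(tx["path"]):
        # (Re)configuration: form body answered with a redirect to a PHP file.
        if (tx["status"] == 302 and ctype.startswith(FORM_TYPES)
                and tx.get("resp_location") and is_php_path(tx["resp_location"])):
            return "configure"
        # Upload/creation: request body carries PHP source and the server accepts it.
        if tx["status"] == 200 and "<?php" in (tx.get("req_body") or ""):
            return "upload"
    if tx["direction"] == "outbound" and tx["method"] == "GET":
        # Any outbound GET is only meaningful once inbound shell stages were seen.
        return "beacon"
    return None


def detect(transactions: Iterable[dict], min_stages: int = 2) -> List[dict]:
    """Alert per server when at least one inbound shell stage was seen and the
    number of distinct stages reaches min_stages."""
    stages: Dict[str, List[Tuple[str, str]]] = {}
    for tx in sorted(transactions, key=lambda t: t["ts"]):
        stage = classify(tx)
        if stage:
            stages.setdefault(tx["server"], []).append((tx["ts"], stage))
    alerts = []
    for server, seen in stages.items():
        distinct = {s for _, s in seen}
        if distinct & {"configure", "upload"} and len(distinct) >= min_stages:
            alerts.append({"server": server, "stages": sorted(distinct),
                           "first_seen": seen[0][0], "last_seen": seen[-1][0]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_TRANSACTIONS):
        print(alert)
```

The single-stage rules are deliberately coarse (a legitimate form handler that redirects to another PHP page looks like the configuration step, and web servers make outbound requests for many reasons), which is why the alert is only raised on the correlated sequence per server; tune `min_stages` and the stage set to the environment's baseline.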
The attacker must be able to inject the malicious code onto the web server through another vulnerability or exploit.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) in Alert Logic Threat Manager™ has been updated with new signatures for this exploit. If a signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Upgrade the software through which the web shell was injected to a non-vulnerable version to mitigate this vulnerability.