Malware distributors, hackers, and phishing scammers continue to hide the login forms for their web shells inside fake HTTP error documents. These pages look like HTTP error responses such as 404 Not Found or 403 Forbidden, but in reality they are login pages that let an attacker authenticate to a web shell and issue commands on the server.
While this practice is not new, phishing expert & security researcher nullcookies has noticed an increase in the use of these types of fake error pages to hide web shells. These web shells allow the hackers to upload malware, phishing scripts, or other software.
“The technique isn’t new,” nullcookies told Bleeping Computer, “but what I find noteworthy is the increasing frequency of them and how it’s easy for someone to miss them unless they’re familiar with the technique.”
For this article, nullcookies sent me some example URLs of pages that use these fake error pages. At first glance it is easy to see how someone would take them for a standard 404 error page and conclude that the page simply doesn’t exist.
Fake 404 Not Found page
If you dig deeper, though, and look at the source of the page, you can see a very different page lurking in the background. The source shows that there is a login form on the page, but it is hidden using CSS that positions the login prompt at the very bottom of the page and removes the scroll bar, so nothing suggests there is anything further down to scroll to.
Fake 404 Not Found source
If you use the page down key, though, the login form quickly becomes visible.
Fake 404 Not Found login prompt
Another page we were sent uses the “Forbidden” error message. Like the fake 404 page, this too is hiding a login form in it, but once again the attackers use creative methods to hide the input field.
Fake Forbidden error page
On this page, the attacker hides the form field altogether, so even if you scroll down you won’t see it. Instead, the attacker reaches the field by knowing exactly where it is or by tabbing into it, since a visually hidden input still receives keyboard focus and still submits with the form.
Hidden password field
According to nullcookies, web shells hiding behind these fake error pages pose a particular danger to system administrators who clean up a phishing install but don’t realize that another page on the site is hiding a web shell, which lets the attacker easily reinfect the site.
“Some Guy at Some Company will miss those panels because they won’t realize there’s something to delete in the first place,” nullcookies told Bleeping Computer. “One of the reasons that some phishes keep re-appearing even after the webmaster or whoever takes down the phish and attempts to lock everything down.”
With that said, if you ever receive reports that your site is compromised and you investigate it, don’t automatically assume an error page is legitimate. Examine its source: a genuine error document has no reason to contain a form, a password field, or CSS that pushes content off screen or strips the scroll bar.
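The following script is an added example, not code from the article or from nullcookies, that turns the advice above into a repeatable check over a web root. It parses each HTML or PHP file with Python's standard library, and flags any document whose title reads like an error page but which contains a form or password input. It also reports the CSS tricks the article describes (overflow:hidden on the body, elements positioned thousands of pixels down, inputs shrunk to a pixel or made transparent). The three sample documents are constructed for the demonstration and the CSS patterns are my own heuristics, so expect to tune them; also note that the HTTP status code is not a useful signal here, since a PHP shell can return whatever status it likes, which is why the check looks at the body rather than the response headers.

```python
"""Flag fake HTTP error pages that hide a web shell login form.

Added example (not from the article). Heuristics and samples are the
author's own assumptions; tune HIDING_CSS for your site's stylesheets.
"""
import os
import re
from html.parser import HTMLParser

# Titles that look like an HTTP error document.
ERROR_TITLE = re.compile(r"\b(40[34]|50\d|not found|forbidden|error)\b", re.I)

# CSS fragments commonly used to keep a form out of sight (assumed patterns).
HIDING_CSS = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|opacity\s*:\s*0(?![.\d])"                       # fully transparent
    r"|(?:top|left|margin-top|margin-left|text-indent)\s*:\s*-?\d{3,}px"
    r"|(?:width|height)\s*:\s*[01]px"                  # 0/1 pixel box
    r"|overflow\s*:\s*hidden",                         # removes the scroll bar
    re.I,
)

# Constructed sample documents (illustrative only, not real captured pages).
FAKE_404 = """<html><head><title>404 Not Found</title>
<style>body{overflow:hidden;margin:0}#login{position:absolute;top:4000px}</style>
</head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p>
<div id="login"><form method="post"><input type="password" name="pass">
<input type="submit" value="&gt;"></form></div></body></html>"""

FAKE_403 = """<html><head><title>403 Forbidden</title></head>
<body><h1>Forbidden</h1><p>You don't have permission to access / on this server.</p>
<form method="post" action=""><input type="password" name="p"
 style="opacity:0;width:1px;height:1px;border:0"></form></body></html>"""

REAL_404 = """<html><head><title>404 Not Found</title></head>
<body><h1>Not Found</h1><p>The requested URL was not found.</p></body></html>"""


class _Collector(HTMLParser):
    """Gather title, <style> text, form count and <input> attributes."""

    def __init__(self):
        super().__init__()
        self.title, self.styles, self.inputs, self.forms = "", [], [], 0
        self._in_title = self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "style":
            self._in_style = True
        elif tag == "form":
            self.forms += 1
        elif tag == "input":
            self.inputs.append(((a.get("type") or "text").lower(), a.get("style") or ""))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif self._in_style:
            self.styles.append(data)


def analyze(html):
    """Return a report dict; 'suspicious' is True for an error page with a login form."""
    c = _Collector()
    c.feed(html)
    c.close()
    findings = []
    looks_like_error = bool(ERROR_TITLE.search(c.title))
    if c.forms:
        findings.append(f"{c.forms} form element(s) inside an error page")
    passwords = [style for typ, style in c.inputs if typ == "password"]
    if passwords:
        findings.append(f"{len(passwords)} password input(s)")
    for typ, style in c.inputs:                      # inline hiding on the input itself
        m = HIDING_CSS.search(style)
        if m:
            findings.append(f"input[type={typ}] hidden with inline css '{m.group(0)}'")
    for block in c.styles:                           # hiding rules in <style> blocks
        for m in HIDING_CSS.finditer(block):
            findings.append(f"stylesheet rule '{m.group(0)}'")
    return {
        "title": c.title.strip(),
        "looks_like_error_page": looks_like_error,
        "findings": findings,
        "suspicious": looks_like_error and (c.forms > 0 or bool(passwords)),
    }


def scan_tree(root, exts=(".html", ".htm", ".php")):
    """Yield (path, report) for every suspicious file under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report = analyze(fh.read())
                if report["suspicious"]:
                    yield path, report


if __name__ == "__main__":
    for label, doc in (("fake 404", FAKE_404), ("fake 403", FAKE_403), ("real 404", REAL_404)):
        r = analyze(doc)
        print(f"{label}: suspicious={r['suspicious']} findings={r['findings']}")
```

Run it against a web root with `for path, report in scan_tree("/var/www/html"): print(path, report["findings"])` (path is an assumption). The verdict deliberately keys on "error page plus form" rather than on the CSS alone, because legitimate templates also use overflow:hidden and off-screen positioning; the CSS matches are listed as supporting evidence so the reviewer can see how the form was concealed, which is exactly the detail the two pages above differ on.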