Archive

Posts Tagged ‘Web Security’

How to find backdoor PHP shell scripts on a server

Czerwiec 17, 2012 1 komentarz

How to find backdoor PHP shell scripts on a server

When hackers get access to your website server, they sometimes install a backdoor shell script designed to allow them to regain entry even after you’ve cleaned up the site, repaired the original security hole that allowed the hack to occur, otherwise improved site security, and even installed measures to try to lock the hackers out.

A backdoor script can be called from a browser like any other web page. It gives its user a web page interface where they can download and upload, view or modify files, create directories, and otherwise manage the site using PHP’s ability to read and write files and pass operating system commands through to the operating system.

One way to find these scripts is by searching website access logs for the suspicious lines that can be generated when someone uses the scripts to modify site files.

Backdoor scripts often need to use PHP commands that most legitimate scripts don’t, so you can search the files in your site for those commands. There are search utility programs you can use for finding text in files:

  • passthru
  • shell_exec
  • system
  • phpinfo
  • base64_decode
  • edoced_46esab
  • chmod
  • mkdir
  • „ (backticks with an operating system command between them)
  • fopen
  • fclose
  • readfile

On a Linux server, the grep program is already installed as part of the operating system. The only problem is figuring out how to launch it.

If you have command line access to your server (SSH), there’s no problem. You can run it from the command line and have the results displayed to you.

Sample text searches for suspicious PHP code.

Do the search once for each of the suggested PHP keywords listed above.

grep -Rn "mkdir *(" public_html/

Or

grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" public_html/

Or we can use the following script ( source )

#!/usr/bin/perl -w
#usage: ./findshell.pl <sensitivity 1-50> <directory to scan>
use strict;
use File::Find;
my $sens = <a href="http://perldoc.perl.org/functions/shift.html">shift</a>  || 10;
my $folder = <a href="http://perldoc.perl.org/functions/shift.html">shift</a> || './';
find(\&backdoor, "$folder");
sub backdoor {
    if ((/\.(php|txt)/)){
       <a href="http://perldoc.perl.org/functions/open.html">open</a> (my $IN,"<$_") || <a href="http://perldoc.perl.org/functions/die.html">die</a> "can not open datei $File::Find::name: $!";
       my @file =  <$IN>;
       #maybe evil stuffs
       my $score = <a href="http://perldoc.perl.org/functions/grep.html">grep</a> (/function_exists\(|phpinfo\(|safe_?mode|shell_exec\(|popen\(|passthru\(|system\(|myshellexec\(|exec\(|getpwuid\(|getgrgid  \(|fileperms\(/i,@file);
       #probably evil stuffs
       my $tempscore = <a href="http://perldoc.perl.org/functions/grep.html">grep</a>(/\`\$\_(post|request|get).{0,20}\`|(include|require|eval|system|passthru|shell_exec).{0,10}\$\_(post|request|get)|eval.{0,10}base64_decode|back_connect|backdoor|r57|PHPJackal|PhpSpy|GiX|Fx29SheLL|w4ck1ng|milw0rm|PhpShell|k1r4|FeeLCoMz|FaTaLisTiCz|Ve_cENxShell|UnixOn|C99madShell|Spamfordz|Locus7s|c100|c99|x2300|cgitelnet|webadmin|cybershell|STUNSHELL|Pr!v8|PHPShell|KaMeLeOn|S4T|oRb|tryag|sniper|noexecshell|\/etc\/passwd|revengans/i, @file);
       $score +=  50 *  $tempscore;
       <a href="http://perldoc.perl.org/functions/print.html">print</a> "$score - Possible backdoor : $File::Find::name\n" if ($score > $sens-1 );
       <a href="http://perldoc.perl.org/functions/close.html">close</a> $IN;
  }elsif((/\.(jpg|jpeg|gif|png|tar|zip|gz|rar|pdf)/)){
       <a href="http://perldoc.perl.org/functions/open.html">open</a> (my $IN,"<$_") || (<a href="http://perldoc.perl.org/functions/print.html">print</a> "can not open datei $File::Find::name: $!" && next);
       <a href="http://perldoc.perl.org/functions/print.html">print</a> "5000 - Possible backdoor (php in non-php file): $File::Find::name\n" if <a href="http://perldoc.perl.org/functions/grep.html">grep</a> /(\<\?php|include(\ |\())/i, <$IN>;
       <a href="http://perldoc.perl.org/functions/close.html">close</a> $IN;
  }
}

Source:

Web Shell Detection Using NeoPI

Kategorie:BackDoor Tags: ,