Detect & Protect from PHP Backdoor Shells

Recently I undertook to investigate a web server hacking incident. It was an up-to-date Debian machine (apache2+php5+mysql) that hosted a Joomla CMS for a logistics website. The web admin had installed a Joomla extension plugin that allows users to put custom PHP code in their articles. The attacker had phished valid login credentials for the website and published an article in which he placed a simple PHP backdoor shell. The moderator who approved the article did not notice the malicious code, so the article went public as usual.

After finishing the forensic procedures, I found out that the attacker had used the weevely tool to generate the PHP backdoor shell he injected into the article. I had never handled a comparable PHP backdoor incident before, which turned this into a two-day exhaustive investigation. After finding the problem and cleaning the infection, I did a little research on PHP backdoor detection/protection tools and scripts.

In the rest of the article I summarize the basic steps for detecting and protecting against malicious PHP code. Of course there are different approaches to detecting and protecting against malicious web activity depending on the working framework, but I try to provide a general guideline using tools and procedures that I have used in my own cases.

Step1 – PHP Configuration Security Auditing

PHP is a very powerful programming language, but the running configuration must be tweaked very carefully to minimize security holes. Several security auditing tools and scripts exist; of the ones I have tested I preferred the phpsecinfo tool. phpsecinfo parses the PHP configuration and generates a web report with detailed information and improvement suggestions.

Here are some screenshots from an example report:

Step2 – Running Web Platform Configuration

Popular web CMSs and platforms offer a large number of extensions and plugins to their users. Inexperienced web developers and admins tend to use as many plugins as possible, believing this will make the website more attractive or functional. From a security perspective this approach is wrong, because more plugins mean more security risks.

The developers of these popular web platforms follow the latest security exploits and create the corresponding patches, securing the core platform against already known attacks. Plugin source code, on the other hand, is not revised and tested for security holes nearly as regularly, which puts the whole platform in great danger.

Most plugins follow the above rule, although some developers do update their plugins' source code diligently and provide a sufficient security level. So do not install unnecessary plugins on your web platform, and when you have to, carefully investigate the plugin's source code and how it affects the core platform. Additionally, install plugins manually so that you can carefully inspect and tweak their configuration variables and paths.

Step3 – Detection Tools & Scripts

PHP backdoor shells use PHP functions that execute external commands on the host machine. PHP users know these functions, so with a simple grep script one can find the files in which such functions occur and inspect them to see whether they are legitimate or malicious. Here is a simple bash script that searches for system functions, file streams and base64-encoded code:

#!/bin/bash

#------------------------------------------------#
# Search web files for potential malicious code. #
#------------------------------------------------#

SEARCH_DIR="/var/www"
PATTERNS="passthru|shell_exec|system|phpinfo|base64_decode|popen|exec|proc_open|pcntl_exec|python_eval|fopen|fclose|readfile"

# -R recurse, -P Perl-style regex, -l print only the names of matching files
grep -RPl --include=*.{php,txt} "($PATTERNS)" "$SEARCH_DIR"

exit 0

Going one step further than simple search scripts, there is NeoPI. NeoPI is a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content within text/script files. I tested NeoPI on the incident I mentioned, and the tool successfully located the malicious file and ranked it high. However, because it relies on statistical methods, NeoPI may also rank malicious files lower while giving a bigger risk percentage to legitimate files, disorienting your investigation.
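As an added example (not from the original post, and not code from weevely, NeoPI or LMD), the following Python scanner combines the grep idea above with a NeoPI-style heuristic: it matches only actual calls to suspicious functions, so a word such as "filesystem" does not trip the "system" pattern, and it scores long base64-looking literals by their Shannon entropy. The function list, the scoring weights and the sample sources are my own choices, and the base64 blob is constructed from harmless text.

```python
import base64
import math
import re
from pathlib import Path
# PHP functions that backdoors use to run commands or unpack hidden code (my own list).
SUSPICIOUS = ("passthru", "shell_exec", "system", "exec", "popen", "proc_open", "pcntl_exec",
              "eval", "assert", "base64_decode", "gzinflate", "str_rot13", "create_function")
# Match real calls only (name followed by "("), so "filesystem" is not a hit.
CALL_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS) + r")\s*\(")
# Quoted base64-looking literals of 40+ chars: typical of encoded payloads.
B64_RE = re.compile(r"['\"]([A-Za-z0-9+/=]{40,})['\"]")

def entropy(text):
    """Shannon entropy in bits per character; encoded blobs score high."""
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n)
                for c in set(text)) if n else 0.0

def score_source(src):
    """+1 per distinct suspicious call, +2 per long base64 literal,
    +2 more when that literal's entropy exceeds 4.5 bits per character."""
    calls = sorted(set(CALL_RE.findall(src)))
    score, reasons = len(calls), []
    if calls:
        reasons.append("calls: " + ", ".join(calls))
    for blob in B64_RE.findall(src):
        score += 2
        reasons.append("base64 literal of %d chars" % len(blob))
        if entropy(blob) > 4.5:
            score += 2
            reasons.append("high-entropy literal")
    return score, reasons

def rank_sources(sources):
    """Rank a {name: source} mapping highest score first, dropping clean files."""
    ranked = []
    for name, src in sources.items():
        score, reasons = score_source(src)
        if score:
            ranked.append((score, name, reasons))
    return sorted(ranked, reverse=True)

def rank_files(root):
    """Scan *.php and *.txt under root, the same scope as the grep script."""
    paths = [p for p in Path(root).rglob("*") if p.suffix in (".php", ".txt")]
    return rank_sources({str(p): p.read_text(errors="replace") for p in paths})

# Constructed samples: the blob is base64 of harmless text, not a real payload.
BLOB = base64.b64encode(b"constructed demo blob for the scanner, not real code").decode()
SAMPLES = {"article.php": '<?php eval(base64_decode("' + BLOB + '")); ?>',
           "about.php": '<?php echo "filesystem overview"; readfile("about.txt"); ?>'}
```

Running rank_files("/var/www") prints nothing by itself; iterate over the returned list, which puts the encoded one-liner first and omits the clean file, and read the flagged files by hand before deciding they are malicious.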

For more advanced and comprehensive reports one can turn to a malware scanner. In the incident I examined I used the LMD (Linux Malware Detect) scanner. This was the first time I used this tool, and I have to say that I am very satisfied with its functionality. To test the tool further, I created four other PHP backdoors using known scripts from pen-test frameworks, and LMD successfully found all of them.

And of course there is the powerful ClamAV antivirus, but I didn't have time to set it up and test its results against the PHP backdoors I mentioned. From what I have read on the web, though, it is very efficient and has successfully located PHP backdoors and malware code.

Step4 – Protection

Protection countermeasures are built from the tools and information of the previous steps. Here are some points in the PHP configuration that sysadmins must pay attention to:

    • allow_url_fopen: allows PHP file functions to include remote files from external FTP or HTTP locations. This option is enabled in a default installation and is rarely used.
    • Dangerous PHP functions: using the disable_functions directive in php.ini, disable all the dangerous PHP system functions (system, shell_exec, passthru, etc.) that malicious code might use. Be careful with the rare cases in which a web platform needs some of these functions.
    • open_basedir: use this php.ini directive to limit file operations to the defined directory and below.
    • Web user permissions: carefully examine the web server user's access level and permissions.
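As an added example rather than anything from the original post, this Python script checks a php.ini for the first three points above (allow_url_fopen, disable_functions and open_basedir) and reports what is still weak; the fourth point, the web user's permissions, lives outside php.ini and is not covered. The two ini fragments are constructed, and the set of functions that must be disabled is my extension of the page's system/shell_exec/passthru.

```python
# Functions the bullet list asks to disable, plus the other exec-family calls (my choice).
MUST_DISABLE = {"system", "shell_exec", "passthru", "exec", "popen", "proc_open", "pcntl_exec"}
TRUTHY = ("1", "on", "true", "yes")

def parse_php_ini(text):
    """Minimal php.ini reader: drops ; comments and [sections], keeps key = value.
    (A value containing ';' would be cut short; fine for the directives checked here.)"""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def audit_php_ini(text):
    """Return findings for the three php.ini points above; [] means all three are set safely."""
    s = parse_php_ini(text)
    findings = []
    # PHP's built-in default for allow_url_fopen is On, so a missing directive counts as enabled.
    if s.get("allow_url_fopen", "1").lower() in TRUTHY:
        findings.append("allow_url_fopen is enabled: remote file includes are possible")
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(MUST_DISABLE - disabled)
    if missing:
        findings.append("disable_functions does not cover: " + ", ".join(missing))
    if not s.get("open_basedir"):
        findings.append("open_basedir is unset: file operations are not confined")
    return findings

# Constructed php.ini fragments: one resembling the defaults, one hardened.
WEAK_INI = """[PHP]
allow_url_fopen = On
disable_functions =
; open_basedir left unset
"""
HARDENED_INI = """[PHP]
allow_url_fopen = Off
disable_functions = system,shell_exec,passthru,exec,popen,proc_open,pcntl_exec
open_basedir = /var/www/html:/tmp
"""
```

Feed it the real file with audit_php_ini(open("/etc/php5/apache2/php.ini").read()) and re-run after each change until the list is empty, then confirm with phpsecinfo that the running configuration picked the values up.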

By carefully working through the options flagged in the PHP security audit report, adopting an automated malware detection tool and checking the points mentioned above, an adequate security level is established for your running web servers and platforms.

A. Bechtsoudis

4 Comments

shipcode, September 29th, 2011 at 06:46

Nice tutorial you got here dude. Btw, I'm shipcode from ROOTCON (http://rootcon.org/) and I'm one of their bloggers (http://blog.rootcon.org/). I am also into information security and thanks for the heads up here.

vuln, September 23rd, 2012 at 05:22

Make this a plugin for WordPress etc., that will be cool. If you want help, and if you have the time, I'd like to chat about some ideas and learn from an expert on certain things.

anestisb, September 23rd, 2012 at 11:47

Actually I think that similar plugins for WordPress already exist. Attack-Scanner is getting a lot of fame lately (I haven't tested it yet). Although, by reading such plugins' features it seems that they might need slightly more privileges in a web server setup to work effectively. A cost that personally I'm not willing to pay.

Besides, I'm not a web/WordPress developer, so I'm not considering coding such plugins. Although, I would be happy to assist the people willing to work on it.

vuln, September 24th, 2012 at 23:29

I hear you, thanks for responding, and yes you are right about privileges, and even if you code right, if WordPress screws up there's your setuid program for the taking. I hear you, thank you for responding.