PHP Web Shell Backdoor Analyzing Scripts And Removing Malicious Codes

PHP Web Shell Backdoor: Analyzing Scripts And Removing Malicious Codes

Last Updated: 13th August, 2022

PHP Web Shell Backdoor: PHP is the primary engine currently powering nearly any renowned CMS such as WordPress, Magento, Prestashop, etc. This server-side scripting language is so popular that it powers almost 80 percent of websites on the internet today. However, sites using PHP are also widely targeted by hackers as one exploit can work across all of them.

Often clever techniques are deployed to work maliciously behind the scenes. The PHP web shell backdoor is one such malicious script or program designed to infect your website secretly. PHP’s founder, Rasmus Lerdorf, asserts,

We’ve got a little more safety report out there other than some other languages. Almost all of these stuffs are practically local exploits, in the sense that you need to be on both the machine, and you need to be able to write PHP code.


The Ultimate Guide to WordPress and GDPR Compliance: Made Easy

Table Of Contents


The ‘New Normal’: How To Adapt With Prior And Get Along

What Is A PHP Web Shell Backdoor And Why Do I Get Infected?

These are basically malicious scripts and programs that are designed to perform a variety of malicious actions on your site. Simple web shells are command-based scripts. The PHP web shell enables remote management of your PHP server’s administration by attackers. The attackers can access it using a URL on the internet. More advanced web shells can however access the memory directly.

Often, these infections reoccur even after cleanup as they are designed for maintaining persistent access. Most of the backdoor uses various obfuscation techniques to evade detection. Some even implements complex algorithms to hide directly in memory.


Google Fixes Critical PNG Security Bug, Though Billions of Android Users Still Vulnerable

A PHP web shell can survive in your website in several forms. A few usual security factors, however, that allows towards this infection:

  • Weak or default Passwords.
  • Unrestricted PHP file upload.
  • Poor PHP site coding, enabling invalidated input.
  • Outdated PHP version.
  • Improper PHP configurations.
  • Weak file permissions of sensitive files.
  • Improper error reporting and disclosure of code.

What Can A PHP Web Shell Backdoor Do?

The generic backdoor PHP web shell enables attackers to operate commands like an administrator on your PHP server. At times, the attackers may also attempt to escalate privileges. Using this shell, the attackers can:


WordPress Optimization Guide With Cloudflare Integration 2023

  • Access any type of data on your server.
  • May use your server to mine cryptocurrency.
  • Can turn your server into a bot which obeys instructions from the attacker to churn out large amounts of spam.
  • And many more evil things!

PHP Web Shell Backdoor: Code Analysis

A generic backdoor PHP web shell operates with the following methods:

The first step is to initialize the system variables. The web shell implies that almost no errors are printed out to avoid detection while doing so. This is done by creating an x_die function. Whenever there is an error, messages regarding the issue are passed through this function. This function then uses the die() function of PHP to exit the current script.

PHP Web Shell Backdoor Code Analysis

The next step is to check if the web shell can execute commands on the PHP server. For this, the generic backdoor PHP web shell checks various executing functions of PHP like the exec(), system(), etc.

For this, the generic PHP web shell checks various executing functions of PHP like the exec(), system(), etc.

Thereafter, the PHP web shell verifies the system configurations and checks if those can be altered by the web shell. In case the configuration functions are not present, it simply passes a ‘can not config‘ message to the x_die() function.


Does Your Enterprise Cyber Risk Management Really Good Enough?

In case the configuration functions are not present, it simply passes a ‘can not config‘ message to the x_die() function.

Thereafter, it also checks for the safe mode on the PHP server. Safe mode of PHP is often deployed on shared servers. This is a feature which verifies that the process which has opened a particular file is run by a verified user. The web shell will stop much farther execution if the safe mode is activated.

if(x_ini_get(‘safe_mode’)){x_die(‘can not exec: safe mode active’);}

When all of these prerequisites are achieved, the web shell employs Windows Systems’ Superfetch service to execute commands.


How To Install Let’s Encrypt SSL Certificate Manually In cPanel

When all of these prerequisites are achieved, the web shell employs Windows Systems' Superfetch service to execute commands.

Detection And Removal

  1. Look up if you were infected with the generic backdoor PHP web shell by searching throughout all your PHP file’s source code.
  2. If it is hard to search manually, then choose the Grep command.
  3. Use the grep commands to search the dump of the web shell code inside your folders by this code:
    grep -r "dump of web shell" /folderToSearch/
  4. Just using the technique, it is possible to detect the generic web shell. However, this method has its own limitations as it can search only for one type of generic web shell.
  5. new_releases

    Security Assessments: Importance Of Choosing The Right Cloud Service Providers

  6. To search for other web shells you need to know the source code. To overcome this problem, you can use web shell detecting tools available for free on GitHub.
  7. Must not forget to inspect logs to detect the PHP web shell for any highly suspicious HTTP requests. Once you’ve identified it, remove the web shell.
  8. That when a PHP web shell dump is identified in any sensitive documents, contact any good web security specialist to remove and analyze further malware.

Artificial Intelligence (AI) And Machine Learning (ML): Where Are Humans?


  1. Stay up to date with your PHP version.
  2. Avoid using the default or weak passwords.
  3. Always check for any site misconfigurations.
  4. Ensure the file permissions are never set to 777 as it can allow anyone to edit your files!
  5. Ensure that while developing your PHP file, secure coding standards are met.
  6. Go for a comprehensive penetration testing to discover vulnerabilities in your PHP site.

It’s not just enough to erase the web shell to secure your website. Using the vulnerability on your website, the attackers can always upload a new shell. For an average user, detecting this vulnerability may not be easy. So, it is recommended to use a security solution to automate this process.

, , , , , , , , , , , , ,
Previous Post
Project Soli, Remastered: How Radar-Detected Gestures Might Differ Pixel 4
Next Post
WordPress Website “1800ForBail – One+Number” Or “1800ForBail”, “Blogname” Hack

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.
You need to agree with the terms to proceed