PHP Web Shell Backdoor Analyzing Scripts And Removing Malicious Codes

PHP Web Shell Backdoor: Analyzing Scripts And Removing Malicious Codes

Updated On:

PHP Web Shell Backdoor: PHP is the primary engine currently powering nearly any renowned CMS such as WordPress, Magento, Prestashop, etc. This server-side scripting language is so popular that it powers almost 80 percent of websites on the internet today. However, sites using PHP are also widely targeted by hackers as one exploit can work across all of them.

Often clever techniques are deployed to work maliciously behind the scenes. The PHP web shell backdoor is one such malicious script or program designed to infect your website secretly. PHP’s founder, Rasmus Lerdorf, asserts,

We’ve got a little more safety report out there other than some other languages. Almost all of these stuffs are practically local exploits, in the sense that you need to be on both the machine, and you need to be able to write PHP code.

new_releases

Threat Intelligence Platform (TIP): TIPs You Need During Cyber Threat Security

Table Of Contents

new_releases

Artificial Intelligence (AI) Voice Impersonation On Steroids – Means To Minimize Risks

What Is A PHP Web Shell Backdoor And Why Do I Get Infected?

These are basically malicious scripts and programs that are designed to perform a variety of malicious actions on your site. Simple web shells are command-based scripts. The PHP web shell enables remote management of your PHP server’s administration by attackers. The attackers can access it using a URL on the internet. More advanced web shells can however access the memory directly.

Often, these infections reoccur even after cleanup as they are designed for maintaining persistent access. Most of the backdoor uses various obfuscation techniques to evade detection. Some even implements complex algorithms to hide directly in memory.

new_releases

Sector-Based Security: Bad Bots Targeting The E-Commerce Sector

A PHP web shell can survive in your website in several forms. A few usual security factors, however, that allows towards this infection:

  • Weak or default Passwords.
  • Unrestricted PHP file upload.
  • Poor PHP site coding, enabling invalidated input.
  • Outdated PHP version.
  • Improper PHP configurations.
  • Weak file permissions of sensitive files.
  • Improper error reporting and disclosure of code.

What Can A PHP Web Shell Backdoor Do?

The generic backdoor PHP web shell enables attackers to operate commands like an administrator on your PHP server. At times, the attackers may also attempt to escalate privileges. Using this shell, the attackers can:

new_releases

Best Free Cloud Web Hosting with cPanel & Support 2019

  • Access any type of data on your server.
  • May use your server to mine cryptocurrency.
  • Can turn your server into a bot which obeys instructions from the attacker to churn out large amounts of spam.
  • And many more evil things!

PHP Web Shell Backdoor: Code Analysis

A generic backdoor PHP web shell operates with the following methods:

The first step is to initialize the system variables. The web shell implies that almost no errors are printed out to avoid detection while doing so. This is done by creating an x_die function. Whenever there is an error, messages regarding the issue are passed through this function. This function then uses the die() function of PHP to exit the current script.

PHP Web Shell Backdoor Code Analysis

The next step is to check if the web shell can execute commands on the PHP server. For this, the generic backdoor PHP web shell checks various executing functions of PHP like the exec(), system(), etc.

For this, the generic PHP web shell checks various executing functions of PHP like the exec(), system(), etc.

Thereafter, the PHP web shell verifies the system configurations and checks if those can be altered by the web shell. In case the configuration functions are not present, it simply passes a ‘can not config‘ message to the x_die() function.

new_releases

Information Security: Objectives, Types, And Applications Simplified

In case the configuration functions are not present, it simply passes a ‘can not config‘ message to the x_die() function.

Thereafter, it also checks for the safe mode on the PHP server. Safe mode of PHP is often deployed on shared servers. This is a feature which verifies that the process which has opened a particular file is run by a verified user. The web shell will stop much farther execution if the safe mode is activated.

if(x_ini_get(‘safe_mode’)){x_die(‘can not exec: safe mode active’);}

When all of these prerequisites are achieved, the web shell employs Windows Systems’ Superfetch service to execute commands.

new_releases

What Is Sircam Virus And How Its Legacy Began?

When all of these prerequisites are achieved, the web shell employs Windows Systems' Superfetch service to execute commands.

Detection And Removal

  1. Look up if you were infected with the generic backdoor PHP web shell by searching throughout all your PHP file’s source code.
  2. If it is hard to search manually, then choose the Grep command.
  3. Use the grep commands to search the dump of the web shell code inside your folders by this code:
    grep -r "dump of web shell" /folderToSearch/
  4. Just using the technique, it is possible to detect the generic web shell. However, this method has its own limitations as it can search only for one type of generic web shell.
  5. new_releases

    How To Secure wp-vcd.php Malware Attack In WordPress Websites And Stay Protected

  6. To search for other web shells you need to know the source code. To overcome this problem, you can use web shell detecting tools available for free on GitHub.
  7. Must not forget to inspect logs to detect the PHP web shell for any highly suspicious HTTP requests. Once you’ve identified it, remove the web shell.
  8. That when a PHP web shell dump is identified in any sensitive documents, contact any good web security specialist to remove and analyze further malware.
new_releases

Formjacking Now Reports Most Of Web Data Breach Infringements

Mitigation

  1. Stay up to date with your PHP version.
  2. Avoid using the default or weak passwords.
  3. Always check for any site misconfigurations.
  4. Ensure the file permissions are never set to 777 as it can allow anyone to edit your files!
  5. Ensure that while developing your PHP file, secure coding standards are met.
  6. Go for a comprehensive penetration testing to discover vulnerabilities in your PHP site.

Conclusion
It’s not just enough to erase the web shell to secure your website. Using the vulnerability on your website, the attackers can always upload a new shell. For an average user, detecting this vulnerability may not be easy. So, it is recommended to use a security solution to automate this process.

, , , , , , , , , , , , ,
Previous Post
Project Soli, Remastered: How Radar-Detected Gestures Might Differ Pixel 4
Next Post
WordPress Website “1800ForBail – One+Number” Or “1800ForBail”, “Blogname” Hack

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.
You need to agree with the terms to proceed

Menu

Pin It on Pinterest