Lets grep a Backdoor!


August 23, 2013 by globz

Do you want to monitor your web server for malicious code, let's say a PHP backdoor?

Well, there are many ways of doing this, but here's an easy one that you can set up in no time and that adds one more layer to your defenses.

Here's a list of names commonly found in PHP backdoors and web shells. Most are PHP built-in functions that legitimate code uses too (so expect false positives); a few, such as edoced_46esab (base64_decode spelled backwards, for the strrev trick), tcpflood, udpflood and python_eval, are not PHP built-ins at all but function names that appear in well-known shell scripts:

apache_child_terminate
assert
base64_decode
bzopen
chgrp
chmod
chown
copy
create_function
curl_exec
curl_multi_exec
edoced_46esab
eval
exec
exif_imagetype
exif_read_data
exif_thumbnail
extract
fclose
file
file_exists
file_get_contents
file_put_contents
fileatime
filectime
filegroup
fileinode
filemtime
fileowner
fileperms
filesize
filetype
fopen
fsockopen
ftp_get
ftp_nb_get
ftp_nb_put
ftp_put
get_meta_tags
getimagesize
glob
gzfile
gzopen
hash_file
hash_hmac_file
hash_update_file
highlight_file
image2wbmp
imagecreatefromgif
imagecreatefromjpeg
imagecreatefrompng
imagecreatefromwbmp
imagecreatefromxbm
imagecreatefromxpm
imagegd
imagegd2
imagegif
imagejpeg
imagepng
imagewbmp
imagexbm
ini_set
iptcembed
is_dir
is_executable
is_file
is_link
is_readable
is_uploaded_file
is_writable
is_writeable
lchgrp
lchown
link
linkinfo
lstat
mail
md5_file
mkdir
move_uploaded_file
parse_ini_file
parse_str
passthru
pathinfo
pcntl_exec
pfsockopen
php_strip_whitespace
phpinfo
popen
posix_kill
posix_mkfifo
posix_setpgid
posix_setsid
posix_setuid
preg_replace
proc_close
proc_nice
proc_open
proc_terminate
putenv
python_eval
read_exif_data
readfile
readgzfile
readlink
realpath
rename
rmdir
sha1_file
shell_exec
show_source
stat
str_replace
symlink
system
tcpflood
tempnam
tmpfile
touch
udpflood
unlink

With this list we can summon grep and create a simple cron job that searches for those patterns at a regular interval.

This is useful on its own, but grep will produce a lot of noise (most of these functions appear in perfectly legitimate code), and we don't want to read through the logs by hand to find a backdoor. This is where diff comes in handy!

 

Let's configure a reliable setup with minimal noise that is easy to read.

Here's the plan:

tl;dr:

#Use grep to scan all PHP and txt files in a trusted copy of the site (a backup) and write the per-file match counts to source.txt

#Use grep to scan all PHP and txt files on the live server and write the per-file match counts to results.txt

#Use diff to compare source.txt against results.txt and, if it trips, alert me!

In detail:

We first need a trusted source to verify each new result against. I recommend running grep with the pattern list on a copy of your root folder taken from a backup, or from any place that has never been exposed on the live web, and writing the output to source.txt. One caveat: grep prints the path of every file it counts, so the trusted copy must be scanned with the same path prefix as the live root (restore the backup to the same path, or cd into each root and scan "." in both cases); otherwise every line of the two files differs and diff trips on the very first run.

Now let's create a Backdoor Monitoring script:

 

#!/bin/bash

#------------------------------------------------#
# Backdoor Monitoring script
#------------------------------------------------#

SEARCH_DIR="your_path/"

# -R  recurse into SEARCH_DIR (following symlinks)
# -c  print the number of matching lines per file, as path:count
# -w  match whole words only, so "eval" does not hit "retrieval"
# -f  read one pattern per line from patterns.txt (the list above)
# The output is overwritten (>) rather than appended (>>) so that a run after a
# tripped diff does not pile a second copy onto results.txt, and sorted so the
# order does not depend on directory traversal.
grep -Rcw --include='*.php' --include='*.txt' -f patterns.txt "$SEARCH_DIR" | sort > logs/results.txt

exit 0

As you can see, this script searches every .php and .txt file for each entry in patterns.txt (the list above). Because of -c the output is one line per file in the form path:count, where count is the number of lines in that file matching at least one pattern (not the number of individual matches, and 0 for files with no match); that is what ends up in results.txt.

 

Then we can monitor the results with the following script :

#!/bin/bash

#------------------------------------------------#
# Diff Backdoor Monitoring results
#------------------------------------------------#

# diff exits 0 when the files are identical, 1 when they differ and 2 on error
# (for example when results.txt is missing), so anything but 0 lands in the
# alert branch and the differing lines are printed for the alert mail.
if diff logs/source.txt logs/results.txt ; then
    rm logs/results.txt
else
    echo 'diff tripped on results.txt != source.txt Please investigate!'
    exit 1
fi

Remember source.txt? diff compares results.txt against it. If they match, the script deletes results.txt; the next run of the Backdoor Monitoring script creates a fresh results.txt, diff compares it again, and so on... until it trips!

The day diff trips on your results you will see output like the following:

 

26c26
< script/autocomplete.php:4
---
> script/autocomplete.php:6
42c42
< parsers/grooveshark_parser.php:5
---
> parsers/grooveshark_parser.php:6
57c57
< register/index.php:2
---
> register/index.php:3

diff tripped on results.txt != source.txt Please investigate!

This is easy to read and understand. Let's take a look at this example:

  • script/autocomplete.php:4

vs

  • script/autocomplete.php:6

In source.txt, script/autocomplete.php had 4 lines matching our pattern list. We know for sure there is no backdoor in the trusted copy, so those 4 are simply "false positives" that we accept.

When diff compared both files it noticed the count for autocomplete.php had grown from 4 to 6, therefore it tripped and sent us an alert!

Maybe it wasn't a real backdoor; you will have to investigate the files yourself, because you may have created more "false positives" by adding new lines of code or new files (a new file shows up as a new path:count line, even when its count is 0). Keep in mind what this check cannot see: the count only moves when the number of matching lines changes, so a backdoor that replaces an existing matching line, or one that avoids every name on the list (for example by calling a function through a variable), will not trip it. Treat it as one layer of defense, not the only one.

If that's the case and none of the files in your report contain a backdoor, simply move results.txt over source.txt (mv logs/results.txt logs/source.txt) and voila, you have a new, updated source file! Do this only after actually reading the flagged lines, because a rebuilt baseline silently accepts whatever is in the live tree.

Now you can simply monitor this log, inspect suspicious files, and rebuild your source whenever you make changes to your root folder.
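Here is the whole loop (baseline scan, live scan, diff, and the investigation step) in one self-contained shell script, as an added example and not the original post's scripts. The web root, the trusted copy, the four-entry pattern list and the backdoored autocomplete.php are all constructed inline so it runs offline; the function names scan, compare, changed_files and triage are my own. Both trees are scanned from their own root as ".", which is what keeps the paths in source.txt and results.txt comparable.

```shell
#!/bin/sh
# Added example: baseline/scan/diff/triage over a constructed sample tree.
# Nothing here is from the original post; paths and function names are assumptions.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed pattern list: a small subset of the list above, one name per line.
cat >"$WORK/patterns.txt" <<'EOF'
eval
base64_decode
file_get_contents
system
EOF

# Constructed "trusted" copy of the web root (what you would take from a backup).
mkdir -p "$WORK/trusted/script" "$WORK/live/script"
cat >"$WORK/trusted/script/autocomplete.php" <<'EOF'
<?php
$terms = file_get_contents('terms.json');
echo json_encode(explode("\n", $terms));
EOF
cat >"$WORK/trusted/index.php" <<'EOF'
<?php
echo "hello";
EOF

# Constructed live copy: same files, but autocomplete.php has gained a backdoor line.
cp "$WORK/trusted/index.php" "$WORK/live/index.php"
cat >"$WORK/live/script/autocomplete.php" <<'EOF'
<?php
$terms = file_get_contents('terms.json');
echo json_encode(explode("\n", $terms));
@eval(base64_decode($_POST['c']));
EOF

# scan ROOT PATTERNS -> one "./relative/path:count" line per .php/.txt file,
# counted from inside ROOT so both trees produce comparable paths, and sorted
# so the output does not depend on directory traversal order.
scan() {
    ( cd "$1" && grep -rcw --include='*.php' --include='*.txt' -f "$2" . ) | sort
}

# compare BASELINE RESULTS -> exit 0 if identical, 1 if something changed;
# diff's own output stays on stdout so it can go into the alert mail.
compare() {
    diff "$1" "$2"
}

# changed_files BASELINE RESULTS -> paths whose count changed or that are new,
# taken from the ">" side of diff's normal output.
changed_files() {
    diff "$1" "$2" | sed -n 's/^> \(.*\):[0-9]*$/\1/p'
}

# triage ROOT PATTERNS FILE -> the matching lines of FILE with line numbers,
# which is what a human actually needs to read to decide if it is a backdoor.
triage() {
    ( cd "$1" && grep -nw -f "$2" "$3" )
}

scan "$WORK/trusted" "$WORK/patterns.txt" >"$WORK/source.txt"
scan "$WORK/live"    "$WORK/patterns.txt" >"$WORK/results.txt"

if compare "$WORK/source.txt" "$WORK/results.txt" >/dev/null; then
    echo "clean: results.txt matches source.txt"
else
    echo "diff tripped, investigate:"
    changed_files "$WORK/source.txt" "$WORK/results.txt" | while read -r f; do
        echo "== $f"
        triage "$WORK/live" "$WORK/patterns.txt" "$f"
    done
fi
```

Run as-is it reports that ./script/autocomplete.php went from 1 matching line to 2 and prints both lines, the legitimate file_get_contents call and the injected eval(base64_decode(...)). Note that -c counts lines, so the eval line counts once even though it hits two patterns.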

 

Tips:

#Read the grep manual (man grep) to learn more about its syntax

#Read the diff manual (man diff) to learn more about its syntax

#Create a logs folder and change its permissions to 700

#Change the permissions of both scripts to 700

#Pipe the output of your cron job to mail (or set MAILTO in the crontab) so the alert actually reaches you

