My Life as an Internet Security Consultant

Tuesday, August 22, 2006

Detecting PHP Backdoors

c99shell.php
r57shell.php
php_shell.php
myshell.php
php_backdoor.php

http://img388.imageshack.us/img388/5003/c9928xp.jpg <-- c99shell.php

These are the PHP backdoors most commonly dropped by script kiddies today, and detecting them is simple. First go to your web directory (for example /var/www/web/): PHP backdoors are placed inside the web directory so that the attacker can reach them later through the web server and use them to access your system remotely. In the console just type this:

[root@me web]# grep -n -r 'system(' *

Most backdoors use the system() function to execute a command, so this lists every file and line that calls it. Expect some false positives, since legitimate code calls system() too, and keep in mind that some shells use exec(), shell_exec(), passthru() or popen() instead, or hide their code behind eval() and base64_decode(), so search for those as well. Note also that the * glob skips files and directories whose names begin with a dot; use grep -n -r 'system(' . to cover them.

But if your whole system has already been rooted, the grep command is useless, because the grep binary may already have been replaced by one that comes with the rootkit and hides the backdoor's files. In that case run a known-good grep from read-only media (a rescue CD or a statically linked copy), or verify the installed binary first with the package manager (for example rpm -V grep on an RPM-based system).