My Life as an Internet Security Consultant

Tuesday, August 22, 2006

Detecting PHP Backdoors

c99shell.php
r57shell.php
php_shell.php
myshell.php
php_backdoor.php

http://img388.imageshack.us/img388/5003/c9928xp.jpg <-- c99shell.php

These are the common PHP backdoors being used today by script kiddies, and detecting them is simple. First go to your web directory (e.g. /var/www/web/), because PHP backdoors are placed in the web directory so that the script kiddie can come back later and access your system remotely through them. In the console, just type this:

[root@me web]# grep -n -r 'system(' *

Most backdoors use the system() function to execute commands, so a recursive search for it turns them up.

But if your whole system has already been rooted, the ‘grep’ command is useless, because the rootkit will already have replaced it with its own ‘grep’ binary.

2 Comments:

  • I've just had an issue with r57shell being added to my server thanks to it being supplied less than secure.

    Searching google, it looks like quite the common script and a lot of people haven't bothered to fix it.
    http://www.google.com/search?hl=en&lr=&q=intitle%3Ar57shell+%2Buname+-bbpress+-ihackstuff&btnG=Search

    By Blogger MrEViL, at 3:10 PM  

  • Further to my last comment.
    We found that r57shell.php had been added.
    Our server used Suexec to include PHP5 via a CGI-Wrapper, and it appears that this was used to get the rootkit on to the server.

    The site that had the original scripts that got through the security hole has since been removed by myself (words like Computer Misuse Act and criminal liability get sites removed quickly).

    I've since found no real solution to fixing this problem as to use the SUEXEC method of inclusion requires that PHPSafeMode is disabled per account.

    So much so that I've ended up just installing PHP5 as the base, but as you would expect after an attack, the server is receiving a hell of a lot of attempts to brute force the shell.

    By Blogger MrEViL, at 1:45 AM  
