Detecting PHP Backdoors
c99shell.php
r57shell.php
php_shell.php
myshell.php
php_backdoor.php
http://img388.imageshack.us/img388/5003/c9928xp.jpg <-- c99shell.php
These are the common PHP backdoors in use today by script kiddies, and detecting them is simple. First go to your web directory (e.g. /var/www/web/), because PHP backdoors are placed in the web directory so that script kiddies can use them later to access your system remotely. In the console, just type this:
[root@me web]# grep -n -r 'system(' *
Most backdoors use the system() function to execute a command.
But if your whole system is already rooted, the 'grep' command is useless, because it has already been replaced by another 'grep' binary that comes from the rootkit.
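The check above as a small script, added here as an example (it is not from the original post). It looks for the file names listed at the top of this page and goes beyond the single system( pattern to other PHP functions that run commands. The function names and the GREP variable, which lets you point at a grep binary you trust, are assumptions of this example.

```shell
#!/bin/sh
# Added example: scan a web root for the backdoor file names listed on this
# page and for PHP calls that execute commands.

# Assumption: GREP may be set to a known-good grep (for example a copy kept on
# read-only media) for the case where the installed binary was replaced.
GREP="${GREP:-grep}"

# File names taken from the list on this page.
KNOWN_NAMES='c99shell.php r57shell.php php_shell.php myshell.php php_backdoor.php'

# system( from the page, plus other PHP functions that run commands. The
# leading group stops matches inside longer names such as curl_exec(.
EXEC_PATTERN='(^|[^[:alnum:]_])(system|exec|shell_exec|passthru|popen|proc_open)[[:space:]]*\('

# Print "NAME <path>" for every file named like a known backdoor.
find_known_names() {
    for name in $KNOWN_NAMES; do
        find "$1" -type f -name "$name" | sed 's/^/NAME /'
    done
}

# Print "CALL <path>:<line>:<text>" for each matching line in *.php files.
# -i because PHP function names are case-insensitive; /dev/null forces grep
# to print the file name even when only one file is passed.
find_exec_calls() {
    find "$1" -type f -name '*.php' \
        -exec "$GREP" -n -i -E "$EXEC_PATTERN" /dev/null {} + | sed 's/^/CALL /'
}

# Run both checks against one web root.
scan_webroot() {
    find_known_names "$1"
    find_exec_calls "$1"
}

# Usage: sh scan.sh /var/www/web
if [ "$#" -gt 0 ]; then
    scan_webroot "$1"
fi
```

A CALL line is only a lead: legitimate applications also call these functions, so each hit needs to be read in context.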

