/ Tanpa Label / Detect WebShell on PHP Web Server (how to)

Rabu, 28 Juni 2017

Detect WebShell on PHP Web Server (how to)

View the access log

See if there’s a file upload (POST method):
 
IPREMOVED - - [01/Mar/2013:06:16:48 -0600] "POST/uploads/monthly_10_2012/view.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"  
IPREMOVED - - [01/Mar/2013:06:12:58 -0600] "POST/public/style_images/master/profile/blog.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"

The default log format for nginx is:
 
access_log logs/access.log  
access_log logs/access.log combined

Find files containing malicious php code

Find the recent changes in the php file

  • find . -type f -name '*.php' -mtime -7

    -type f means that the normal search of normal files
    -mtime -7 that 7 * 24 hours to modify the file
The results may be as follows:
 
./uploads/monthly_04_2008/index.php
./uploads/monthly_10_2008/index.php
./uploads/monthly_08_2009/template.php
./uploads/monthly_02_2013/index.php

Find out if there is any suspected code in the file

find . -type f -name '*.php' | xargs grep -l "eval *(" --color  
find . -type f -name '*.php' | xargs grep -l "base64_decode *(" --color  
find . -type f -name '*.php' | xargs grep -l "gzinflate *(" --color  
find . -type f -name '*.php' | xargs grep -l "eval *(str_rot13 *(base64_decode *(" --color
Note: Many commands do not support pipelining parameters, but in fact need this, so it used the xargs command, the command can be used to pipe transmission parameters; grep-l said that only contains a string of file names, if removed – L The contents of the line matching the specified string are displayed
The meaning of several special strings:
  • eval() The string in accordance with the PHP code to implement, is the most common php Trojans
  • base64_decode() Will be the base64 string decoding, attack time payload is base64 encoding, then this function is useless
  • gzinflate() The string decompression processing, when the attack with gzdeflate payload compression, the use of this function for decompression
  • str_rot13() The string is encoded with rot13
Regular expressions can also be used to search for documents, can find code:
 
find . -type f -name '*.php' | xargs egrep -i "(mail|fsockopen|pfsockopen|stream\_socket\_client|exec|system|passthru|eval|base64_decode) *("  

The following explains webshell commonly used functions:
  • mail() Can be used to send spam to the site user
  • fsockopen() Open a network connection or a Unix socket connection that can be used to send remote requests for payload
  • pfsockopen() And fsockopen () role similar
  • exec() Command execution function
  • system() With the exec ()
  • passthru() With the exec ()
  • stream_socket_client() To establish a remote connection, examples are as follows:
<?php  
$fp = stream_socket_client("tcp://www.example.com:80", $errno, $errstr, 30);  
if (!$fp) {  
echo "$errstr ($errno)<br />\n";  
} else {  
fwrite($fp, "GET / HTTP/1.0\r\nHost: www.example.com\r\nAccept: */*\r\n\r\n");  
while (!feof($fp)) {  
echo fgets($fp, 1024);  
}  
fclose($fp);  
}  
?>
  • preg_replace()When the regular expression is modified by the modifier “e”, the replacement string needs to be executed in accordance with the php code before the substitution. This also needs to be taken into account. In this case,
find . -type f -name '*.php' | xargs egrep -i "preg_replace *\((['|\"])(.).*\2[a-z]*e[^\1]*\1 *," --color

Compares the code file

This situation requires a clean code, the code and the code being used to compare. E.g
diff -r wordpress-clean/ wordpress-compromised/ -x wp-content
The above example compares wordpress-clean / and wordpress-comprised directories, and the directory wp-content / subdirectory does not compare.

Search for writable directories

Look at the list of whether there are suspicious files, the following script to find the permissions for the 777 directory exists php file

#!/bin/bash
search_dir=$(pwd)  
writable_dirs=$(find $search_dir -type d -perm 0777)  
for dir in $writable_dirs  
do
#echo $dir
find $dir -type f -name '*.php'
done

Hackers often insert jpg php code in the document, so when inquiries in these directories have to query jpg files:
 
find wp-content/uploads -type f -iname '*.jpg' | xargs grep -i php

Note: -iname said the file name is not case-sensitive, grep-i also said that case-insensitive

The iframe tag is detected

Hackers often do is to embed iframe tags, so you can view the source code of the page, and search for the existence of iframe tags, you can use the following command:
 
grep -i '<iframe' mywebsite.txt

For dynamically generated pages can be used ff of Live HTTP Headers plug-in, and then downloaded to the source to find out whether the presence of iframe tag

Finds if there is a sensitive string in the database

Including% base64 _%,% eval (% <and so on some of the above-mentioned keywords

0x07 Examine the .htaccess file

Whether it contains auto_prepend_file and auto_append_file, use the following command
 
find . -type f -name '\.htaccess' | xargs grep -i auto_prepend_file  
find . -type f -name '\.htaccess' | xargs grep -i auto_append_file

Auto_prepend_file role is to load the current script file before loading the php script auto_append_file role is to load the current script file, and then load the php script. Hackers if so modified. Htaccess file, you can access. Htaccess directory php script, you want to load the load on the malicious script.
Htaccess file can also be used to hijack the traffic to the site to the hacker’s Web site,
 
RewriteCond %{HTTP_USER_AGENT}^.*hacker.*$  
Rewriterule ^(.*)$ http://www.hacker.com/muma.php [R=301]
 
 
source : http://ins-cyber.blogspot.co.id/2017/06/detect-webshell-on-php-web-server-how-to.html

Bagikan

Jangan lewatkan

Detect WebShell on PHP Web Server (how to)
4/ 5
Oleh
Komentar

Subscribe via email

Suka dengan artikel di atas? Tambahkan email Anda untuk berlangganan.

Langganan: Posting Komentar (Atom)