Linux PHP and Website Security

Scanning Backdoor Shells and Rootkits in Your Website

Is your website acting weird and kinda slow? Is your netstat showing a connection established to IRC (Internet Relay Chat)?

Then your box may have been backdoored, or a rootkit or bot script may have been uploaded to it. You should fix it now by removing the rootkits, backdoors and malicious scripts, or else you could get banned or blacklisted.

Because most websites are hosted on Linux and BSD, we will kill those backdoors using command line kung-fu and Open Source tools.

Ninja Tools

There are many Open Source and free tools you can download today. You can try out Bothunter, a network-based botnet diagnosis system that tracks the two-way communication flows between your computer and the Internet.

And because we need to make sure we are totally safe from common rootkits that Bothunter may not detect, we can use Chkrootkit, another Open Source program, which is fully tested on: Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x, FreeBSD 2.2.x, 3.x, 4.x, 5.x and 7.x, OpenBSD 2.x, 3.x and 4.x, NetBSD 1.6.x, Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11, Tru64, BSDI and Mac OS X. Or you can download the popular Rootkit Hunter (Open Source GPL rootkit scanner).

Command Line Kung-Fu

Just this afternoon, a friend of mine from CEGNULUG (Cebu GNU Linux User Group) asked me about the success rate of scanners and rootkit hunters, and I told him ‘50%’. Why? Take antivirus as an example: Antivirus A could detect a certain virus or malware that Antivirus B could not, and Antivirus B could detect a sample RAT (Remote Access Tool) that Antivirus A could not.

And so the command line in the terminal comes to the rescue! We are going to search for a list of PHP functions commonly used by backdoor shells and malicious scripts. Now, for PHP beginners: please don’t just delete a file because it shows up in the results of one of the command lines I will be writing below. Use your common sense while inspecting the code our command line kung-fu scripts detect. Below are some PHP functions that most PHP backdoor shells use (edoced_46esab is base64_decode spelled backwards, as used by scripts that hide the call behind strrev()):

passthru
shell_exec
system
phpinfo
base64_decode
edoced_46esab
chmod
mkdir

fopen
fclose
readfile

Alright, let’s start inspecting our box:

1. Determine the default directory by typing:

pwd

The results should show something like this: /home/id or /root

2. Use grep to search for suspicious files using the common functions that most backdoor shells call:

grep -Rn "passthru *(" /home/id

grep -Rn "shell_exec *(" /var/www

After running the command, you should see the files (with line numbers) that contain calls to the functions you grepped for. You can also combine all the searches into one command like this (with -P the pattern is a Perl regex, so the trailing parenthesis has to be escaped or grep will complain about an unclosed group):

grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" public_html
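To turn the two steps above into something you can re-run on a schedule, here is a small scanner script. It is an added example and not code from the original post: it wraps the combined grep in a function, uses grep -E (POSIX ERE) instead of -P so it also works with BSD grep, matches a listed name only as a whole word so a function such as mysystem( is not flagged, and builds two constructed PHP files (one clean page, one carrying two calls from the list) in a temporary directory to show the output. The web root path is an assumed argument; pass /var/www or public_html when using it for real.

```shell
#!/bin/sh
# Added example, not code from the original post: scan a web root for the PHP
# functions listed above and report each matching file and line. Uses grep -E
# (POSIX ERE) rather than -P so it also runs under BSD grep.

# Function names from the post's list. edoced_46esab is base64_decode reversed,
# as used by scripts that hide the call behind strrev().
SUSPICIOUS_FUNCS='passthru|shell_exec|system|phpinfo|base64_decode|edoced_46esab|chmod|mkdir|fopen|fclose|readfile'

# Match a listed name only as a whole word (so "mysystem(" is skipped),
# followed by optional spaces and a literal "(" -- escaped, because in ERE a
# bare "(" opens a group.
PATTERN="(^|[^A-Za-z0-9_])(${SUSPICIOUS_FUNCS}) *\\("

# scan_php_webroot DIR: print "file:line:content" for every hit in *.php
# files under DIR. Exit status is grep's: 0 with at least one hit, 1 if none.
scan_php_webroot() {
    grep -REn --include='*.php' "$PATTERN" "$1"
}

# count_hits DIR: number of matching lines under DIR (0 when clean).
count_hits() {
    scan_php_webroot "$1" | wc -l | tr -d ' '
}

# make_sample_webroot: build a constructed web root in a temp directory with
# one clean page and one file carrying calls from the list; prints the path.
make_sample_webroot() {
    sample_dir=$(mktemp -d "${TMPDIR:-/tmp}/phpscan.XXXXXX")
    mkdir -p "$sample_dir/uploads"
    cat > "$sample_dir/index.php" <<'EOF'
<?php
// constructed benign page: nothing from the list is called
echo "Hello, world";
EOF
    cat > "$sample_dir/uploads/image.php" <<'EOF'
<?php
// constructed sample with two calls that the scan should flag
system('uptime');
$data = base64_decode("aGVsbG8=");
EOF
    echo "$sample_dir"
}

# Demo run over the constructed web root (replace with a real path such as
# /var/www or public_html when scanning a live box), then clean up.
SAMPLE=$(make_sample_webroot)
echo "Scanning $SAMPLE ..."
scan_php_webroot "$SAMPLE" || echo "no suspicious calls found"
echo "Total hits: $(count_hits "$SAMPLE")"
rm -rf "$SAMPLE"
```

On the sample, only uploads/image.php is reported, at lines 3 and 4. On a real web root expect hits in legitimate code too (fopen, mkdir and chmod are everywhere in CMS and plugin code), so treat the list as a starting point for inspection, as the post says, and pay special attention to PHP files in upload, cache or image directories where no PHP should live.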

Reference:

http://25yearsofprogramming.com/blog/2010/20100315.htm
