How to Detect WebShell on PHP Web Server

BY DO SON · PUBLISHED DECEMBER 29, 2016 · UPDATED SEPTEMBER 1, 2017

View the access log

See if there’s a file upload (POST method):

IPREMOVED - - [01/Mar/2013:06:16:48 -0600] "POST/uploads/monthly_10_2012/view.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"  
IPREMOVED - - [01/Mar/2013:06:12:58 -0600] "POST/public/style_images/master/profile/blog.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"  

The default log format for nginx is:

access_log logs/access.log  
access_log logs/access.log combined  

Find files containing malicious php code

Find the recent changes in the php file

• find . -type f -name '*.php' -mtime -7  
  

  -type f means that the normal search of normal files
  -mtime -7 that 7 * 24 hours to modify the file

The results may be as follows:

./uploads/monthly_04_2008/index.php
./uploads/monthly_10_2008/index.php
./uploads/monthly_08_2009/template.php
./uploads/monthly_02_2013/index.php

Find out if there is any suspected code in the file

find . -type f -name '*.php' | xargs grep -l "eval *(" --color  
find . -type f -name '*.php' | xargs grep -l "base64_decode *(" --color  
find . -type f -name '*.php' | xargs grep -l "gzinflate *(" --color  
find . -type f -name '*.php' | xargs grep -l "eval *(str_rot13 *(base64_decode *(" --color 

Note: Many commands do not support pipelining parameters, but in fact need this, so it used the xargs command, the command can be used to pipe transmission parameters; grep-l said that only contains a string of file names, if removed – L The contents of the line matching the specified string are displayed

The meaning of several special strings:

• eval() The string in accordance with the PHP code to implement, is the most common php Trojans
• base64_decode() Will be the base64 string decoding, attack time payload is base64 encoding, then this function is useless
• gzinflate() The string decompression processing, when the attack with gzdeflate payload compression, the use of this function for decompression
• str_rot13() The string is encoded with rot13

Regular expressions can also be used to search for documents, can find code:

find . -type f -name '*.php' | xargs egrep -i "(mail|fsockopen|pfsockopen|stream\_socket\_client|exec|system|passthru|eval|base64_decode) *("  

The following explains webshell commonly used functions:

• mail() Can be used to send spam to the site user
• fsockopen() Open a network connection or a Unix socket connection that can be used to send remote requests for payload
• pfsockopen() And fsockopen () role similar
• exec() Command execution function
• system() With the exec ()
• passthru() With the exec ()
• stream_socket_client() To establish a remote connection, examples are as follows:

<?php  
$fp = stream_socket_client("tcp://www.example.com:80", $errno, $errstr, 30);  
if (!$fp) {  
    echo "$errstr ($errno)<br />\n";  
} else {  
    fwrite($fp, "GET / HTTP/1.0\r\nHost: www.example.com\r\nAccept: */*\r\n\r\n");  
    while (!feof($fp)) {  
        echo fgets($fp, 1024);  
    }  
    fclose($fp);  
}  
?>

• preg_replace()When the regular expression is modified by the modifier “e”, the replacement string needs to be executed in accordance with the php code before the substitution. This also needs to be taken into account. In this case,

find . -type f -name '*.php' | xargs egrep -i "preg_replace *\((['|\"])(.).*\2[a-z]*e[^\1]*\1 *," --color  

Compares the code file

This situation requires a clean code, the code and the code being used to compare. E.g

diff -r wordpress-clean/ wordpress-compromised/ -x wp-content

The above example compares wordpress-clean / and wordpress-comprised directories, and the directory wp-content / subdirectory does not compare.

Search for writable directories

Look at the list of whether there are suspicious files, the following script to find the permissions for the 777 directory exists php file

#!/bin/bash
search_dir=$(pwd)  
writable_dirs=$(find $search_dir -type d -perm 0777)  
for dir in $writable_dirs  
    do
        #echo $dir
        find $dir -type f -name '*.php'
done

Hackers often insert jpg php code in the document, so when inquiries in these directories have to query jpg files:

find wp-content/uploads -type f -iname '*.jpg' | xargs grep -i php

Note: -iname said the file name is not case-sensitive, grep-i also said that case-insensitive

The iframe tag is detected

Hackers often do is to embed iframe tags, so you can view the source code of the page, and search for the existence of iframe tags, you can use the following command:

grep -i '<iframe' mywebsite.txt

For dynamically generated pages can be used ff of Live HTTP Headers plug-in, and then downloaded to the source to find out whether the presence of iframe tag

Finds if there is a sensitive string in the database

Including% base64 _%,% eval (% <and so on some of the above-mentioned keywords

0x07 Examine the .htaccess file

Whether it contains auto_prepend_file and auto_append_file, use the following command

find . -type f -name '\.htaccess' | xargs grep -i auto_prepend_file  
find . -type f -name '\.htaccess' | xargs grep -i auto_append_file

Auto_prepend_file role is to load the current script file before loading the php script auto_append_file role is to load the current script file, and then load the php script. Hackers if so modified. Htaccess file, you can access. Htaccess directory php script, you want to load the load on the malicious script.

Htaccess file can also be used to hijack the traffic to the site to the hacker’s Web site,

RewriteCond %{HTTP_USER_AGENT}^.*hacker.*$  
Rewriterule ^(.*)$ http://www.hacker.com/muma.php [R=301]

SHARE