Forum Thread: (Python Toolkit) Detect Web Shells and Backdoors and Find Malicious PHP Scripts in Your Site

Hello everyone!

Before I begin, I have to say that this is my first "HOW-TO" on Null Byte. Actually I'm new here, so please excuse my weak English. Let's start!

As described in the title, I'm gonna introduce to you my script that I've just put on GitHub: a smart toolkit that will find and identify PHP shells, backdoors and malicious, hidden and even suspicious scripts in your site files. If you don't know what a backdoor is... well, it's a back door!

A backdoor shell is a malicious piece of code (e.g. PHP, Python, Ruby) that can be uploaded to a site to gain access to files stored on that site. Once it is uploaded, the hacker can use it to edit, delete, or download any files on the site, or upload their own.

Got it? A well-known script like C99 is a backdoor. Now you understand what a backdoor is, but wait! Why?

Frequently, if a hacker gets access to your website they will install a "backdoor" designed to allow them to hack your site again even after you've cleaned up the site, repaired the vulnerability that allowed them to hack the site, changed passwords, updated CMS/themes/plugins, installed security plugins, etc. Until it is found and removed, a "backdoor" is going to provide the hacker with access to your site.

But it doesn't have to be something like a "C99" or "r57" shell; here is an example of a tiny yet malicious backdoor:
<?php @passthru($_GET['c']); ?>

This function is used to execute a system command like ifconfig or ls, so imagine how you would detect this little guy in a website with thousands of PHP files. Well, it's not that hard for an expert or someone who knows what he's doing. I agree that grep is great... but, compared to the ways backdoors are being hidden, it's useless. I'm gonna explain why and provide more information, but after explaining our toolkit and the way it works.

I call it PHP-backdoor-detector; you can view the source code and download it from its GitHub page here. What it does, basically, is scan all your site files, including PHP, JavaScript, CSS, etc., in order to find any, any, I mean any! suspicious or malicious scripts/code/expressions/behaviors. All you have to do is point it to the root directory of your website (or any directory that contains the files that need to be scanned) and drink your coffee...

What makes it different from other tools and scripts out there is that most of them use web shell signature databases to identify web shells. But as I said before, even a kid will easily find a workaround, easily! (Read until the end to know how.)

What about anti-viruses? The problem with them is that 99% of them won't detect even malicious PHP functions like system or exec or eval... and so on.

I tested my own application and compared it to others (and also anti-viruses), and the surprise was that none of them detected a good backdoor like the ones that weevely generates (it is commonly used for web application post-exploitation...) but my tool does detect it! Cool, right?

But that doesn't mean that I don't use the APIs of those services, so that the toolkit will be much more powerful.

  • OK, enough boring details. What are the requirements?

All you need is at least Python 2 installed and the requests library (already installed in most Linux-based distributions like Kali Linux and BackBox).

(optional) If you want more checks from well-known, top anti-viruses, you can sign up at VirusTotal, copy your API key and put it in the variable apiKey in the script at line 115, so that each file will also be checked by them.

  • How to use it?

Simply open a terminal in the same folder as the php-backdoor-detector.py file and enter the following command:
python php-backdoor-detector.py /var/www/html/evil
(optional) You may want to chmod the script with:
chmod +x php-backdoor-detector.py
to make it executable, so that you can use it this way:
./php-backdoor-detector.py /var/www/html/evil

  • How to test it?

Just download some nasty PHP backdoors and shells (deobfuscated and obfuscated) and mix them with some innocent PHP scripts or a CMS installation like WordPress. Or generate a weevely backdoor, which is considered hard to detect, and put it in the scanned directory too, something like:

weevely generate password /var/www/html/evil/editor/css/random/a/b/c/d/e/nice.php
And it will be caught!

Some of you may wonder why I mentioned JavaScript and CSS files, etc., and why they are scanned. Simply because nothing is safe! The attacker may put this in a PHP file:

require('bootstrap.js');
and put this code in the bootstrap.js file:
<?php eval(...);

You got it, right? .htaccess can be used too. But I can't write more, as this article is getting big and also I'm tired of typing!

The last example is an innocent-looking script:
<?php
$f="pa"."ss"."th"."ru";
$f($_REQUEST['x']);
OR (last line):
${'f'}($_REQUEST['x']);
And yeah! It is detected by the script.
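To show the kind of textual heuristics that catch the cases above (the one-line passthru backdoor, the "pa"."ss"."th"."ru" concatenation, the ${'f'} variable function and a require() of a .js file), here is an added example scanner. It is my own illustration, not code from the PHP-backdoor-detector project; the rule names, file extensions and sample inputs are constructed.

```python
import os
import re

# Added example, not the project's own code: a few textual heuristics of the
# kind such a scanner applies. Rule names and sample files are constructed.
DANGEROUS = "passthru|system|exec|shell_exec|eval|assert|popen|proc_open"
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"
RULES = [
    ("dangerous_call", re.compile(r"\b(?:%s)\s*\(" % DANGEROUS)),
    # $f = "passthru";  (only visible once "pa"."ss"."th"."ru" has been folded)
    ("dangerous_name_in_string", re.compile(r"""\$\w+\s*=\s*["'](?:%s)["']""" % DANGEROUS)),
    # $f($_REQUEST['x']): request input passed straight into a variable function
    ("input_to_variable_function", re.compile(r"\$\w+\s*\(\s*" + SUPERGLOBAL)),
    # ${'f'}(...): variable-variable syntax used as a callable
    ("brace_variable_function", re.compile(r"""\$\{\s*["']\w+["']\s*\}\s*\(""")),
    # require('bootstrap.js'): PHP pulled in from a file with a non-PHP extension
    ("require_non_php", re.compile(
        r"""\b(?:require|include)(?:_once)?\s*\(?\s*["'][^"']+\.(?:js|css|txt|png|jpg|gif|ico)["']""")),
]
PHP_EXT = (".php", ".phtml", ".php3", ".php4", ".php5", ".phar", ".inc")
CONCAT = re.compile(r"""(["'])([^"']*)\1\s*\.\s*(["'])([^"']*)\3""")

def fold_concat(src):
    """Collapse "pa"."ss"."th"."ru" into "passthru" so the name rules still fire."""
    prev = None
    while prev != src:
        prev, src = src, CONCAT.sub(lambda m: '"%s"' % (m.group(2) + m.group(4)), src)
    return src

def scan_source(filename, src):
    """Return the names of the rules that fire for one file's contents."""
    findings = []
    folded = fold_concat(src)
    if not filename.lower().endswith(PHP_EXT) and "<?php" in folded:
        findings.append("php_tag_in_non_php_file")
    findings += [name for name, rx in RULES if rx.search(folded)]
    return findings

def scan_tree(root):
    """Walk a directory (e.g. a web root) and map each flagged path to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                hits = scan_source(fn, fh.read().decode("utf-8", "ignore"))
            if hits:
                report[path] = hits
    return report
```

Calling scan_tree("/var/www/html/evil") returns a dict of flagged paths to rule names; expect false positives on legitimate uses of assert() or exec(), which is why such a report is a triage list, not a verdict.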

Finally, I hope this is useful for someone. Please don't hesitate to leave your comments and requests below, and feel free to submit issues or improvements to the project so that we can make it the "beast". Have a nice day, and once again excuse my English.
