Sunday, 12 October 2014

Backdoors on Web Applications

Different types of backdoors are used and deployed, depending on the kind of system/service being targeted, how stealthy the backdoor needs to be and how persistent. In this instance, we are discussing backdoors uploaded through Web Applications to your Web Server in order to give unauthorised third parties access.

Once a system is hacked, it makes immediate sense for the attacker to install/upload a "backdoor". This maximises the hacker's chances of keeping unauthorized remote access to that system at a later time. A system may be updated, a vulnerability may be patched, a security hole may be closed, a misconfiguration may be fixed. However, a well-hidden backdoor is not easy to notice or to remove. Moreover, fixing, updating and patching your system will not necessarily identify or remove the backdoor.

A backdoor on a Web Application may be called from a browser, like any other web page. It provides the necessary interface to upload/download additional files, view/modify existing files, retrieve system information, pass commands to the Operating System and automate a number of actions, such as performing a defacement and reporting it to zone-h [1].

What you can do:
Look through your log files for suspicious requests/traffic.
If possible, have a script running which checks for unknown files/directories in the file structure.
Also, you may look within the known files for commands or pieces of code which should not be there.

A quick way to search for functions that are not usually called by a legitimate script on your Web Server is to run the following command:
grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" /var/www/myWebsite/

However, sometimes the backdoor is encoded/obfuscated in order to avoid detection. For example, a custom PHP web shell may be obfuscated and also encrypted using a Python script called Weevely.
python weevely.py -g -o backdoor.php -p password

In that case the obfuscated code looks similar to this:
<?php
eval(base64_decode('fU0VSVRQX1JFRK.....a lot more characters in here.....mhKT09yAmJiBjb3ZGUo'));
?>
So, in this case the search should focus on the functions that do the decoding and execution:
grep -RPn "(eval|base64_decode) *\(" /var/www/myWebsite/

If you locate such a file, you may use unphp.net [2] to try to convert the obfuscated code into human-readable code.

One of the best-known web shells is C99.php [5], which apparently has been found to have a backdoor itself!!! More specifically, to bypass authentication add: "?c99shcook[login]=0" to the URL e.g. http://127.0.0.1/c99.php?c99shcook[login]=0
Also, a basic ASP.NET shell called aspxshell.aspx, once uploaded to a server, can be used to execute shell commands and upload/download/delete files [6].

CAUTION: Before you start browsing the web for known backdoor shells, be warned. Some of them have been "backdoored" intentionally.
Before you download anything, you must read this blog post on thehackerblog.com, which explains it best [7].
If you have read the above, then you may proceed at your own risk to these sites and take a look at the shells being offered: www[.]r57.gen[.]tr. / www[.]fulltools[.]net


Have you heard about NeoPI?
NeoPI is a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content within text/script files. The intended purpose of NeoPI is to aid in the detection of hidden web shell code. The development focus of NeoPI was creating a tool that could be used in conjunction with other established detection methods such as Linux Malware Detect or traditional signature/keyword based searches.

NeoPI recursively scans through the file system from a base directory and will rank files based on the results of a number of tests. It also presents a “general” score derived from file rankings within the individual tests. [4]
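
The ranking approach described above, as an added example (not NeoPI's code and not from the original post): two statistical tests chosen here as assumptions, Shannon entropy and longest unbroken string, are run over every .php file under a base directory and combined into a general score. The function names and the two sample files are hypothetical and constructed for the demonstration.

```python
import base64
import math
import os
import tempfile
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encoded or encrypted blobs score higher than plain source."""
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values()) if total else 0.0

def longest_token(data: bytes) -> int:
    """Longest run of non-whitespace bytes: an encoded payload is one very long run."""
    return max((len(t) for t in data.split()), default=0)

def rank_files(base_dir, extensions=(".php",)):
    """Return [(path, entropy, longest_token, score)]; score 0 means top of both tests."""
    stats = {}
    for root, _dirs, files in os.walk(base_dir):
        for name in files:
            if name.lower().endswith(extensions):
                path = os.path.join(root, name)
                with open(path, "rb") as fh:
                    data = fh.read()
                stats[path] = (shannon_entropy(data), longest_token(data))
    score = dict.fromkeys(stats, 0)
    for test in (0, 1):  # rank each test separately, then sum the positions
        ordered = sorted(stats, key=lambda p: stats[p][test], reverse=True)
        for position, path in enumerate(ordered):
            score[path] += position
    return sorted(((p, *stats[p], score[p]) for p in stats), key=lambda r: r[3])

def demo():
    """Build two constructed sample files in a temp dir and rank them."""
    payload = base64.b64encode(bytes(range(256)) * 3).decode()  # harmless constructed blob
    samples = {
        "contact.php": '<?php\n$title = "Contact us";\necho "<h1>" . htmlspecialchars($title) . "</h1>";\n?>\n',
        "cache/thumb.php": "<?php\neval(base64_decode('" + payload + "'));\n?>\n",
    }
    with tempfile.TemporaryDirectory() as base:
        for rel, body in samples.items():
            full = os.path.join(base, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        return [(os.path.relpath(p, base), round(e, 2), t, s) for p, e, t, s in rank_files(base)]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A file that tops both tests is a candidate for manual review, not a verdict: minified libraries and embedded images also score high, which is why such rankings are used alongside the keyword searches shown earlier.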

[1] http://www.zone-h.org/archive
[2] http://www.unphp.net
[3] http://www.exploit-db.com/exploits/34025/
[4] https://github.com/Neohapsis/NeoPI
[5] http://packetstormsecurity.com/files/download/69206/c99.tgz
[6] http://packetstormsecurity.com/UNIX/penetration/aspxshell.aspx.txt
[7] http://thehackerblog.com/hacking-script-kiddies-r57-gen-tr-shells-are-backdoored-in-a-way-you-probably-wouldnt-guess/
