Demystifying a Backdoor Shell

20.9.11 Posted by: ROOTCON

Last July 29, 2011, I was able to give a talk about Backdoor Shells and IRC (Internet Relay Chat) Bots in Techbar Cebu for the Cebu Linux Users Group (CEGNULUG) Talk.  In the said talk I explained and showed what a backdoor shell is and how it can be a chronic threat to all websites. I also showed how to run an IRC Bot using the backdoor shell I have. The purpose of my topic was to promote security awareness and to give idea about the backdoor shell’s hidden danger.

So what is a backdoor shell? A backdoor shell is a piece of code in PHP, ASP, JSP, etc. which can be uploaded to a site to gain access to files stored on the website. Once it is uploaded, the cracker could use it to edit, delete, and download any files on the website, or could even upload their own.

Now, there are many ways of how a site gets backdoored, it could be due to website vulnerability attacks or exploits like SQLI (Structured Query Language Injection), RFI (Remote File Inclusion), LFI (Local File Inclusion), FTP (File Transfer Protocol) Bruteforce Attacks, Sniffing, XSS (Cross Site Scripting), etc. There are many to mention but these are the most common attacks.

PHP Backdoor shells are the most used backdoor shells because most of the websites are coded in PHP. These kind of backdoor shells are like terminal emulators wherein you can execute UNIX and bash commands which allow crackers and defacers to manipulate the server or the operating system your website is currently hosted.

So how risky could it be? Well first of all, your site could get defaced on the index page which is really shameful or the cracker could use the website as a scam page or a phishing site. Shells could also be used to gain the root access of the site if it’s a Linux server. Crackers could also use your site for spamming and for hosting their botnets. Crackers could spread the backdoor shell across your files for backup purposes. And worst of all, the site could then be used to host their denial-of-service (DoS) or distributed denial-of-service attack (DDoS) shells (ex. host booter).

According to Zone-H, they archived 1,419,203 defaced web­sites. Linux became the most used OS for web servers and of course the pre­ferred target for the defacers. Why? Because of certain benefits and many things a defacer or a cracker could play around like putting a backdoor shell on it. 

What Zone-H archived only accounts to those defaced websites that were submitted to them by defacers, thus there are still unaccounted websites out there which are not leaked just for the cracker or defacer’s compensation. We just could not deny the fact that there are still websites out there wherein the administrator is not aware of such cyber espionage.

Now the question is, “Is your website one of those unaccounted websites with backdoors?”

About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.