WordPress is by far the most popular CMS (Content Management System). This popularity is due in particular to the extensive customization offered by themes and extensions. That same customization is also an open door for backdoors.
What is a Backdoor?
Backdoors are pieces of code or mechanisms specifically designed to provide a later access point to a site (or system). When malicious code is executed on a system, it can open “doors” that give the hacker easy access and bypass the usual authentication. These open “doors” can take very different forms depending on the system or site targeted:
- It can be the opening of network ports on a server, to connect to it later.
- It can be access that is granted only through a specific link.
- It can be a backdoor shell offering a variety of tools to take control of a remote machine.
- It can be a default password providing given privileges.
- It can be a hidden decryption key to decrypt normally confidential communications.
In the case of a WordPress backdoor hack, it is possible for an attacker to log in as an administrator and also to edit, delete or add articles on the fly, remotely of course.
What is a PHP web shell?💀
A web shell can be written in any language supported by the target web server. The most usually observed web shells are written in widely supported languages, such as PHP and ASP. Perl, Python, Ruby, and Unix shell scripts are also used.
A web shell itself cannot attack or exploit a remote vulnerability, so it is always the second step of an attack. – [us-cert.gov alerts TA15-314A]
Using network discovery tools, an adversary can identify vulnerabilities that can be exploited and result in the installation of a web shell. For example, these vulnerabilities may exist in content management systems (CMS) or Web server software.
Once the upload is successful, an adversary can use the web shell to leverage other exploitation techniques to escalate privileges and issue commands remotely. These commands are directly tied to the privileges and features available on the web server and may include the ability to add, execute, and delete files, as well as the ability to execute shell commands, additional executables, or scripts.
How Are Web Shell Exploits Used by Attackers?
Web shells are frequently used in compromises because of the combination of remote access and features they offer. Even simple web shells can have a huge impact while maintaining a minimal footprint.
To Gain Persistent Remote Access To Control Server
A web shell exploit usually contains a backdoor that allows an attacker to remotely access and possibly control a server at any time. This would prevent the attacker from having to exploit a vulnerability whenever access to the compromised server is required.
An attacker can also choose to repair the vulnerability themselves, to ensure that no one else exploits this vulnerability. In this way, the attacker can keep a low profile and avoid any interaction with an administrator, while obtaining the same result.
It should also be noted that many popular web shells use password authentication and other techniques to ensure that only the attacker who uploaded the web shell has access to it. These techniques include locking the script to a custom HTTP header, specific IP addresses, specific cookie values, or a combination of these.
Most web shells also contain code to identify and prevent search engines from listing the shell and, therefore, blacklisting the domain or server hosting the web application.
To Execute Privilege Escalation
Unless a server is misconfigured, the web shell will run under the Web server’s user permissions, which are (or at least should be) limited. Using a web shell, an attacker can attempt to perform elevation of privilege attacks by exploiting local system vulnerabilities to assume root privileges, which under Linux and other UNIX-based operating systems is the “superuser”.
With access to the root account, the attacker can essentially do everything on the system, including changing permissions, installing software, adding and removing users, stealing passwords, reading e-mails, etc.
To Set Up a Zombie Botnet for DDoS Attacks
Another use of web shells is to enlist servers into a botnet. A botnet is a network of compromised systems that an attacker controls, either for their own use or to rent out to other criminals. The web shell or backdoor connects to a command and control (C&C) server from which it receives instructions to execute.
This setup is commonly used in distributed denial of service (DDoS) attacks, which require significant bandwidth. In this case, the attacker has no interest in harming or stealing anything from the system on which the web shell was deployed. Instead, they simply use its resources whenever necessary.
Although a web shell is not normally used for denial of service (DoS) attacks itself, it can serve as a platform for downloading other tools, including DoS tooling.
Common Tactics Used to Execute Web Shell PHP Exploit
Web shells can be delivered through a number of Web application exploits or configuration weaknesses, including:
- SQL injection;
- Cross-site scripting (XSS);
- WordPress application/service vulnerabilities;
- WordPress file processing vulnerabilities (for example, upload filtering or assigned permissions);
- WordPress remote file inclusion (RFI) and local file inclusion (LFI) vulnerabilities;
- Exposed administration interfaces (possible areas to find the vulnerabilities mentioned above).
The tactics above are regularly combined. For example, an exposed administration interface also requires a file upload option, or another exploitation method mentioned above, for successful delivery.
Web Shell Examples
Adversaries frequently choose web shells such as China Chopper, WSO, C99 and B374K. However, these are only a small sample of the web shells in use.
- China Chopper – A small but feature-rich web shell. Has several command and control features, including a password brute-force capability.
- WSO – Stands for “Web Shell by oRb” and can pose as an error page containing a hidden login form.
- C99 – A version of the WSO shell with additional features. Can display server security measures and contains a self-deletion feature.
- B374K – A PHP-based web shell with common features such as process viewing and command execution.
Find a complete list of web shells here on GitHub: https://github.com/Wphackedhelp/php-webshells
Collection of PHP backdoor web shells: https://github.com/Wphackedhelp/PHP-backdoors
What is “special” about WSO?
WSO is a favorite hacker web shell because of its particularly powerful features.
- Password protection
- Server information disclosure
- File management features such as uploading, downloading or editing files, creating directories, browsing directories and searching for text in files
- Command Line Console
- Database Administration
- Running PHP code
- Encoding and decoding of text input
- Brute force attacks against FTP or database servers
- Installing a Perl script to act as a more direct backdoor on the server
Once installed on a website, web shells are notoriously difficult to remove, largely because hackers often place multiple copies of a web shell on one site in an attempt to retain access even if some of their malicious files are removed.
A web shell is a type of malicious file that is uploaded to a web server. Potential infection methods include SQL injection or the inclusion of remote files through vulnerable Web applications. Web shells typically contain a Remote Access Tool (RAT), or backdoor functionality, which allows attackers to retrieve information about the infected host and forward commands to the primary server through HTTP requests.
The Metasploit module below exploits unauthenticated versions of the “STUNSHELL” web shell. It works when safe mode is disabled on the web server; this shell is widely used in automated RFI payloads.
exploit/multi/http/stunshell_exec
References: OSVDB-91842
Snapshot of a PHP web shell with the following capabilities [Source – secured.org, a-php-web-shell-sold-in-dark-forums]:
- Cookie-based authorization.
- Encrypts the shell with your password immediately upon download.
- File manager:
  - bulk delete, move, copy, jump to, and download files and directories;
  - rename and create files and directories;
  - edit, view and change file attributes;
  - search for files, directories and text in files.
How to Find a PHP Web Shell Backdoor on Your Server
To keep access to your web server, hackers sometimes install a backdoor (a PHP web shell) designed to let them get back in by the same route after you have cleaned the site, fixed the security hole that allowed the hack, and put in place measures to lock out future attempts.
A backdoor script can be called from a browser just like any other web page. It gives the hacker a web interface to upload, download, view or modify files, create directories, and otherwise manage the site using PHP’s ability to read and write files and issue system commands through the operating system.
Backdoors can be hard to find because they are usually hidden in files that are already part of the site, or uploaded as new files with innocent names, most often placed in a directory with many files.
Ways To Detect Web Shell Exploits
There are a couple of ways of doing Web Shell Detection.
One approach is to have an automated system look at the contents of newly uploaded or changed files and see if they match a known web shell, just as antivirus software does with other forms of malware. You can use WordPress Scanner available here.
Another way is to use pattern matching to look for code fragments (down to the level of individual function calls) that are commonly malicious, such as calls out to the system to manipulate files or open connections.
Web Shell Detection by searching files with grep or findstr commands
Backdoor scripts usually need PHP functions that legitimate site code rarely calls, so you can search the files on your server for those calls. There are search programs you can use to search for text in files; the two described below are run from a command line (prompt), without a GUI.
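A command-line scanner that does the same sweep as grep/findstr, added here as an example (it is not part of the original post or any WP Hacked Help tool); it also catches .phtml and .php5 names, and the target path is an assumption:

```php
<?php
// Added example, not from the original post: a command-line scanner that does
// what the grep/findstr sweep does, walking a directory for PHP files and
// flagging lines that call the functions backdoors depend on.
// Usage: php scan.php /path/to/wordpress   (the path is an assumption)

// Code/command execution functions plus the decoders used to hide calls to
// them; eval(base64_decode(...)) is the classic WordPress case. The lookbehind
// keeps "filesystem(" from matching "system(".
const SUSPECT_CALLS = '/(?<![A-Za-z0-9_])(eval|assert|system|shell_exec|passthru'
    . '|exec|popen|proc_open|create_function|base64_decode|gzinflate'
    . '|gzuncompress|str_rot13)\s*\(/i';

/** Return one [path, lineNumber, trimmedLine] entry per suspicious line. */
function scanPhpTree(string $root): array
{
    $hits = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        // Backdoors also hide behind .phtml, .php5 and similar names.
        if (!preg_match('/\.ph(p\d?|tml)$/i', $file->getFilename())) {
            continue;
        }
        $lines = file($file->getPathname(), FILE_IGNORE_NEW_LINES);
        if ($lines === false) {
            continue;   // unreadable file: skip it, do not abort the sweep
        }
        foreach ($lines as $index => $line) {
            if (preg_match(SUSPECT_CALLS, $line)) {
                $hits[] = [$file->getPathname(), $index + 1, trim($line)];
            }
        }
    }
    return $hits;
}

$hits = scanPhpTree($argv[1] ?? getcwd());
foreach ($hits as [$path, $lineNo, $text]) {
    printf("%s:%d: %s\n", $path, $lineNo, $text);
}
// Every hit needs a human look: core and plugins legitimately call some of
// these, but a hit under wp-content/uploads, or one whose argument comes
// straight from $_GET/$_POST/$_COOKIE, is a strong backdoor indicator.
fprintf(STDERR, "%d suspicious line(s) found\n", count($hits));
```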
Tips To Prevent Web Shell Upload Vulnerabilities in PHP
To prevent web shell upload vulnerabilities, search your application code for calls to move_uploaded_file() and harden each piece of code that uses that function. I recommend creating a spreadsheet that enumerates all code paths that can be used to upload files in the application, to keep track of the hardening process.
The following defences can be used to defend against web shell upload vulnerabilities:
- require authentication to upload files;
- store uploaded files in a location not accessible from the web;
- don’t eval or include uploaded data;
- scramble uploaded file names and extensions;
- define the valid types of files that users should be allowed to upload.
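The defences above applied to a move_uploaded_file() call, shown as an added example (not code from the original post): a handler in the shape backdoor uploads abuse next to the hardened version. It assumes it runs inside WordPress (so current_user_can() exists) and that UPLOAD_DIR is a directory the web server does not serve.

```php
<?php
// Added example, not from the original post: an upload handler in the shape
// backdoor uploads abuse (vulnerable) next to one applying the defences above
// (hardened). Assumes it runs inside WordPress (current_user_can exists) and
// that UPLOAD_DIR is a directory the web server does not serve.

// VULNERABLE: keeps the client-chosen name, writes into the web root and
// checks nothing, so a file named shell.php becomes a reachable web shell.
function handleUploadVulnerable(array $file): string
{
    $dest = __DIR__ . '/wp-content/uploads/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// HARDENED: authenticated, type decided from the bytes, scrambled name with a
// fixed extension, stored outside the web root with no execute bit.
const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];
const UPLOAD_DIR = '/var/uploads-private';   // assumption: outside the document root

function handleUploadHardened(array $file): string
{
    if (!current_user_can('upload_files')) {      // WordPress capability check
        throw new RuntimeException('authentication required');
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or not an uploaded file');
    }
    // Never trust $_FILES['type'] or the extension: sniff the content.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("type not allowed: $mime");
    }
    // The client's file name never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0640);
    // Return only the token; a download script reads and echoes the file on
    // demand and never include()s or eval()s it.
    return $name;
}
```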
Installing a web shell is typically done through web application vulnerabilities or configuration weaknesses. Therefore, identifying and closing these vulnerabilities is crucial to avoid potential compromises. The following suggestions cover good general security and web shell-specific practices:
- Apply regular updates to applications and the host operating system to protect against known vulnerabilities.
- Reduce adversaries’ ability to elevate their privileges.
- Control the creation and execution of files in particular directories.
- Use a reverse proxy or an alternative such as mod_security to limit the accessible URL paths to known legitimate ones.
- Establish and save offline a “known good” version of the affected server, and a regular change management policy to monitor changes to server content.
- Validate user input to limit local and remote file inclusion vulnerabilities.
- Perform regular vulnerability scans of systems and applications to determine areas of risk.
- Deploy a web application firewall and perform regular virus signature checks.
Note: Manual removal requires considerable skill, as it is a difficult and risky process. If you are not sure where the malicious files are really hiding, use the automatic website scanner WP Hacked Help, which will save you time and hassle.
We sincerely recommend using WP Hacked Help to secure your WordPress site quickly.