How to find PHP shells

We often get tasked with forensic investigations on compromised Linux web servers.

Here are a few basic tasks/commands you can perform to help with the start of investigations:

1) Audit log files / web and system logs to see if you can establish how the hack happened.
2) ls -la check for new files / hidden files / modified files in the web directories. Compare the web contents with a backup copy / clean copy of the install.
3) Check for common shell scripts using the command:
grep ‘((eval.*(base64_decode|gzinflate))|\$[0O]{4,}|(\\x[0-9a-fA-F]{2}){8,}|cgitelnet|webadmin|PHPShell|tryag|r57shell|c99shell|noexecshell|revengans|myshellexec|FilesMan|JGF1dGhfc|document\.write\(“\\u00|sh(3(ll|11)))’ /path/to/web/ -roE –include=*.php*

replacing /path/to/web with your web directory path

4) Once you find the shell script, find all instance of them with commands like this:

find / -type f -size SIZEc -exec ls -al {} \;

Replace SIZE with the file size in bytes of the backdoor

5) Find all hidden directories created on the server.

find /path/to/webdirectory -type d -iname “.[^.]*”

6) Restore clean copy of website from backup / perform all software updates on system/webapp.
7) Change all passwords, MySQL, SSH, FTP, Plugin passwords, CMS accounts etc.
8) Check web permissions, advisable 0644 on files, and 0750 on directories.
9) Setup a basic HIDS (Host Intrusion Detection System) to monitor the web app directory changes, something like Tripwire would do.
10) Harden PHP, read here: