
How to find PHP shells

Posted on Nov 23, 2014 in Security Blog

We often get tasked with forensic investigations on compromised Linux web servers.

Here are a few basic tasks and commands that help at the start of an investigation:

1) Audit the web server and system logs to establish how the compromise happened.
2) Run ls -la in the web directories to check for new, hidden or recently modified files. Compare the web contents against a backup or a clean copy of the install.
3) Check for common shell scripts using the command:
grep -roE --include='*.php*' '((eval.*(base64_decode|gzinflate))|\$[0O]{4,}|(\\x[0-9a-fA-F]{2}){8,}|cgitelnet|webadmin|PHPShell|tryag|r57shell|c99shell|noexecshell|revengans|myshellexec|FilesMan|JGF1dGhfc|document\.write\("\\u00|sh(3(ll|11)))' /path/to/web/

Replace /path/to/web with the path to your web root. The --include glob is quoted so the shell does not expand it before grep sees it, and -o prints only the matched fragment beside each file name, which keeps the output short enough to scan.

4) Once you find a shell script, find every instance of it with a command like this:

find / -type f -size SIZEc -exec ls -al {} \;

Replace SIZE with the size in bytes of the backdoor file; byte-identical copies will be listed even if they were renamed.

5) Find all hidden directories created on the server:

find /path/to/webdirectory -type d -iname '.[^.]*'

6) Restore a clean copy of the website from backup and apply all software updates to the system and the web application.
7) Change all passwords: MySQL, SSH, FTP, plugin passwords, CMS accounts, etc.
8) Check web permissions; 0644 on files and 0750 on directories is advisable.
9) Set up a basic HIDS (Host Intrusion Detection System) to monitor changes to the web application directory; something like Tripwire would do.
10) Harden PHP; read here: http://www.madirish.net/199
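The detection steps 3 to 5 and the permission check from step 8, run end to end as an added example script (written for this page, not taken from the original post). It builds a throwaway web root with constructed sample files: one file carries only the eval/base64_decode marker from the signature list with an undefined variable, so it does nothing if executed and exists purely to be found; a byte-identical copy sits under a hidden directory; one file is given loose permissions. Every path and file name is an assumption, and GNU grep (for --include) and a POSIX find are assumed to be present.

```shell
#!/bin/sh
# Added example (not from the original post): steps 3, 4, 5 and 8 above,
# wrapped in functions and run against a constructed, throwaway web root.

# The signature list from step 3, stored once so it is not retyped.
SHELL_SIGNATURES='((eval.*(base64_decode|gzinflate))|\$[0O]{4,}|(\\x[0-9a-fA-F]{2}){8,}|cgitelnet|webadmin|PHPShell|tryag|r57shell|c99shell|noexecshell|revengans|myshellexec|FilesMan|JGF1dGhfc|document\.write\("\\u00|sh(3(ll|11)))'

# --- Constructed fixture (assumed paths, not a real site) -------------------
WEBROOT="$(mktemp -d)"
trap 'rm -rf "$WEBROOT"' EXIT
mkdir -p "$WEBROOT/inc" "$WEBROOT/wp-content/uploads/.cache"
printf '<?php echo "hello"; ?>\n' > "$WEBROOT/index.php"
# Carries only the eval/base64_decode marker; $payload is never defined, so
# the file does nothing if run. It is here to be found, not to work.
printf '<?php eval(base64_decode($payload)); ?>\n' > "$WEBROOT/inc/helper.php"
# A byte-identical copy dropped under a hidden directory: step 4 should find it.
cp "$WEBROOT/inc/helper.php" "$WEBROOT/wp-content/uploads/.cache/img.php.bak"
find "$WEBROOT" -type d -exec chmod 0750 {} +
find "$WEBROOT" -type f -exec chmod 0644 {} +
chmod 0777 "$WEBROOT/inc/helper.php"   # one deliberately loose file for step 8

# Step 3: files under $1 whose contents match the signature list.
find_suspect_files() {
    grep -rlE --include='*.php*' "$SHELL_SIGNATURES" "$1" | sort
}

# Step 4: every regular file under $1 with the same byte size as file $2,
# which catches renamed copies of a known-bad file.
find_same_size() {
    size=$(wc -c < "$2" | tr -d ' ')
    find "$1" -type f -size "${size}c" | sort
}

# Step 5: hidden directories (names beginning with a dot) under $1.
# '[!.]' is the POSIX spelling of the '[^.]' class used in the post.
find_hidden_dirs() {
    find "$1" -type d -name '.[!.]*' | sort
}

# Step 8: anything whose mode is not the advised 0644 (files) / 0750 (dirs).
find_bad_perms() {
    { find "$1" -type f ! -perm 0644; find "$1" -type d ! -perm 0750; } | sort
}

# Short report when the script is run directly.
report() {
    echo "== suspect files";        find_suspect_files "$1"
    echo "== same size as first hit"
    first=$(find_suspect_files "$1" | head -n 1)
    [ -n "$first" ] && find_same_size "$1" "$first"
    echo "== hidden directories";   find_hidden_dirs "$1"
    echo "== unexpected permissions"; find_bad_perms "$1"
}
report "$WEBROOT"
```

On the fixture this reports both marker files under "suspect files" (index.php is clean and is not listed), both copies again under "same size" even though one was renamed to .bak, the .cache directory as the only hidden directory, and helper.php as the only path with unexpected permissions. To use it on a real server, drop the fixture section and call the four functions with the real web root; the functions only read the tree, so they are safe to run before any clean-up.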
