Over the course of examining hundreds if not thousands of phishing sites I’ve learned that the vast majority of phishing sites are created by compromising legitimate web sites through vulnerabilities of one type or another. Most often the vulnerabilities are web applications which don’t properly check that user content is really just user content. For example, instead of uploading their avatar image to an online forum like ZeroBoard, hackers upload malicious files which they can then run on the server giving them access to the system. The application does a poor job (if any) of checking that the picture file is only a picture file.
The most often uploaded malicious files are PHP shells. A PHP shell is a PHP program which provides a hacker with access to the web server as well as many tools and features:
- Find, Edit, Rename, Download Files
- Point-and-click Directory and File Navigator
- Shell Command Execution
- PHP Statement Evaluation
- Find Vulnerable Files and Directories
- Upload / Download files from FTP Servers
- Dump MySQL Databases
- Create a proxy server
- Create a back-connect shell
- Encode / Decode Base64, URL escape encoding, etc.
- Show running processes, system name, kernel version, IP addresses, etc.
- Show PHP configuration (php.ini), safe-mode, register globals, etc.
- FTP brute-force password cracker
- Emailer (spammer)
- Self-update and self-remove
The most common PHP shells are the C99 shell from the Captain Crunch Security Team and the r57 shell from the Rush Security Team / GHC. However, some PHP shells are simple one-box forms used to enter a command which will be executed on the server.
The results are a bit disheartening, but there are some caveats worth mentioning:
Not all vendors have a Linux based product. Almost always (but not quite), the compromised system which has a PHP shell installed on it is running a version of Linux. So it’s perfectly reasonable not to detect files that generally are only used on an operating system on which your product doesn’t run.
Some anti-virus products are geared as gateway products and not file scanners. That means, that some anti-virus products might detect the HTML generated by these backdoors, identify them as unwanted web applications, and block access to the PHP shell. That’s easy enough to test, but wasn’t tested here.
Some of the PHP programs could be considered dual-use applications – used for evil or for good. That argument is some what constrained by the fact that the tested files were all from compromised web sites and nearly all were made by hackers for hackers.
Another argument is that it’s more important to focus resources on catching desktop malware. I disagree. Server compromises often lead to more desktop malware, more end-user phishing, and more distribution of spam. If every web site on the Internet were secure, almost all of the badness we see every day on the Internet would go away.
So how about it anti-virus vendors! Time to start detecting PHP backdoors?