Server has been infected with numerous backdoor shell scripts (PHP): how can I test those scripts' functionality?

@Jessie594

Posted in: #Php #Virus

So I have a handful of PHP backdoor shell exploits that I've recovered from an un-updated WordPress website. I found these traces in Feb 2018; they have been there since Nov 19, 2017. Now I opened one of these PHP files and they are riddled full of backdoor-type crap and have a bunch of base64 payloads; inside those payloads there are all sorts of things like backdoor shells, scripts, etc., that mess up the server.

Wiping the server is unfortunately out of the question. I have manually gone through one of the 7 PHP worm files and, line by line, done searches for things; for example, they make a directory called "Lulz", so I searched the server for that. There were probably 100 scripts all packed into one PHP file. I've included it for reference.

Backdoor PHP Shell I found on my Server (PHP Gist file)

Now I've run CXS and it's found a lot of stuff; I've used find and grep to look for anything else. I've checked MySQL for tables, I've reset my reseller password, etc., etc.

My question is: How can I test these shell scripts out on my box to see what they can do? Should I go get a VM of CentOS and spin up my own server locally in a VM, then try to load this script up on it and see what it does?

I wonder if these scripts are from script kiddies or from bots. I wonder how many of the functions / features / things they actually used or did with them? Does anyone have any experience running these backdoor shells or dealing with them, and can tell me how safe CentOS 7.x is running the latest cPanel / latest WHM / latest Apache / etc.? How much of these scripts can actually make it through and execute in 2018 (when the scripts are mostly written in 2014)? Are some / all / any of these vulnerabilities patched?

Just trying to figure out how crazy these scripts got and how far down the rabbit hole they went in my server.

Anyone who is a glorified PHP worm expert want to do a little digging into that file and tell me if there is anything in there I need to check?

I see stuff like passwd and vhosts, etc., etc. Just trying to track down any extra locations. ClamAV / CXS / ModSecurity were all installed "after" Feb 2018, so anything I found was after the fact, not during.

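One way to answer "what do these scripts do" without running them on any box, added here as an example (it is not code from the post, from the linked gist, or from CXS/ClamAV): a small Python triage script that statically unwraps nested base64 layers in a PHP file and reports which suspicious functions, paths and strings appear at which depth. The indicator list is an assumption, and the PHP sample it runs on is constructed for the demo.

```python
import base64
import re

# Tokens worth flagging in a PHP file or a decoded payload. "Lulz", passwd and vhosts come from
# the post; the rest are common webshell primitives (assumed list, extend to taste).
INDICATORS = ("eval", "system", "exec", "shell_exec", "passthru", "base64_decode",
              "gzinflate", "fsockopen", "mkdir", "/etc/passwd", "vhosts", "Lulz")
# Whole-token match so that "retrieval" does not trip "eval" and "$exec" is not "exec".
IND_RE = {i: re.compile(r"(?<![\w$])" + re.escape(i) + r"(?!\w)") for i in INDICATORS}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def decode_b64_runs(text: str) -> list[str]:
    """Return every base64 run in `text` that decodes to mostly printable UTF-8 text."""
    found = []
    for m in B64_RUN.finditer(text):
        raw = m.group(0)
        raw += "=" * (-len(raw) % 4)  # repair padding the shell author may have stripped
        try:
            decoded = base64.b64decode(raw, validate=True).decode("utf-8")
        except ValueError:  # not base64, bad length, or binary rather than text
            continue
        printable = sum(ch.isprintable() or ch.isspace() for ch in decoded)
        if printable / len(decoded) > 0.9:
            found.append(decoded)
    return found

def triage_php(source: str, max_depth: int = 5) -> dict:
    """Unwrap nested base64 layers statically; record the depth at which each indicator first appears."""
    layers = [(0, source)]
    frontier = [source]
    for depth in range(1, max_depth + 1):
        frontier = [d for text in frontier for d in decode_b64_runs(text)]
        if not frontier:
            break
        layers.extend((depth, d) for d in frontier)
    hits = {}
    for depth, text in layers:  # ascending depth, so setdefault keeps the shallowest hit
        for name, rx in IND_RE.items():
            if rx.search(text):
                hits.setdefault(name, depth)
    return {"layers": len(layers), "indicators": hits}

# Constructed sample: one base64 layer wrapping another, not the real file from the post.
INNER = 'mkdir("Lulz"); $users = file_get_contents("/etc/passwd");'
MIDDLE = 'eval(base64_decode("' + base64.b64encode(INNER.encode()).decode() + '"));'
SAMPLE_PHP = '<?php\n$p = "' + base64.b64encode(MIDDLE.encode()).decode() + '";\neval(base64_decode($p));\n'

if __name__ == "__main__":
    print(triage_php(SAMPLE_PHP))  # mkdir, Lulz and /etc/passwd surface only at depth 2
```

Point it at each recovered file (and at the decoded layers it prints) to get the list of directories, paths and primitives to grep the rest of the server for; gzinflate/str_rot13 wrappers still need a manual decode step.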

@Lee4591628

Unfortunately, having your server hacked with backdoor scripts can be so messy that it may not be as simple as deleting a few files to clean it all up. Servers can get infected with viruses just like PCs can. If your server is on Linux, it can get Linux viruses. Linux is more immune than Windows or Windows Servers in general, but they can still be infected.

You can try deleting all of the backdoor files, but you're still leaving yourself open to backdoor holes, and you may never find all of them. Even if it seems like the exploit has stopped, if there is a backdoor you can get exposed again 3 years down the line.

Windows Viruses can infect your registry keys and create so many difficult to find files that it can be nearly impossible to remove them all manually. I'm not as familiar with Linux but I imagine that it can be nearly the same thing as well there.

In order to fully remove a backdoor virus from Linux you're likely going to need access to the entire server and all of its storage. And you probably need to have a high level of expertise in Linux in order to remove any hidden bugs that have been planted.

I know that you said wiping your server clean and starting over is out of the question, but it's definitely the safest thing you can do.
