Jun 13, 2011
 

As system administrators, we often need to search for potential backdoors or shells in the web sites on servers we manage. It's not something we want to have to do, but it is necessary, especially if we are supporting legacy code, have fallen behind on patches or updates, or a new exploit slipped through the cracks because of its popularity and how quickly it spread.

I wrote a quick bash script based on a PHP version I found here.

Here is the short script:

<pre>#!/bin/bash
# findshell.sh script by ed wiget
# used to find potential backdoors or shells in website code
echo -e "This script only searches for common names used in scripts.\n\n"
echo "An alert of a shell found simply needs further review as poor coding"
echo "practices often use the same functions"
sleep 10
echo "What is the path to the sites directory?"
echo "i.e. If sites are /var/www......."
echo "enter /var/www to search all sites or enter"
echo "/var/www/sitename.com to only search sitename.com"
# -r keeps backslashes in the typed path literal
read -r SPATH
echo -e "searching for common functions and names..........please wait\n\n"
# grep R=recursive; P=perl expression matching; l=only show files that match
# --include only these file extensions
# the perl expression can be extended by adding more words
# the grep -Pv excludes common wordpress class files that always give false positives
# you could also add domains: gooqle|beladen|martuz|gumblar
# added the strings from http://www.infosecisland.com/blogview/19648-System-Compromise-What-the-Heck-is-a-FeeLCoMz-String.html
# the trailing \x63\x72\x65\x61\x74\x65\x5f\x66 hex escapes spell "create_f" (create_function)
# grep -RPl --include=*.{php,txt,asp,htaccess,html,aspx,inc,cfm,js,css} "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|c99|r57|web*shell|edoced|46esab|hacked|analist|anaiytics|FaTaLz|KinCay|CreWz|TeaM|CoMMunity|AnoNyMous|Music|ProGraMMeR|CyBeRz|mIRC|CoMz|FeeLCoMz|\x63\x72\x65\x61\x74\x65\x5f\x66) *\(" "${SPATH}" | grep -Pv class-"(snoopy|smtp|feed|pop3|IXR|phpmailer|json|simplepie|phpass|http|oembed|ftp-pure|wp-filesystem-ssh2|wp-filesystem-ftpsockets|ftp|wp-filesystem-ftpext|pclzip|wp-importer|wp-upgrader|wp-filesystem-base|ftp-sockets|wp-filesystem-direct)\.php"

# this will output shells to a file without line numbers suitable for compiling a list, one file per line
#grep -RPl --include=*.{php,txt,asp,htaccess,html,aspx,inc,cfm,js,css} "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|c99|r57|web*shell|edoced|46esab|hacked|analist|anaiytics|SnIpEr_SA|Bhlynx|x2300|c99shell|r57shell|milw0rm|g00nshell|w4ck1ng|PHP-Proxy|Locus7s|ccteam|crazy.pl|tryag|myshell|msshell|phpshell|vbspy|JaheeM|mpownz|ManTiLa|indoirc.net|NOGROD|Bhlynx|rfiScan|x2300|Bigdoz|Indoserv|Faskalis|Indohacker|pLuR|HacKed|AnakDompu|cHApoenk|Shellbot|r3v3ng4ns|MaXiMiZeR|n3oom3|rohitab|w4ck1ng|PHP-Proxy|Locus7s|cgitelnet.pl|ccteam|UNITX_TEAM|soqor|SpIdEr|dark.cgi) *\(" "${SPATH}" | grep -Pv class-"(snoopy|smtp|feed|pop3|IXR|phpmailer|json|simplepie|phpass|http|oembed|ftp-pure|wp-filesystem-ssh2|wp-filesystem-ftpsockets|ftp|wp-filesystem-ftpext|pclzip|wp-importer|wp-upgrader|wp-filesystem-base|ftp-sockets|wp-filesystem-direct)\.php"
# this will output the found shells for ${SPATH} with line numbers and code highlighted to term removing most wordpress files
# grep -RnP --include=*.{php,txt,asp,htaccess,html,aspx,inc,cfm,js,css} "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|c99|r57|web*shell|edoced|46esab|hacked|analist|anaiytics|SnIpEr_SA|Bhlynx|x2300|c99shell|r57shell|milw0rm|g00nshell|w4ck1ng|PHP-Proxy|Locus7s|ccteam|crazy.pl|tryag|myshell|msshell|phpshell|vbspy|JaheeM|mpownz|ManTiLa|indoirc.net|NOGROD|Bhlynx|rfiScan|x2300|Bigdoz|Indoserv|Faskalis|Indohacker|pLuR|HacKed|AnakDompu|cHApoenk|Shellbot|r3v3ng4ns|MaXiMiZeR|n3oom3|rohitab|w4ck1ng|PHP-Proxy|Locus7s|cgitelnet.pl|ccteam|UNITX_TEAM|soqor|SpIdEr|dark.cgi) *\(" "${SPATH}" | grep -Pv class-"(snoopy|smtp|feed|pop3|IXR|phpmailer|json|simplepie|phpass|http|oembed|ftp-pure|wp-filesystem-ssh2|wp-filesystem-ftpsockets|ftp|wp-filesystem-ftpext|pclzip|wp-importer|wp-upgrader|wp-filesystem-base|ftp-sockets|wp-filesystem-direct)\.php"
# longer list with line numbers and highlighting to a file
# note: this live search uses the directory read into SPATH above and does not apply the wordpress exclusion
grep -RnP --include=*.{php,txt,asp,htaccess,html,aspx,inc,cfm,js,css} "(passthru|shell_exec|system|phpinfo|base64_decode|decode|iframe|chmod|mkdir|fopen|fclose|readfile|script|c99|r57|web*shell|edoced|46esab|hacked|analist|anaiytics|SnIpEr_SA|Bhlynx|x2300|c99shell|r57shell|milw0rm|g00nshell|w4ck1ng|PHP-Proxy|Locus7s|ccteam|crazy.pl|tryag|myshell|msshell|phpshell|vbspy|JaheeM|mpownz|ManTiLa|indoirc.net|NOGROD|Bhlynx|rfiScan|x2300|Bigdoz|Indoserv|Faskalis|Indohacker|pLuR|HacKed|AnakDompu|cHApoenk|Shellbot|r3v3ng4ns|MaXiMiZeR|n3oom3|rohitab|w4ck1ng|PHP-Proxy|Locus7s|cgitelnet.pl|ccteam|UNITX_TEAM|soqor|SpIdEr|dark.cgi) *\(" "${SPATH}" > /root/eds-review.txt
echo -e "\n\ndone\n\n"</pre>

How To Use

Basically, save the script somewhere local on your system as findshell.sh and make it executable: chmod +x /path/to/findshell.sh

I have a longer version that pipes the output to a file and then emails it, but you could also do something like this:

./findshell.sh > findshell_log-`date +%Y%m%d`.txt

The list of files returned should be reviewed for potential backdoors. Many files may be returned, since some of the functions are commonly used by developers in everyday applications. So, just because a file is identified does not mean it's an actual backdoor or shell; it just means it should be reviewed. Once you have reviewed the code, you can add that particular file name to the exclusion list (the grep -Pv part). DO NOT REMOVE THE FUNCTION NAME, as that defeats the purpose of the script.

Run the script again to make sure the file is no longer reported on the second search. Rinse, repeat.

Updated 2012-02-03: Added recommendations for strings to search from InfoSecIsland

Updated 2012-03-02: Added recommendations for strings to search from blog.sucuri.net

Updated 2012-07-11: Added more strings to search for