Grep is a powerful command-line tool in Unix and Linux used for searching and probing data sets for lines that match a regular expression. As a short history, this utility was coded by Ken Thompson on March 3, 1973 for Unix.
Here is a sample of the most common usage of the tool, searching for the text string pBot in my PHP file bot.php (grep is case-sensitive by default, so the pattern must match the case of the string you are looking for):
grep pBot bot.php
Alright, let's proceed to the objective of this article, which is to find common vulnerabilities, backdoor shells and other malicious files using the grep command. For this writeup I'm using grep version 2.9, so if you are using an older version of GNU grep (below 2.5.4), some of the commands in this article may not work. To determine your version of grep, type grep -V or grep --version in your terminal. For the other options and arguments that can be appended to this command-line kung fu, type grep --help for more information.
Common Usage for Finding Vulnerabilities
The main reason why most web applications can be easily hacked or pwned is insecure code and functions that can be exploited. Take command injection, also known as remote code execution in terms of web exploitation: it becomes possible when a website accepts extra strings of characters or arguments from the user and those inputs are used as arguments when a command is executed on the web server. Most web applications vulnerable in this way use the shell_exec function, so we can turn that to our advantage and grep for shell_exec in our /var/www directory to find the PHP files that may be vulnerable to RCE or command injection. Here is the command:
grep -Rn "shell_exec *(" /var/www
In the image above, we can see that it displays the path of the vulnerable script and the line number of the function call.
Another example: the include, require, include_once and require_once functions are common in scripts vulnerable to LFI (Local File Inclusion), a vulnerability that allows an attacker to inject directory traversal characters into a file path on a certain website.
Again, we can grep for these functions to find possibly vulnerable scripts on our web server:
grep -Rn "include *(" /var/www
grep -Rn "require *(" /var/www
grep -Rn "include_once *(" /var/www
grep -Rn "require_once *(" /var/www
There are other PHP functions out there that can also be used for finding other web vulnerabilities; just use Google to find them.
Grepping for Backdoor Shells and other Malicious Files
Backdoors are used by web defacers and hackers to maintain access to a web server, which allows them to execute arbitrary commands, download files, edit files and open back-connections. Most backdoor shells use the shell_exec function for command execution. And because most anti-virus and rootkit scanners can detect backdoor shells, attackers use PHP encoders for evasion. But because functions like base64_decode and eval are used in this technique, they can't escape the wrath of grep. Here is a sample backdoor shell, with upload and system-information functions only, encoded with the Carbylamine PHP Encoder:
<?php function KJnPCP($XZK)
{
    // decoder stub emitted by the encoder: every byte of the encoded payload
    // is shifted back by one (the payload string passed in is not shown here)
    for ($i = 0; $i < strlen($XZK); $i++) {
        $XZK[$i] = chr(ord($XZK[$i])-1);
    }
    return $XZK;
}
Aside from shell_exec, base64_decode and eval, here are the other functions used by PHP backdoor shells:
Thus you could also easily grep for these functions:
grep -Rn "shell_exec *(" /var/www
grep -Rn "base64_decode *(" /var/www
grep -Rn "phpinfo *(" /var/www
grep -Rn "system *(" /var/www
grep -Rn "php_uname *(" /var/www
grep -Rn "chmod *(" /var/www
grep -Rn "fopen *(" /var/www
grep -Rn "fclose *(" /var/www
grep -Rn "readfile *(" /var/www
grep -Rn "edoced_46esab *(" /var/www
grep -Rn "eval *(" /var/www
grep -Rn "passthru *(" /var/www
In my recent analysis, some of these functions are used by IRC bots that have malicious functions like vulnerability scanners, automatic backdoor bots, DoS bots, udpflooder bots, etc.
Oh, and you might wanna add tcpflood and udpflood strings for grepping malicious files too because these are commonly used by IRC bots that have udpflood and tcpflood functions.
What you saw from the image above is a sample of a pBot which is a PHP IRC bot used by some attackers to initiate DDoS (Distributed Denial of Service) / DoS (Denial of Service) attacks.
We can also search for all of these functions at once with a single command in your terminal:
grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval|tcpflood|udpflood|edoced_46esab) *\(" /var/www
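The one-liner above lists every hit, and on a large document root most of those hits are legitimate code. The script below is an added example and not the article's own: it runs the same function list with grep -E (equivalent to the article's -P form for this alternation), adds a few obfuscation tells that the function list alone does not cover (eval fed directly by a decoder, the strrev('edoced_46esab') trick, the chr(ord()-1) decoder loop seen in the Carbylamine sample, and long base64 blobs), and ranks files by the number of matching lines so that the noisiest file is reviewed first. The fixture files it scans are constructed for the example, with a placeholder string where an encoded payload would be.

```shell
#!/bin/sh
# Added example (not the article's code): rank PHP files by backdoor indicators.

# Constructed fixture: one ordinary page, one noisy-but-normal file helper,
# and one file carrying the tells of an encoded dropper (payload is a placeholder).
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/lib" "$dir/uploads"
    cat > "$dir/index.php" <<'EOF'
<?php
// ordinary page: a single legitimate inline decode
$logo = base64_decode('aGVsbG8=');
echo "<p>welcome</p>";
EOF
    cat > "$dir/lib/files.php" <<'EOF'
<?php
// plain file handling, noisy but expected in application code
$h = fopen($path, 'r'); $data = fread($h, 1024); fclose($h);
chmod($path, 0644);
EOF
    cat > "$dir/uploads/cache.php" <<'EOF'
<?php
// constructed sample with the tells of an encoded dropper; the blob is a placeholder
function KJnPCP($XZK){for($i=0;$i<strlen($XZK);$i++){$XZK[$i]=chr(ord($XZK[$i])-1);}return $XZK;}
$d = strrev('edoced_46esab');
eval(gzinflate($d('UExBQ0VIT0xERVIgUExBQ0VIT0xERVIgUExBQ0VIT0xERVIgUExBQ0VIT0xERVIgUExBQ0VIT0xERVIgUExBQ0VIT0xERVIgUExBQ0VIT0xERVIg')));
$info = php_uname(); passthru($cmd);
EOF
    echo "$dir"
}

# The article's function list, unchanged.
FUNCS='passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval|tcpflood|udpflood|edoced_46esab'
# Obfuscation tells the list does not cover: eval fed by a decoder, the reversed
# function name handed to strrev, the shift-by-one decoder loop, long base64 runs.
OBFUSC='eval *\( *(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)|strrev *\( *.edoced_46esab|chr *\( *ord *\(|[A-Za-z0-9+/]{100,}'
PATTERN="($FUNCS) *\(|$OBFUSC"

# Every matching line with file and line number, like the article's -RPn form.
list_hits() {
    grep -RnE --include='*.php' "$PATTERN" "$1"
}

# "count path" per file with at least one hit, highest count first.
rank_files() {
    grep -RcE --include='*.php' "$PATTERN" "$1" |
        awk -F: '{ c = $NF; sub(/:[0-9]+$/, ""); if (c > 0) print c, $0 }' |
        sort -rn
}

# The single file to open first.
top_file() {
    rank_files "$1" | head -n 1 | awk '{ print $2 }'
}

# Count lines of output as a plain integer.
count() { n=$(wc -l); echo $((n + 0)); }

DIR=$(make_fixture)
echo "== all hits =="; list_hits "$DIR"
echo "== ranked files =="; rank_files "$DIR"
echo "== open first: $(top_file "$DIR")"
rm -rf "$DIR"
```

On the fixture the dropper sample scores four matching lines, the file helper two and the ordinary page one, so the ranking puts uploads/cache.php at the top even though files.php also calls several listed functions. A file that scores only on fopen, fclose and chmod is usually application code; a file that scores on the obfuscation tells deserves a manual read.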
Cross Posted from ROOTCON Blog