20 May, 2024

How PHP Backdoors Can Compromise Your Website Security

Learn more as we explore what PHP backdoors are, how they can compromise your website security, and how you can help prevent them.
PHP is one of the most commonly used scripting languages for server-side code. This makes it a prime candidate for attackers seeking to exploit a website's vulnerabilities. Attackers use malicious scripts called PHP backdoors that allow them to gain unauthorized access to a website. From there, they can carry out several malicious activities, ranging from data theft and website defacement to using the server for cryptocurrency mining or other nefarious computing tasks.


These backdoors often utilize obfuscation techniques to make the already complex code that much harder to read. This can also make it difficult for cybersecurity experts to detect and remove the code. Thankfully, there are some common functions to be on the lookout for. We'll explore them in this article.

Common Functions Used in PHP Backdoors

There is quite an extensive collection of PHP functions that can be used to execute backdoors. Learning what these functions are will help guide developers to the areas of a file that might be doing something they shouldn't be. To help you understand what these are and what they do, we've broken them down by category.


Filesystem Functions

There are two sets of filesystem functions an attacker might use to create an exploit. The first set involves opening and manipulating files. These functions also allow the attacker to read, write, or execute files they shouldn't have access to.

fopen: Opens a file for reading or writing.
tmpfile: Creates a temporary file with a unique name.
bzopen: Opens a bzip2-compressed file for reading or writing.
gzopen: Opens a gzip-compressed file for reading or writing.
SplFileObject->__construct: Constructs a new file object for a file.


On the other hand, this next set of functions allows attackers to change file permissions, and move or delete files. These functions can also open access to people who shouldn't have it or remove access from those who should.

chgrp: Changes the group ownership of a file.
chmod: Changes the file mode (permissions).
chown: Changes the owner of a file.
copy: Copies a file to a new location.
file_put_contents: Writes data to a file, creating it if it doesn't exist.
lchgrp: Changes group ownership of a symlink.
lchown: Changes the owner of a symlink.
link: Creates a hard link to a file.
mkdir: Creates a directory.
move_uploaded_file: Moves an uploaded file to a new location, securely.
rename: Renames or moves a file or directory.
rmdir: Removes a directory.
symlink: Creates a symbolic link to a file.
tempnam: Creates a file with a unique name in a specified directory.
touch: Sets access and modification time of a file, creating it if it doesn't exist.
unlink: Deletes a file.

Command Execution Functions


PHP code sometimes needs to access shell commands, allowing it to run any program on the system that it has permission to run. In the wrong hands, the functions that allow this give attackers much greater control over the server.

exec: Executes a command.
passthru: Executes a command and directly outputs the result.
system: Executes a command and outputs the result, returning the last line.
shell_exec: Executes a command, returning the full output as a string.
popen: Opens a process or command for reading or writing.
proc_open: Executes a command and opens file pointers for input/output.
pcntl_exec: Replaces the current PHP process with a new process.

PHP Code Execution


In addition to running shell commands, there are functions for running code in other PHP files. The eval function, in particular, is very risky as it directly runs any string argument as PHP code.


require: Includes and evaluates a specified file and errors out if the file doesn't exist.
include: Includes and evaluates a specified file and gives a warning if the file doesn't exist.
require_once: Same as require, but only evaluates the file once.
include_once: Same as include, but only evaluates the file once.
create_function: Creates a lambda-style function (deprecated in PHP 7.2.0).
eval: Executes a string as PHP code.
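assert: Checks if a given condition is true, raising a warning or error if it isn't. Before PHP 8.0, a string argument was evaluated as PHP code, which is why it belongs in this category.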


Callback Functions

A callback function runs in response to something. If an attacker can change the callback argument, they can run a different function than the developers intended.


register_shutdown_function: Registers a callback for when script execution ends or exit() is called.
set_error_handler: Registers a callback for when an error occurs.
set_exception_handler: Registers a callback for when an uncaught exception occurs.
call_user_func_array: Calls a user-defined function with an array of parameters.

Information Disclosure


This section includes only one function, phpinfo. This function is a goldmine for potential attackers. It details information about the PHP environment as well as the server itself, providing the attacker with insights that can help them compromise website security.

Mitigation and Detection

In addition to being aware of the functions used to create PHP backdoors, there are some basic security steps you can take to help mitigate the chances of a cybersecurity attack impacting your website.

Stay Updated: Keeping PHP as well as other software up to date ensures that known vulnerabilities are patched.
Use Strong Passwords: Change any default passwords to something strong and unique.
Validate Input: All user input should be validated and sanitized to prevent injection attacks.
Restrict Uploads: Limit who can upload to the site as well as ensure that uploaded files are not executable.
Set Permissions: Use appropriate file permissions and avoid using permissions like 777.
Use Security Tools: Web application firewalls (WAFs) as well as malware scanners can detect and block malicious activities.
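
One way to check the "Restrict Uploads" and "Set Permissions" items against a web root, as an added example that is not part of the original article. The `uploads` directory name, the extension list and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Assumption: extensions the web server may hand to the PHP interpreter.
SCRIPT_EXTS = {"php", "phtml", "phar", "pht", "php5"}

def audit_tree(root, upload_dirs=("uploads",)):
    """Return sorted (relative_path, issue) pairs for everything under root."""
    issues = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_upload = any(p in upload_dirs for p in rel_dir.split(os.sep))
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                      # a symlink's own mode is not meaningful
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:           # covers 777, 666, 757, ...
                issues.append((rel, "world_writable"))
            if in_upload and stat.S_ISREG(st.st_mode):
                # Check every dot-separated part: "a.php.jpg" can still be run
                # as PHP by servers that match a handler on any extension.
                if SCRIPT_EXTS & {p.lower() for p in name.split(".")[1:]}:
                    issues.append((rel, "script_in_upload_dir"))
                if mode & 0o111:
                    issues.append((rel, "executable_in_upload_dir"))
    return sorted(issues)

def build_sample_tree():
    """Constructed sample web root in a temp directory; returns its path."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "uploads"))
    for rel, mode in [("index.php", 0o644), ("uploads/photo.jpg", 0o644),
                      ("uploads/avatar.php.jpg", 0o644), ("uploads/run.sh", 0o755)]:
        path = os.path.join(root, *rel.split("/"))
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "uploads"), 0o777)
    return root
```

Run `audit_tree()` against the real document root on a schedule and treat any new finding as something to explain before it is dismissed.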

Detecting PHP backdoors also involves searching for obfuscated code, unexpected file changes, and known malicious patterns within the website's files and database. To make this easier, some tools and services specialize in website security. They can assist in eliminating malicious code by scanning for known malware signatures and anomalies.
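
A minimal triage scanner for the function categories listed in this article, as an added example that is not part of the original article or of any product it mentions. It is regex-based and assumes pure PHP input without heredocs, so a real tokenizer would be more accurate; the sample source and the "first argument is a variable" flag are constructed for illustration.

```python
import re

# Function names from the article's categories; extend or trim per code base.
CATEGORIES = {
    "filesystem": "fopen tmpfile bzopen gzopen chgrp chmod chown copy "
                  "file_put_contents lchgrp lchown link mkdir move_uploaded_file "
                  "rename rmdir symlink tempnam touch unlink",
    "command_exec": "exec passthru system shell_exec popen proc_open pcntl_exec",
    "code_exec": "require include require_once include_once create_function eval assert",
    "callback": "register_shutdown_function set_error_handler "
                "set_exception_handler call_user_func_array",
    "info_disclosure": "phpinfo",
}
NAMES = {fn: cat for cat, fns in CATEGORIES.items() for fn in fns.split()}
CONSTRUCTS = {"require", "include", "require_once", "include_once"}  # "(" optional

# String literals and comments are blanked so names inside them are ignored.
TOKEN = re.compile(r"""'(?:\\.|[^'\\])*' | "(?:\\.|[^"\\])*"
                     | /\*.*?\*/ | (?://|\#)[^\n]*""", re.S | re.X)
# A listed name that is not a method call ($o->exec), static call or variable.
CALL = re.compile(r"(?<![\w$>:])(%s)\b\s*(\(?)\s*(?=(\S?))" % "|".join(NAMES), re.I)

def _blank(m):
    text = m.group()
    spaces = re.sub(r"[^\n]", " ", text)       # keep newlines for line numbers
    if text[0] in "'\"":                        # keep the quotes of a literal
        return text[0] + spaces[1:-1] + text[-1]
    return spaces

def scan(source):
    """Return (line, category, function, first_arg_is_variable) per finding."""
    clean = TOKEN.sub(_blank, source)
    findings = []
    for m in CALL.finditer(clean):
        name = m.group(1).lower()               # PHP function names ignore case
        if name not in CONSTRUCTS and m.group(2) != "(":
            continue                            # bare word, not a call
        line = clean.count("\n", 0, m.start(1)) + 1
        findings.append((line, NAMES[name], name, m.group(3) == "$"))
    return findings

# Constructed sample input, not taken from a real incident.
SAMPLE = r'''<?php // system("id") inside a comment is ignored
include 'header.php';
$db->exec("DELETE FROM cache");
$msg = "please call system() later";
call_user_func_array($cb, $args);
EVAL($code);
'''
```

Findings whose last field is true (a callback or eval fed directly from a variable) deserve review first; hits on common filesystem functions are expected in legitimate code and only mark where to look.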

How ThreatSign! Can Help

ThreatSign! is a comprehensive website security solution. It employs several methods to detect PHP backdoors and keep your website safe:


  1. Malicious Code Detection: A signature-based approach identifies known backdoor code snippets from a continuously updated database of threats.
  2. Heuristic Analysis: ThreatSign! looks for commonly used malware techniques, such as functions that enable remote file inclusion, obfuscation techniques, or hidden code execution.
  3. Behavioral Monitoring: Activity from the website is also monitored for signs of backdoor activity. File access patterns, outgoing network connections, as well as unauthorized file modifications are monitored for suspicious activity.
  4. Sandboxing: Sandboxing allows ThreatSign! to execute untrusted code in a safe environment. This allows it to analyze the code for malicious behavior where it can't harm the live website.

Through these techniques, ThreatSign! can flag any suspicious behavior as a potential threat, allowing your security team to address the issue before it becomes a larger problem. Sign up today!