BackdoorMan, automatic detection of malicious PHP script and shells
Your site has been hacked? Be careful, it might contain a backdoor!
BackdoorMan is a python script useful to discover malicious scripts in PHP sites: is quite common for attackers to place a back-door on a site they have violated in order to mantain access even if the site owners change account passwords.
Back-door scripts will vary from 100s of lines of code to 1 or 2 lines of code and can be merged in hundreds of files which makes it very hard to discover it, especially if the back-door is inactive. There is common ways and tools that can be used including grep, but BackdoorMan automates all the above as described earlier and make it even more easier (at least I hope so).
- Shells detect by filename using shells signature database.
- Recognition of web back-doors.
- Detect the use of suspicious PHP functions and activities.
- Use of external services beside its functionalities.
- Use of nimbusec shellray API (free online webshell detect for PHP files https://shellray.com).
– Very high recognition performance for webshells.
– Check suspicious PHP files online.
– Easy, fast and reliable.
– Classification for webshells with behavior classification.
– Free service of nimbusec.
- Use of VirusTotal Public API (free online service that analyzes files and facilitates the quick detection of viruses, worms, trojans and all kinds of malware), it can be useful in our situation.
- Use of UnPHP (The online PHP decoder: UnPHP is a free service for analyzing obfuscated and malicious PHP code) www.unphp.net.
Very useful in our situation.
– Eval + gzinflate + Base64.
– Recursive De-Obfuscating.
– Custom Function and Regex Support.