Grep: Scanning for backdoors
And last but not least, we have grep, a powerful command-line tool on Unix and Linux. It searches data sets (files, directory trees, or standard input) for lines that match a regular expression. As a short history, the utility was written by Ken Thompson for Unix in 1973 (March 3, 1973 is the commonly cited date). Nowadays grep is also a handy first-pass tool for finding backdoor shells and malicious scripts on a compromised host.
Grep can also be used to find risky code, e.g. calls to the PHP function shell_exec, which runs a string as a shell command; when that string is built from user input the result is command injection, i.e. remote code execution. We can grep for shell_exec( calls under our /var/www directory to list PHP files worth reviewing (-R recurses into subdirectories, -n prints the line number, and " *(" allows optional whitespace before the parenthesis). Here is the command:
grep -Rn "shell_exec *(" /var/www
Backdoor shells commonly use the shell_exec function for executing arbitrary commands. Aside from shell_exec, most PHP backdoor shells also use functions like base64_decode, eval, phpinfo, system, php_uname, chmod, fopen, fclose, readfile, edoced_46esab, and passthru. Note that eval, system and passthru execute code or commands, base64_decode typically unpacks an obfuscated payload, phpinfo and php_uname are reconnaissance, and the filesystem functions let the shell read or modify files; edoced_46esab is simply base64_decode spelled backwards, a string a shell reverses with strrev() to dodge naive searches.
Thus you could also easily grep for these functions. PHP function names are case-insensitive, so add -i to catch variants like PassThru(; and since fopen, fclose and chmod are common in legitimate code, treat hits as review candidates rather than verdicts:
grep -Rn "shell_exec *(" /var/www
grep -Rn "base64_decode *(" /var/www
grep -Rn "phpinfo *(" /var/www
grep -Rn "system *(" /var/www
grep -Rn "php_uname *(" /var/www
grep -Rn "chmod *(" /var/www
grep -Rn "fopen *(" /var/www
grep -Rn "fclose *(" /var/www
grep -Rn "readfile *(" /var/www
grep -Rn "edoced_46esab *(" /var/www
grep -Rn "eval *(" /var/www
grep -Rn "passthru *(" /var/www
Most Perl IRC bots contain the same tell-tale strings, such as shell, system and tcp (system() calls for command execution, and the tcp protocol name in the socket setup used to reach the IRC server), so we can grep for these just as we hunt for PHP backdoor shells. Thus, if we want to scan our /var/www directory again, we could issue the commands below:
grep -Rn "shell *(" /var/www
grep -Rn "tcp *(" /var/www
grep -Rn "system *(" /var/www
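As an added example that is not part of the original article, here is a small POSIX shell script that turns the one-off greps above (both the PHP list and the Perl strings) into a repeatable triage pass over a web root. It builds a constructed sample directory (a benign page, a legitimate file-handling script, and an inert webshell-style file, all written by the example itself), then ranks every .php file by how many distinct functions from the list it calls. It matches case-insensitively and runs two passes: a strict one that only counts call sites (name followed by an optional space and a parenthesis), and a loose one that counts the bare name anywhere, which is what catches strrev('edoced_46esab') style indirection that the call-site grep misses. The sample file names, the NAMES list and the output format are assumptions of this example; to hunt Perl bots the same way, replace NAMES with the strings from the previous paragraph and the '*.php' glob with '*.pl'.

```sh
#!/bin/sh
# Added example (not from the original article): grep-based triage of a web
# root for PHP backdoor shells. Builds constructed sample files in a temp
# directory so it runs offline, then ranks .php files by suspicious calls.

# The function names from the article, as one extended-regex alternation.
NAMES='shell_exec|base64_decode|eval|phpinfo|system|php_uname|chmod|fopen|fclose|readfile|edoced_46esab|passthru'
# Strict: a call site, i.e. name, optional whitespace, "(".
# Loose: the bare name anywhere (catches strrev('edoced_46esab')).
# The leading/trailing [[:alnum:]_]* swallow surrounding word characters so
# that my_system( or fopen_wrapper are matched whole and then rejected by the
# exact-name filter in count_names (a portable stand-in for GNU grep's \b).
STRICT_RE="[[:alnum:]_]*($NAMES)[[:space:]]*\("
LOOSE_RE="[[:alnum:]_]*($NAMES)[[:alnum:]_]*"

# Print the number of DISTINCT suspicious names a file matches for REGEX.
# -i because PHP function names are case-insensitive (PassThru( must count).
# usage: count_names REGEX FILE
count_names() {
    grep -oiE "$1" "$2" 2>/dev/null \
        | sed 's/[[:space:]]*($//' \
        | tr 'A-Z' 'a-z' \
        | grep -xE "$NAMES" \
        | sort -u \
        | wc -l \
        | tr -d ' '
}

# Rank every .php file under DIR, highest strict count first.
# Output: "<strict> <loose> <path>" for each file with at least one hit.
# usage: scan_dir DIR
scan_dir() {
    find "$1" -type f -name '*.php' | sort | while read -r f; do
        strict=$(count_names "$STRICT_RE" "$f")
        loose=$(count_names "$LOOSE_RE" "$f")
        if [ "$loose" -gt 0 ]; then
            printf '%s %s %s\n' "$strict" "$loose" "$f"
        fi
    done | sort -rn
}

# Create a constructed sample web root and print its path.
# The file contents are test fixtures for the grep patterns, nothing more.
make_samples() {
    sdir=$(mktemp -d)
    cat > "$sdir/index.php" <<'EOF'
<?php
// Constructed benign page: nothing from the list.
echo htmlspecialchars($_GET['name'] ?? 'world');
EOF
    cat > "$sdir/upload.php" <<'EOF'
<?php
// Constructed legitimate file handling: fopen/fclose are noisy but benign here.
$fh = fopen('/tmp/app.log', 'a'); fwrite($fh, "hit\n"); fclose($fh);
EOF
    cat > "$sdir/shell.php" <<'EOF'
<?php
// Constructed webshell-style fixture (inert text, only ever grepped).
if (isset($_POST['c'])) { eval(base64_decode($_POST['c'])); }
if (isset($_GET['cmd'])) { echo PassThru ($_GET['cmd']); }
$d = strrev('edoced_46esab');   // indirection that hides the call site
echo $d($_POST['p']);
system ("id");
EOF
    printf '%s\n' "$sdir"
}

# Stand-alone run: build the samples, rank them, clean up.
demo_dir=$(make_samples)
echo "strict loose path"
scan_dir "$demo_dir"
rm -rf "$demo_dir"
```

In the demo, shell.php scores 4 strict / 5 loose (eval, base64_decode, passthru, system at call sites, plus the reversed base64_decode string that only the loose pass sees), upload.php scores 2 / 2 for its legitimate fopen/fclose, and index.php is not listed at all. The gap between the two columns is a useful signal on its own: a file whose loose count exceeds its strict count is referring to these names without calling them directly, which is exactly what obfuscated shells do.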
Grep is such a good tool for manual detection and forensic analysis :)