Find injected PHP code

When hackers and spammers manage to abuse your website and misuse it for their own benefit, they often inject their own PHP code into your scripts.

This article does not answer the question of how they get in. Sorry.. (bad code, bad plugins, old security holes, bad luck). Instead I want to give you a list of strings that I have seen most of the time, so you can search for them and clean your website. Or ask us to do it.

How to search

  • option 1 – download all scripts to your computer and, if your local antivirus lets you, search through all of them; most likely you will only need to look through *.php files.
  • option 2 – do it on the server through shell access.

Shell command to search for a string inside many files

We use a combination of the find and grep commands. The following example searches every PHP file under the current directory for the string “eval(”. If the string exists, you will see the file name and the matching line in the command's output.

find . -type f -name \*.php -exec grep -H "eval(" {} \;

Quite often the output is very large, so I normally redirect it to a file outside the current folder for later inspection:

find . -type f -name \*.php -exec grep -H "eval(" {} \; > /root/bad_code.txt

List of bad strings

  • eval( – hackers practically always use eval() to execute their code. As its argument they normally provide an encrypted or encoded string, which can be very long.
  • istart – this often appears as the start comment of the injected code, which might not even contain the eval() string. The functions are in plain text, so you can inspect them and see what they were trying to do.. 🙂 If you find this token, search for iend in the same file; it marks the end of the injected code. Quite a smart way, thank you guys!
  • @$_REQUEST – seen this several times in some leftover files. Search for it as “@\$_REQUEST” (or put the pattern in single quotes), because $ is a special symbol to the shell inside double quotes.
  • $_REQUEST['e41e']
  • chr(112)
  • Search for chr(1, chr(2 and so on (from chr(0 to chr(9), but check the results carefully: this gives many false positives, but you might still catch some bad code injections.
  • 7a3cb9bdfa
  • $_POST['hc']
  • file name script1.php
  • uggc
  • fujinari
  • FilesMan – usually this is a beautiful PHP file manager that lets hackers do anything.. 🙂
  • @copy( – met this piece of code along with an upload form. These guys are trying to get around the widely used move_uploaded_file function.
  • "64_decode" – this is a nice try to split up the base64_decode function name. Usually seen as $qnfffim="base" . "64_decode"; return $qnfffim($fxloy); (variable names may differ). Nice try, guys!
  • eval/ – I love this one! The full code snippet would be eval/*llnygdwzzi*/(iwdcxuhj($flumavwuxw, $filsk)); – basically they just add a comment between eval and the () brackets and use some mystic function inside.
  • extract($_COOKIE);
  • @preg_replace($_SERVER
  • New as of 13 June 2017: “;include
  • New as of 13 June 2017: “;if(isset
  • New as of 19 January 2018: “mail(stripsla
  • New as of 19 January 2018: “chr(97
  • New as of 19 January 2018: “php_off” (well, this can sometimes give a false positive, it is too general, but so far I have only seen it in injected files)


Other tricky way

In most cases, folders like images should not contain PHP files, but somehow people manage to upload scripts there and run their nasty code from there. Here is a simple shell command to find such scripts:

find . -type d -name images -exec find {} -name \*.php -ls \;
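The following script is an added example, not code from the original article: it ties together the find + grep search, the list of bad strings and the images-folder check above. It uses fixed-string matching (grep -F) with a patterns file, so characters like $, ( and @ need no escaping, which sidesteps the “@\$_REQUEST” pitfall from the list. The sample site tree, its file names and the snippet in thumb.php are constructed for the demonstration and modelled on the patterns described above; they are not real malware.

```shell
#!/bin/sh
# Added example, not code from the original article: scan a site tree for the
# indicator strings listed above and for PHP files hiding under "images"
# directories. Fixed-string matching (grep -F) means "$", "(" and "@" need no
# escaping.

# write_patterns FILE: one indicator per line, taken from the list above.
# Keep them flush-left: every character of a line is part of the pattern,
# and an empty line would match everything.
write_patterns() {
    cat > "$1" <<'EOF'
eval(
istart
@$_REQUEST
$_REQUEST['e41e']
chr(112)
$_POST['hc']
FilesMan
@copy(
64_decode
eval/
extract($_COOKIE);
@preg_replace($_SERVER
EOF
}

# scan_php_dir DIR PATTERNS: "file:line:content" for every matching line,
# the same find + grep combination as above, with -n for line numbers.
scan_php_dir() {
    find "$1" -type f -name '*.php' -exec grep -H -n -F -f "$2" {} \;
}

# hit_files DIR PATTERNS: distinct files with at least one hit, sorted.
hit_files() {
    find "$1" -type f -name '*.php' -exec grep -l -F -f "$2" {} \; | sort
}

# php_under_images DIR: PHP files inside any directory named "images".
php_under_images() {
    find "$1" -type d -name images -exec find {} -type f -name '*.php' -print \;
}

# make_sample_tree: constructed site with one clean script and one file in
# images/ carrying a snippet modelled on the patterns above (not real malware).
# Prints the temporary root directory; callers remove it when done.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/site/images"
    printf '%s\n' '<?php' 'echo "Hello, world";' > "$root/site/index.php"
    cat > "$root/site/images/thumb.php" <<'EOF'
<?php
$qnfffim = "base" . "64_decode";
eval/*llnygdwzzi*/($qnfffim($_POST['hc']));
EOF
    printf '%s\n' "$root"
}

# demo: full run, with the complete grep output saved outside the scanned
# tree for later inspection, as the article recommends.
demo() {
    root=$(make_sample_tree)
    write_patterns "$root/patterns.txt"
    scan_php_dir "$root/site" "$root/patterns.txt" > "$root/bad_code.txt"
    echo "Files with indicator hits:"
    hit_files "$root/site" "$root/patterns.txt"
    echo "PHP files under images/:"
    php_under_images "$root/site"
    rm -rf "$root"
}

demo
```

On a real server, point scan_php_dir at the web root and keep the patterns file and the output file outside it, so that the scan does not flag its own pattern list on the next run.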


Find compromised processes

Often hackers and spammers upload a script, start it and then delete it, so you can't find it. They often start the process from /tmp or another writable folder. You can start catching them by looking at the output of the following command (lsof with -p needs a process ID, so the full listing is filtered instead):

lsof | grep "deleted"

It will give you the username and process ID. From there you can look at the output of the following commands:

lsof -p <PROCESS ID>
ps faxu | grep <PROCESS ID>

The last one is useful if your server is configured to run PHP as FastCGI or FPM.
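As an added example (not from the original article), the script below pulls the user, PID, command and path out of lsof output for every open file that has already been deleted, so you get a short list of PIDs to follow up with lsof -p and ps faxu. The lsof lines in SAMPLE_LSOF are constructed for the demonstration and not captured from a real server; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: extract "USER PID COMMAND PATH"
# from lsof output for files that were deleted while still open.

# Constructed lsof output (not from a real server). Columns follow the default
# Linux lsof layout: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME.
# PID 4321 is a shell still executing a script removed from /tmp, with its
# working directory deleted too; the nginx log rotation is a benign hit.
SAMPLE_LSOF=$(cat <<'EOF'
COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
sshd       1200     root  txt    REG  253,0   852016  131090 /usr/sbin/sshd
sh         4321 www-data  255r   REG  253,0     1433  262144 /tmp/.x/run.sh (deleted)
sh         4321 www-data  cwd    DIR  253,0     4096  262143 /tmp/.x (deleted)
nginx      2100 www-data    6w   REG  253,0    40960  393216 /var/log/nginx/access.log.1 (deleted)
nginx      2100 www-data    7w   REG  253,0    12288  393217 /var/log/nginx/error.log
EOF
)

# deleted_file_processes: reads lsof output on stdin and prints
# "USER PID COMMAND PATH" once per deleted file that is still held open.
# The path is rebuilt from field 9 up to the trailing "(deleted)" marker,
# so paths containing spaces survive.
deleted_file_processes() {
    awk '$NF == "(deleted)" {
        path = $9
        for (i = 10; i < NF; i++) path = path " " $i
        print $3, $2, $1, path
    }' | sort -u
}

# deleted_pids: the distinct PIDs to look at next with
# lsof -p PID and ps faxu | grep PID.
deleted_pids() {
    deleted_file_processes | awk '{ print $2 }' | sort -u
}

# Run against the constructed sample. On a live server replace the printf
# with the real listing:  lsof | deleted_file_processes
printf '%s\n' "$SAMPLE_LSOF" | deleted_file_processes
```

Expect benign entries as well (rotated logs, temporary files of editors and databases), so treat the list as a starting point and confirm each PID with the ps output. lsof +L1, which lists only open files whose link count has dropped below one, gives the same candidates with less output to filter.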


I will try to update this list regularly. Last update: 13.June.2017
