Finding PHP and WordPress Backdoors using antivirus and Indicator of Compromise

From time to time we do forensic investigations of WordPress breakins. When we do the investigation there is often one or more backdoors placed in the filesystem or modified legit WordPress-related files in wp-includes, themes or plugins.

This is not only related to WordPress but all sites running PHP such as Drupal, Magento etc.

Finding backdoors in the filesystem can be time consuming and doing checksum checking is not always possible. So I wanted to find out how good antivirus software are these days to find PHP and WordPress backdoors.

On my personal Gist Github I have collected more than 10 different backdoors found on real breakins and forensic investigations.

Test 1 – VirusTotal

The Google owned VirusTotal.com service allows you to upload suspected malware and find out how many different antivirus-engines detecting the malware. So I uploaded the 10 different backdoors and here is the result:

  • Backdoor 1 – Detected by AVware as BPX.Shell.PHP
  • Backdoor 2 – No detections
  • Backdoor 3 – Detected by GData as Script.Backdoor.Perger.A
  • Backdoor 4 – No detections
  • Backdoor 5 – No detections
  • Backdoor 6 – No detections
  • Backdoor 7 – Two detections Nod32 PHP/Agent.GA and Fortinet PHP/Agent.GA!tr
  • Backdoor 8 – DrWeb PHP.Mailer.26
  • Backdoor 9 – Bkav VUL26C0.Webshell
  • Malware 10 – 7 engines detected this file as malicious

Test 2 – Indicators of Compromise

Indicators of Compromise (IOC) are pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network.There are several free tools and files with IOC signatures we can use. In this test we are using the Loki IOC scanner and yara.
Loki detects two of 10 files as suspicious:
And with yara and the signature-base package:
  • Backdoor 1 – Big_Numbers1
  • Backdoor 2 – webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1
  • Backdoor 5 – Big_Numbers1
  • Backdoor 6 –  WebShell_php_webshells_pws
  • Backdoor 7 –  Big_Numbers1
  • Backdoor 8 – network_smtp_raw
  • Backdoor 8 – possible_includes_base64_packed_functions
  • Backdoor 8 – with_images
  • Backdoor 8 – with_urls
  • Backdoor 8 – without_attachments
  • Backdoor 9 – Big_Numbers1
  • Backdoor 9 – php_uname
  • Backdoor 10 – function_through_object
  • Backdoor 10 – php_malfunctions
  • Backdoor 10 – php_uname
  • Backdoor 10 – possible_includes_base64_packed_functions

Wow. That looks good, but what about false positives? By looking at the alerts there should be lots of files triggering in the WordPress-core as example. When I did a scan on a plain WordPress installation with yara I’ve got 48 alerts and 0 with Loki.

Test 3 – Findbot

Findbot.pl is a simple Perl-script to find suspicious web files such as PHP-shells and backdoors. It was created in 2013 by CBL (Abuseat.org / Spamhaus).

The result from findbot is the following:

  • Backdoor 1 –  Suspicious(base64_decode): serialize(base64_decode(substr($o
  • Backdoor 6 –  Suspicious(passthru): passthru($cmd);
  • Backdoor 7 –  Suspicious(fsockopen): n_exists(‘fsockopen’)) {
  • Backdoor 8 –  Suspicious(fsockopen): g back to fsockopen”,
  • Backdoor 10 – Suspicious(base64_decode): echo exe(base64_decode($_GP[‘cmd

And when it comes to false positives using findbot it finds 19 suspicious indicators in a plain WordPress installation.

Test 4 – ClamAV antivirus

Clam AntiVirus (ClamAV) is a free, cross-platform and open-source antivirus software toolkit able to detect many types of malicious software, including PHP-shells, backdoors and viruses. In the past i’ve seen detections with clamav.

But this time there was zero detections:

Conclusions

Using yara, findbot and Loki may yield a lot of false positives and generates a lot of manual work. But when it comes to finding backdoors it is worth the time. I would recommend using the above tools together with classic forensic work such as looking at timestamps, accessed files in webserver logs, post-data and checksums.

As always, don’t forget to scan your WordPress site using WPSec.com.

Test files can be downloaded here (password: malware):

More backdoors can be found here: https://gist.github.com/jonaslejon

https://gist.github.com/jonaslejon

https://gist.github.com/jonaslejon

https://gist.github.com/jonaslejon

6 thoughts on “Finding PHP and WordPress Backdoors using antivirus and Indicator of Compromise”

  1. Correct. There remains no single method of identifying malware within a website. Human eyeballs are still required. This is why the scanners used by web host and some automated malware cleanup companies are at best partial solutions to full cleaning and securing a hacked website.

    Can’t tell you how many times this past year I’ve been drawn into reviewing the work done by automated malware cleanup services only to find the sites harboring “eyeball” obvious back door and malicious files.

  2. Jawira Portugal

    I had more success with ClamAV since I added PHP malware signatures, I downloaded these from https://malware.expert/signatures/ (I am not affiliated to this site).

    My ClamAV output for your files:

    ./malware2.php: OK
    ./malware6.php: OK
    ./malware10.php: {multi}Malware.Expert.wget.curl.lwp-download.exec.system.signature.UNOFFICIAL FOUND
    ./malware7.php: {HEX}Malware.Expert.PHP.SESSION.PHP.0.UNOFFICIAL FOUND
    ./malware8.php: OK
    ./malware3.php: {HEX}Malware.Expert.generic.preg.replace.post.3.UNOFFICIAL FOUND
    ./malware4.php: {HEX}Malware.Expert.generic.cookie.8.UNOFFICIAL FOUND
    ./malware5.php: OK
    ./malware9.php: OK
    ./malware1.php: OK

    ———– SCAN SUMMARY ———–
    Known viruses: 6469743
    Engine version: 0.99.4
    Scanned directories: 1
    Scanned files: 10
    Infected files: 4
    Data scanned: 0.38 MB
    Data read: 0.29 MB (ratio 1.29:1)
    Time: 16.550 sec (0 m 16 s)

  3. Avira Antivirus Support

    Also, we can use Exploit Scanner, but before applying it we must know that base64 and eval codes are also used in plugins. So sometimes it will return a lot of false positives. If we don’t know about the plugin in deep then it is really hard for you to know which code is out of its place in the thousands of lines of code.

  4. Avira Antivirus Support

    Also, we can use Exploit Scanner, but before applying it we must know that base64 and eval codes are also used in plugins. So sometimes it will return a lot of false positives.

  5. Pingback: Is it a virus or Not? ImunifyAV found malware in analog/cache file - Robert's Technology Blog

Leave a Comment

Your email address will not be published. Required fields are marked *