When a website is compromised, attackers frequently leave behind a backdoor – according to our research around 70% of all website hacks include a backdoor. These backdoors are not designed to attack a website or destroy data, instead, they allow an attacker to re-enter a targeted website with little to no authentication, providing them with unauthorized access to the system.
Backdoors can be planted anywhere within a site, file system, or database. They are often confused with legitimate code or assets, making them difficult to detect and remove.
Locating a backdoor on a website can be very challenging; attackers often develop creative approaches to hiding these valuable portals so they can avoid the effort of reinfecting a website.
There are several techniques that Sucuri uses to identify if a backdoor has been installed on a website.
- Whitelisting: Sucuri has a large checksum set of core CMS files and popular themes, modules, extensions and plugins which allows us to compare and identify if core files have been modified on a website.
- Blacklisting: Over the years, we’ve been compiling lists of known backdoors and their variations so that we can easily locate these malicious items during scanning and remediation efforts.
- Anomaly checks: If we locate a file that doesn’t exist on either our whitelist or blacklist, we’ll perform an anomaly check to manually inspect if any functions or variables contain a backdoor. If the file is clean, our research team will add it to our whitelist; if it’s malicious, we’ll include it on our blacklist for future detection.
With a combination of whitelisting, blacklisting and anomaly checks, we are able to locate backdoors on compromised websites to mitigate the risk of reinfection and eradicate unauthorized access.
During a recent incident response investigation, we discovered a creative attack that involved hiding a backdoor within a fake .JPG file.
We identified two files involved in the attack. The first item appeared to be a normal php file: ./wp-content/themes/twentythirteen/images/3.php
However, when we reviewed the content located in the php file, we noticed it referenced the following image:
This use of the include function and the title of the image seemed strange, though in no way appeared to be malware.
When we inspected the check-db.jpg image however, we were unable to open the file in the browser. No image displayed and it appeared to be corrupted.
We took another step and opened check-db.jpg in our text editor, which quickly identified the main source of the backdoor.
We discovered the attacker’s creative use of the strrev function – which outputs strings in reverse – to execute the backdoor. This enabled the attacker to gain unauthorized access with the following steps:
- $_S: This first variable contained the malicious code that creates the backdoor and allows the attacker to gain access.
- $_A: Using the strrev function on this variable allowed the attacker to reverse the string $_A=strrev(“esab”).”64_”.strrev(“edoced”); into $_A = “base64_decode”;
- $_X: Once decoded by the “base64_decode” function, this variable contained all of the code necessary to create and execute the backdoor for the attacker. After this variable was decoded by $_A, it became $_X = base64_decode(eval(gzinflate(base64_decode($_S))));
- $trd and $ctel: After a string reversal with a final strrev function, these variables combined and executed to provide the attacker with full access to the website.
The creative use of the fake .JPG file and strrev functions made this backdoor unique, however, we were able to identify the malware through routine anomaly checks.
If you’re trying to clean a compromised website on your own, you can check out our hacked website guides for a list of identified backdoors. We recommend removing and replacing core files, plugins, themes and extensions if possible, and then analyzing any remaining items to ensure they’re clean.
Having difficulty cleaning your website or identifying backdoors? We’d love to help you out!