After reading about an interesting webshell-hiding technique shared on a blog recently, I decided to review all the techniques employed so far, together with the detection technologies that webshell search engines keep updating. From my point of view, I then came up with a solution to this interesting webshell-hiding technique.
At first, attackers often placed the webshell directly on the server. However, tools that carry the webshells' checksums can detect these quickly. A number of technical improvements followed:
- Encrypting or encoding the webshell and using PHP functions to cheat detection tools, such as reversing strings with strrev(), splitting the base64_decode() string (PHP variable functions are required), or pack($format, $args).
- Injecting code through _GET or _POST fields, combined with obfuscation techniques.
- Steganography: hiding code in otherwise normal files (image files, video files, etc.) and calling it for execution.
Later, these measures could be blocked by detection tools developed from the NeoPI script. Updated versions of these tools can check GET and POST requests, and they have scanning engines that detect obfuscated and encrypted content in files and look for the dangerous-rated PHP functions that webshells commonly use.
Currently, these tools only warn about the possible presence of a webshell rather than detecting it conclusively. Still, their warnings are impressive.
WebshellDetection scans and gives the warning
Recently, a new technique has appeared that bypasses current detection tools. It improves webshell hiding by storing the code steganographically in the Exif metadata of an image file, combined with a trick in a PHP function.
There are two interesting features in this technique:
- Editing the header of an Exif image file.
In a .jpg image with Exif metadata (as generated by a digital camera), the metadata stores information about the image. These fields are not restricted in storage size, so some metadata tags can be modified to store a webshell.
Metadata tags before and after modification
- Playing a trick with the way PHP's preg_replace() handles its pattern.
Once the webshell has been saved this way, the attacker can execute it using two simple PHP functions:
$exif = read_exif_data("tests/image.jpg");
read_exif_data() reads the information in the header of an Exif image file.
preg_replace() finds and replaces string content.
In particular, when the $pattern parameter takes the form /.*/e (the e modifier), preg_replace($pattern, $replacement, $subject) evaluates the replacement as PHP code: it turns into an eval() and is no longer just 'find and replace'.
Therefore, when the parameters of preg_replace() are taken from the Exif headers, with 'Artist' = "/.*/e" and 'Copyright' = "eval(base64_decode('/*webshell-encoded*/'))", the call above becomes equivalent to eval(base64_decode('')), which executes the webshell.
Therefore, by abusing preg_replace() in this way, the technique can completely evade current detection tools because it never calls eval() directly.
Testing against some current open-source tools revealed that none of them detect a webshell hidden with the technique described above. This is because the technique relies on functions that the detection tools regard as harmless.
The most feasible countermeasure at present is to add preg_replace() to the list of suspicious functions. However, this has only a limited effect, because attackers can change their code to hide the use of preg_replace().
Against steganographic code, a metadata-checking mechanism should be added to look for suspicious signs of a webshell. This is my little tool, written in PHP, which checks the header of an Exif file and warns the user: Scank.php
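As an added illustration of such a metadata check (example code written for this page, not the author's Scank.php), the following Python script parses the Exif IFD0 of a JPEG and flags ASCII tags that carry a PCRE pattern with the e modifier or a call to a code-execution function. The JPEG builder, the tag values and the indicator regex are all constructed here; the payload body is a placeholder.

```python
import re
import struct

TAG_NAMES = {0x013B: "Artist", 0x8298: "Copyright"}  # the two fields the post shows being repurposed
# Indicators: a PCRE pattern whose modifiers include e, or a call to a code-execution helper.
SUSPICIOUS = re.compile(
    r"^/.*/[a-z]*e[a-z]*$|\b(?:eval|assert|base64_decode|system|passthru|shell_exec)\s*\(", re.I)

def build_exif_jpeg(tags):
    """Constructed sample: minimal JPEG whose APP1 is a little-endian Exif IFD0 of ASCII tags."""
    entries, data, n = b"", b"", len(tags)
    data_off = 8 + 2 + 12 * n + 4            # first byte after the IFD
    for tag, text in tags.items():
        val = text.encode() + b"\0"          # Exif ASCII values are NUL-terminated
        if len(val) <= 4:                    # values of 4 bytes or less are stored inline
            entries += struct.pack("<HHI", tag, 2, len(val)) + val.ljust(4, b"\0")
        else:                                # longer values live after the IFD, by offset
            entries += struct.pack("<HHII", tag, 2, len(val), data_off + len(data))
            data += val
    tiff = b"II*\0" + struct.pack("<IH", 8, n) + entries + b"\0\0\0\0" + data
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def read_exif_ascii(jpeg):
    """Walk the JPEG segments, locate APP1/Exif, parse IFD0 and return its ASCII tags."""
    out, pos = {}, 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, seglen = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and body.startswith(b"Exif\0\0"):
            tiff = body[6:]
            end = "<" if tiff[:2] == b"II" else ">"       # TIFF byte-order marker
            ifd = struct.unpack(end + "I", tiff[4:8])[0]
            count = struct.unpack(end + "H", tiff[ifd:ifd + 2])[0]
            for i in range(count):
                e = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
                tag, typ, cnt, off = struct.unpack(end + "HHII", e)
                if typ == 2:                              # type 2 is ASCII
                    raw = e[8:8 + cnt] if cnt <= 4 else tiff[off:off + cnt]
                    out[TAG_NAMES.get(tag, hex(tag))] = raw.rstrip(b"\0").decode("latin-1")
            break
        pos += 2 + seglen
    return out

def scan_exif(jpeg):
    """Return the (tag, value) pairs that match the preg_replace /e indicators."""
    return [(k, v) for k, v in read_exif_ascii(jpeg).items() if SUSPICIOUS.search(v)]

# Constructed samples: an ordinary photo, and one carrying the pattern/payload pair from the post.
BENIGN = build_exif_jpeg({0x013B: "Jane Doe", 0x8298: "(c) 2013 Jane Doe"})
TAMPERED = build_exif_jpeg({0x013B: "/.*/e", 0x8298: "eval(base64_decode('PLACEHOLDER'))"})
```

The e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so the execution trick itself only works on older interpreters; the metadata check still catches the stored pattern/payload pair regardless of the PHP version.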
Do Dac Khanh