Snort mailing list archives
Re: Signatures detecting PHP backdoor traffic
From: "Todor P. via Snort-sigs" <snort-sigs () lists snort org>
Date: Tue, 2 Jan 2024 19:10:46 +0200
The function vksXJAdk is defined to perform a simple XOR decoding of a given string using a provided key. The variable $i contains an encoded string, and the function vksXJAdk is used to decode it using the key $eByjoghUea. The result is stored in the variable $k. Another encoded string is stored in the variable $j, and it is also decoded using the same vksXJAdk function with the key $eByjoghUea. The result is stored in the variable $f. The code then executes the decoded string stored in $f as a PHP function, passing $eByjoghUea and $k as arguments. The include_once function is used to include the file named by $eByjoghUea. This file is likely dynamically generated based on the decoding process. After including the file, the code attempts to delete it using unlink. The exit() function is called, which terminates the script.

On Tue, Jan 2, 2024 at 6:00 PM Bart Broere <mail () bartbroere eu> wrote:
Hi fellow Snort Sigs subscribers,

This is my first submission here, so I hope this is the right place to contribute new signatures. This week I analyzed a PHP malware sample that was installed on a WordPress host. It functioned as a backdoor, allowing attackers to execute code on the host. Some of the functionality of the malware is that it responds with the MD5 hash of 47712 (6a59bb58c6c03d5103d44f3b7e5ebf07) when the GET parameter 47712 or 673435 is supplied. That behaviour can be converted to Snort rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP backdoor check of successful installation using GET parameter 47712"; flow:to_server,established; content:"GET /"; http_uri; content:"47712="; http_uri; classtype:web-application-activity; reference:url,bartbroere.eu/2023/12/31/php-backdoor-malware/; sid:1000001;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP backdoor check of successful installation using GET parameter 673435"; flow:to_server,established; content:"GET /"; http_uri; content:"673435="; http_uri; classtype:web-application-activity; reference:url,bartbroere.eu/2023/12/31/php-backdoor-malware/; sid:1000002;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER-WEBAPP Indication of a successful PHP backdoor check, server responds with 6a59bb58c6c03d5103d44f3b7e5ebf07"; flow:to_client,established; content:"6a59bb58c6c03d5103d44f3b7e5ebf07"; http_client_body; reference:url,bartbroere.eu/2023/12/31/php-backdoor-malware/; sid:1000003;)

There's some potential for false positives with these rules, but not a lot. Numeric GET keys and an MD5 hash of an integer are already slightly suspect. The detection could also benefit from dynamic rules probably, where hitting rule 1 or 2 would be a requirement for rule 3 to raise an alert. Unless I'm mistaken the community ruleset does not yet include any dynamic rules. Let me know if it's possible to use mechanisms like activates/activated_by, and I'll happily convert them.

I published a full write-up on the malware here: https://bartbroere.eu/2023/12/31/php-backdoor-malware/ This page also has references to earlier research. I'm especially thankful for all the samples collected by Bruce Ediger.

I don't have any packet captures of this happening, but I could generate them by running the malware in a sandbox.

Let me know if you have any questions or remarks, and whether these rules can be contributed to the Community Rules.

Best regards,
Bart Broere

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
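The two-stage correlation Bart asks about (rule 3 alerting only after rule 1 or 2 has fired on the same flow) as a flow-level replay in Python. This is an added example, not code from the thread or from Snort; the flow ids and sample traffic are constructed, and it requires the number to be a query-string key, which is stricter than the rules' substring content match.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Values taken from the thread: the two trigger parameters and the MD5 of "47712".
TRIGGER_PARAMS = {"47712", "673435"}
MD5_OF_47712 = "6a59bb58c6c03d5103d44f3b7e5ebf07"


@dataclass(frozen=True)
class Event:
    """One direction of an HTTP exchange on a TCP flow (constructed input)."""
    flow: str        # constructed flow id, e.g. "198.51.100.9:40512->203.0.113.7:80"
    direction: str   # "to_server" (request line) or "to_client" (response body)
    payload: str


def trigger_param(request_line):
    """Stage 1 (sids 1000001/1000002): return the matching GET parameter, or None.
    Stricter than the content match: the number must be a query-string key."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        return None
    query = parse_qs(urlsplit(parts[1]).query, keep_blank_values=True)
    return next((k for k in query if k in TRIGGER_PARAMS), None)


def correlate(events):
    """Replay events in order and return alerts as (flow, label) tuples. The
    stage-2 alert (sid 1000003) fires only on a flow a stage-1 request has
    armed, mirroring activates/activated_by (flowbits in current Snort)."""
    armed, alerts = set(), []
    for ev in events:
        if ev.direction == "to_server":
            key = trigger_param(ev.payload)
            if key:
                armed.add(ev.flow)
                alerts.append((ev.flow, f"stage1_param_{key}"))
        elif ev.direction == "to_client" and MD5_OF_47712 in ev.payload:
            if ev.flow in armed:
                alerts.append((ev.flow, "stage2_md5_reply"))
                armed.discard(ev.flow)  # one reply per armed check
    return alerts


# Constructed sample traffic: flow A is a real check; flow B carries the hash in an
# unrelated response (stand-alone sid 1000003 alerts, correlated does not); flow C has
# 47712 as a value, not as a parameter name.
SAMPLE = [
    Event("A", "to_server", "GET /index.php?47712= HTTP/1.1"),
    Event("A", "to_client", "<html>6a59bb58c6c03d5103d44f3b7e5ebf07</html>"),
    Event("B", "to_client", "hash list: 6a59bb58c6c03d5103d44f3b7e5ebf07"),
    Event("C", "to_server", "GET /?page=47712 HTTP/1.1"),
]
```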