web backdoors

Post by jay755 »

Hi,

Happy Year of the snake everybody :). Hope my year works out well.....

I am interested in creating a good web backdoor; most web backdoors I know are all c99-like types. Very many options and very easy to detect. It would be nice to make one which is difficult to detect.

Who would like to learn and help?

Jay

Re: web backdoors

Post by ayu »

Well, there are a few things to think about here.

Which options does the server administrator have to detect the backdoor?
The most common way would be to use an antivirus and search for the file using different techniques, like checking the checksum and so on.
Another way is to simply search for newly created files, or files that just don't belong (they would normally look for strange files in their image and upload folders).

To counter this in a simple manner, I would make a backdoor and then NOT share it with the whole world as the creators of the normal C99 and R59 shells did.
And then the backdoor has to be placed somewhere where it won't raise any suspicion (as in NOT the two folders I just mentioned).

One clever way, if you have write access, is to hide the backdoor in a file that already exists in the system.
Let's say that they have a CMS installed (Joomla, for example); then hiding the backdoor code in a file that already exists will make it a lot less likely to be detected (provided you have kept the code to yourself for as long as possible so that AV companies won't add it to their definition files).

I suggest the method to hide it would be to just put an if statement at the beginning of the file that checks a GET parameter called "stgId" (or something else the file is not likely to use), and then have a function at the END of the file with a common name like "hashStringContentTrimmer" (not common maybe, but still less suspicious than "thisIsAnEvilFunction"). And then of course, if the GET parameter is set, the function is called (the function would contain all your backdoor code).

Some coders would also encrypt or encode the code somehow so that it can't be read, and yes, that's a pretty good idea.
But personally I like to be sneaky and a bit subtle "the other way around", by doing LESS strange things to hide it, and more things to just make it look as normal as possible.
I use the same principle when writing malware in C for different operating systems: if I don't touch any system files, and just try to focus on the user files (passwords and such), my malware is less likely to be detected, especially since most antivirus software will always try to protect the system resources that need admin privileges, so if you just stay away from them, you can survive longer.

So yeah, to sum it all up,

just act normal ... :-99
"The best place to hide a tree, is in a forest"

Re: web backdoors

Post by jay755 »

Hi cats,

Thanks for the reply.

I agree with most of it. Just don't encrypt it; it looks too strange. My preference is to go with a POST value and not GET so as not to get in the access logs and all.

About the issue of where, I would like to take the following approach:
Hiding it in existing files is nice, but I am trying to go for the database. Hide it there; it will not be detected on disk and will be migrated even when changing hosters or servers :).

And sharing it with the whole interweb is maybe a bad idea, but I would like to share it with a small group who can all contribute and make it better.

Jay

Re: web backdoors

Post by ayu »

jay755 wrote:
Hi cats,

Thanks for the reply.

I agree with most of it. Just don't encrypt it; it looks too strange. My preference is to go with a POST value and not GET so as not to get in the access logs and all.

About the issue of where, I would like to take the following approach:
Hiding it in existing files is nice, but I am trying to go for the database. Hide it there; it will not be detected on disk and will be migrated even when changing hosters or servers :).

And sharing it with the whole interweb is maybe a bad idea, but I would like to share it with a small group who can all contribute and make it better.

Jay

Yeah, like I said, it's better to be subtle about it and not use encryption :)

POST is a really great idea, and hiding it in the database sounds interesting as well, but how would you go about doing that? :-k
Do you mean that you want to hide it in clear text?
And since you don't automatically have access to the database username and password simply because you entered the system, does this mean that you would have to configure your backdoor manually when you enter the system?

For example, that you enter the system and then you have to manually find the database credentials that the rest of the software is using, and then you run your backdoor to place the data in the database. That would also require that you have some sort of method for checking "how" you can hide it in the database, since you won't always have the required permissions to create tables and such, so you might have to hide it in another database or table that already exists.

This whole database idea sounds pretty neat, so please do elaborate on it if you wish :)
"The best place to hide a tree, is in a forest"

Re: web backdoors

Post by jay755 »

Yes, you need the DB credentials first. So I assume we can read files (configuration) to get the DB username and password. Then, depending on the web software used, we would need to find out how the software uses the database. I know that some software uses the database to store templates and loads and evals them. So changing some template code in the database would do the trick here, I think.
Combine that with POST and you have yourself a nice hidden backdoor if done right, I guess.

What do you think? Which software is interesting to start with?

Jay
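From the defender's side, here is an added example (not code from this thread) covering the two hiding methods discussed above: ayu's idea of tampering an existing CMS file with a guarded request-parameter trigger, and jay's idea of putting evaluated code into database-stored templates. It assumes a known-good SHA-256 manifest was captured at install time; the file names and contents are constructed for the demo, and suspicious_triggers takes any string, so template rows fetched from the database can be fed to it the same way as file contents.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic for the trigger pattern the thread describes: an isset() guard on a
# GET/POST/REQUEST parameter plus a code-execution call somewhere in the text.
TRIGGER_RE = re.compile(
    r"isset\s*\(\s*\$_(GET|POST|REQUEST)\s*\[\s*['\"](\w+)['\"]\s*\]\s*\)", re.I)
EXEC_RE = re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec)\s*\(", re.I)

# Constructed samples: a clean CMS file, and the same file with a guarded call
# prepended and an innocently named function appended (payload body omitted).
CLEAN = "<?php\nfunction render($tpl) { return htmlspecialchars($tpl); }\n"
INJECTED = ("<?php\nif (isset($_POST['stgId'])) { hashStringContentTrimmer(); }\n"
            + CLEAN[6:]
            + "function hashStringContentTrimmer() { /* omitted */ eval($code); }\n")

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def diff_against_manifest(root: Path, manifest: dict) -> dict:
    """Compare files under root with a known-good {relative_path: sha256} manifest
    captured at install time (the checksum check mentioned in the thread)."""
    found = {p.relative_to(root).as_posix(): sha256_bytes(p.read_bytes())
             for p in root.rglob("*") if p.is_file()}
    return {"modified": sorted(k for k in found if k in manifest and found[k] != manifest[k]),
            "added": sorted(k for k in found if k not in manifest),
            "missing": sorted(k for k in manifest if k not in found)}

def suspicious_triggers(source: str) -> list:
    """Guarded parameter names, if the text also contains an exec-style call.
    Works on file contents and equally on template text read from a database."""
    params = {m.group(2) for m in TRIGGER_RE.finditer(source)}
    return sorted(params) if params and EXEC_RE.search(source) else []

def demo() -> dict:
    """Constructed install: manifest taken first, then one file modified and one added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "templates").mkdir()
        (root / "templates" / "render.php").write_text(CLEAN)
        manifest = {"templates/render.php": sha256_bytes(CLEAN.encode())}
        (root / "templates" / "render.php").write_text(INJECTED)   # in-place tamper
        (root / "images").mkdir()
        (root / "images" / "stray.php").write_text("<?php echo 'hi';\n")  # new file
        report = diff_against_manifest(root, manifest)
        report["triggers"] = {k: suspicious_triggers((root / k).read_text())
                              for k in report["modified"] + report["added"]}
        return report

if __name__ == "__main__":
    print(demo())
```

The integrity diff catches the tampered file even when the injected code uses no obvious keyword; the heuristic adds context about which parameter guards the dispatch, which is the value to look for in POST bodies since, as noted in the thread, it will not appear in the access log.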

Re: web backdoors

Post by ayu »

jay755 wrote:
Yes, you need the DB credentials first. So I assume we can read files (configuration) to get the DB username and password. Then, depending on the web software used, we would need to find out how the software uses the database. I know that some software uses the database to store templates and loads and evals them. So changing some template code in the database would do the trick here, I think.
Combine that with POST and you have yourself a nice hidden backdoor if done right, I guess.

What do you think? Which software is interesting to start with?

Jay

When you say "which software", do you mean that you want to write backdoors for different kinds of software?
Like, one backdoor for Joomla, one for WordPress ... etc?
"The best place to hide a tree, is in a forest"

Re: web backdoors

Post by jay755 »

Hi cats,

Thanks for the input and help :)!

I think that would be necessary because every piece of software uses the database in a different way. Any ideas or other options you can think of, maybe?

Jay

Re: web backdoors

Post by ayu »

jay755 wrote:
Hi cats,

Thanks for the input and help :)!

I think that would be necessary because every piece of software uses the database in a different way. Any ideas or other options you can think of, maybe?

Jay

Well, if I were you, I would start with making two versions.

1: The first version would not target any specific CMS, but would need more manual setup (you would have to set all the credentials yourself and tell it in what database and table it should store the backdoor data).

2: The second version could be a proof-of-concept for a backdoor that targets a specific CMS, like Joomla. Have it use the Joomla config to upload itself to the database, and then either use Joomla to access it, or put some of the code in one of Joomla's files so that you can control it.

Another thing that I suggest is to not make a "normal" web backdoor.
That is, don't create a user interface for the backdoor; instead you simply have the backdoor output JSON data that you then interpret with a special client that you can write in another language.

That way it's harder for others to find it and use it, and you don't have to bother with all the trouble of a web GUI that might have issues with the HTML encoding when coming from the database or whatnot.
And it's less data, which will make it a little less suspicious :)
"The best place to hide a tree, is in a forest"

Re: web backdoors

Post by jay755 »

Thanks! Sounds like a good plan. I appreciate the input and thinking, thanks again.

Jay

Re: web backdoors

Post by ayu »

jay755 wrote:
Thanks! Sounds like a good plan. I appreciate the input and thinking, thanks again.

Jay

You're welcome! :)
And thanks to you too, I got some nice ideas from this as well ^^
"The best place to hide a tree, is in a forest"