Quick check to avoid malware in PHP scripts.

PedroNavp

New member
XNullUser
Joined
Oct 3, 2024
Messages
3
Reaction score
0
Points
1
Location
Spain
NullCash
22
I made a quick checklist to avoid manipulated PHP scripts with malware I hope you find it useful.

  • Open the PHP file in a you IDE: Use a code editor
  • Look for suspicious function calls: Search for potentially dangerous functions like:
    • eval()
    • exec()
    • shell_exec()
    • system()
    • passthru()
    • popen()
    • proc_open()
  • Check for base64 encoded strings: Malware often uses base64 encoding to hide malicious code. Look for:
    • base64_decode()
    • Long strings of seemingly random characters
  • Inspect CURL usage: While CURL itself isn't malicious, it can be used for unauthorized data transfer. Look for:
    • curl_init()
    • curl_setopt()
    • curl_exec() Check the URLs being accessed and ensure they're legitimate.
  • Examine file operations: Look for suspicious file read/write operations:
    • fopen()
    • file_get_contents()
    • file_put_contents()
  • Check for obfuscated code: Malware often uses obfuscation techniques. Look for:
    • Extremely long lines of code
    • Unusual variable names (e.g., $a1b2c3)
    • Strings of hexadecimal characters
  • Verify included files: Check all include() and require() statements to ensure they're including legitimate files.
  • Look for unauthorized database queries: Search for database operations that might be extracting or modifying data:
    • mysql_query() (for older PHP versions)
    • mysqli_query()
    • $wpdb->query() (in WordPress)
  • Check for hidden backdoors: Look for code that might create admin users or provide unauthorized access:
    • wp_insert_user() (in WordPress)
    • add_user() (in other CMS systems)
PS. This tool is useful too https://github.com/marcocesarato/PHP-Antimalware-Scanner
 

herf18

New member
XNullUser
Joined
Feb 27, 2024
Messages
14
Reaction score
0
Points
1
Location
Poland
NullCash
11
Sometimes the above elements can be avoided, which will be undetectable for certain code executed from a variable as a function, example in the image.

This PHP code is a clear example of obfuscation, a technique often used in malicious attacks to hide the true purpose of the script. The variables appear to be assembling encoded or hidden strings, which are likely intended to execute harmful commands. This type of obfuscation is commonly found in webshells or backdoors, allowing attackers to gain unauthorized access to the server. It could also be part of a code injection attack, where external code is introduced and executed in the application, leading to potential data theft, server control, or further exploitation. The obfuscation makes it difficult to detect and analyze the true nature of the attack without decoding the strings.
 

Attachments

  • 417702617_900771455047274_8464616037824356974_n[1].png
    417702617_900771455047274_8464616037824356974_n[1].png
    35 KB · Views: 3

Fernando Rogerio

New member
XNullUser
Joined
Oct 3, 2024
Messages
4
Reaction score
0
Points
1
Location
Brazil
NullCash
13
Is changing laravel to add bootstrap 5 styles worth it?Is changing laravel to add bootstrap 5 styles worth it?Is changing laravel to add bootstrap 5 styles worth it?ual! muiot ok
 

xtreme256

New member
XNullUser
Joined
Jul 23, 2024
Messages
18
Reaction score
0
Points
1
Location
uganda
NullCash
4
Can't the javascript be used to execute php functions in the front end as well, recently got an attack on my server just after using a template from this forum, so i try to avoid php scripts
 

nuxs

New member
XNullUser
Joined
Oct 8, 2024
Messages
3
Reaction score
0
Points
1
Location
USA
NullCash
4
Thanks for the quick check. Will avoid php script.
 

FallenAngel

Active member
Elite
Joined
Oct 6, 2021
Messages
584
Reaction score
128
Points
43
NullCash
167
Thanks for sharing this! Cheers mate!
 

bordun

New member
XNullUser
Joined
Sep 22, 2024
Messages
11
Reaction score
0
Points
1
Location
55
NullCash
4
Thank you! This is super helpful.
 
Top