FreeBSD: Protect your web servers against PHP shells and malware

Written by: Özgür Konstantin Kazanççı

Category: My FreeBSD Write-ups

Hello there – It’s been a long time since I wrote something here!

Today, I will try to explain how we can make our web servers more secure: how we can periodically scan hosted files and find the ones containing malicious code.

In the FreeBSD package repository, there is an effective (and well-known) antivirus software called ClamAV, which I install on almost all the servers I manage. It’s fast, efficient and stable.

While the virus signature database that comes with ClamAV may be sufficient for regular systems or mail servers (for detecting viruses hidden in .exe, .zip, .rar, .docx, .xlsx files), when it comes to web servers we need much more effective and deeper signature databases. ClamAV is indeed a very good anti-virus/anti-malware tool, however it is poor at detecting malicious code injected into PHP files. At this point, free 3rd-party signature databases come into play and save us: we can use them to extend ClamAV's signature collection so that it detects malicious files, dangerous shell scripts and PHP malware on a web server far better.

PHP malware and PHP shells, also known as webshells, are scripts or programs written in PHP that allow unauthorized individuals to gain control over a web server. While they may have legitimate uses for system administrators to manage servers remotely, PHP shells can be highly dangerous in the wrong hands.

Here are a few reasons why PHP shells can pose significant risks to servers:

Unauthorized Access: PHP shells provide a convenient way for attackers to browse the content of local files and gain unauthorized access to a server. Once an attacker uploads and executes a PHP shell on a server, they can exploit its functionalities to execute arbitrary commands, access files and directories, modify configurations, or even escalate their privileges.

Command Execution: With a PHP shell, an attacker can execute system commands on the server. This capability enables them to run malicious scripts, launch further attacks, or manipulate system resources. They can also leverage the server’s computing power for activities like cryptocurrency mining or launching distributed denial-of-service (DDoS) attacks.

Data Theft and Manipulation: By using PHP shells, attackers can browse and download sensitive data from the server, such as databases, configuration files, user credentials, or intellectual property. They can also modify, delete, or inject malicious code into existing files, compromising the integrity and confidentiality of the server’s data.

Persistence and Backdoor Access: PHP shells can be used to establish persistent access to the compromised server. Attackers can configure the shell to remain hidden and undetected, allowing them to maintain control even after system reboots or security measures are applied. This grants them ongoing unauthorized access and the ability to further exploit the server or launch subsequent attacks.

Malware Distribution: Once attackers gain control over a server through a PHP shell, they can use it as a launching pad for distributing malware. They can upload malicious files, create phishing websites, or use the server’s resources to send spam emails or host malicious content. This can lead to further compromise of other systems and damage the server’s reputation.

Given these risks, it is crucial to prevent unauthorized access to servers, secure web applications, regularly update software, and employ strong authentication mechanisms. Timely detection and removal of PHP shells is essential to protect servers from potential damage and safeguard sensitive data.

With the free signature databases described below, it is possible to drastically improve the detection rate of ClamAV so that it becomes an excellent security tool for web servers as well.

We’ll be using free ClamAV databases from Malware.Expert, URLHaus, SecuriteInfo, InterServer, RFXN and Sanesecurity.

›Malware.Expert generates PHP signatures to help improve the ClamAV detection rate on PHP malware in shared hosting environments. Their malware signatures are generated daily from shared web hosting servers that contain malware.

›URLhaus is a project operated by abuse.ch. The purpose of the project is to collect, track and share malware URLs, helping network administrators and security analysts to protect their network and customers from cyber threats.

›SecuriteInfo.com is a French computer security company providing state-of-the-art technologies for security audits and products, such as vulnerability audits for websites, network audits and firewall/proxy appliances. Their signatures rely on real malware found on the Internet and dropped within web servers, including JavaScript, PHP, iframes and includers, as well as Locky, TeslaCrypt, CryptoWall, CryptoLocker and other ransomware.

›InterServer offers ClamAV signatures focused on malicious PHP scripts, maintained by the hosting provider InterServer. Highly recommended if you regularly want to scan your web servers.

›RFXN (R-FX NETWORKS) offers a set of ClamAV signatures specializing in detecting malicious PHP scripts, trojan horses such as malicious IRC bots, worms, etc.

›Sanesecurity signatures (from Mailborder) greatly enhance the detection rate of ClamAV by adding additional checks including zero-day shell/virus detection.

But first of all, let’s start by installing ClamAV on our system. To install and use ClamAV, your machine must have at least 2GB of free available memory.

Here are the commands to install ClamAV, set it to start at each system boot, and also enable freshclam, the virus database update tool for ClamAV. Then we set freshclam to run with the “-c 1” flag.

The switch: -c n checks n times per day for a new database, n must be between 1 and 50.

Setting it to 1 (once a day) is enough in our case, since most of those free 3rd-party databases impose such a rate limit anyway.

[root@srv ~] pkg install -y clamav
...
[root@srv ~] sysrc clamav_clamd_enable="YES"
[root@srv ~] sysrc clamav_freshclam_enable="YES"
[root@srv ~] sysrc clamav_freshclam_flags="-c 1"

That’s it.

Now, we can run the freshclam command to fetch and update the default ClamAV database;

[root@srv ~] freshclam
ClamAV update process started at Sat May 20 14:04:02 2023
daily.cvd database is up-to-date (version: 26913, sigs: 2035029, f-level: 90, builder: raynman)
main database available for download (remote version: 62)
Time: 1.0s, ETA: 0.0s [========================>] 162.58MiB/162.58MiB
Testing database: '/var/db/clamav/tmp.e2d591166c/clamav-a6f8ea65f5d7dd6f865537a3d9615866.tmp-main.cvd' ...
Database test passed.
main.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.sock: No such file or directory

The warning message above appears because the clamav-clamd service is not running yet.

We start it and try freshclam again;

[root@srv ~] service clamav-clamd start
Starting clamav_clamd.

[root@srv ~] service clamav-clamd status
clamav_clamd is running as pid 92558.

[root@srv ~] freshclam
ClamAV update process started at Sat May 20 14:04:42 2023
daily.cvd database is up-to-date (version: 26913, sigs: 2035029, f-level: 90, builder: raynman)
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)

And everything seems fine now. For now.

So far, we have installed ClamAV and updated the virus signature databases that came with it. But as I mentioned at the beginning of my article, these databases are not sufficient for detecting malicious PHP code/files. Is that really so? Let’s test it and see. We will now download some PHP files containing malicious code samples and scan them with ClamAV’s default signature database;

[root@srv ~] mkdir /root/testvir
[root@srv ~] cd /root/testvir
[root@srv ~] fetch https://github.com/Te-k/php-malicious-sample/archive/refs/heads/master.zip
[root@srv ~] unzip master.zip
[root@srv ~] clamscan -oir -l /var/log/scanresult.log /root/testvir/

/root/testvir/master.zip: Win.Trojan.Shell-67 FOUND
/root/testvir/php-malicious-sample-master/utf.php: Php.Malware.Mailbot-45 FOUND
/root/testvir/php-malicious-sample-master/1/wso.php: Win.Trojan.Shell-67 FOUND
/root/testvir/php-malicious-sample-master/4/accountakZi.php: Php.Trojan.Spambot-292 FOUND
/root/testvir/php-malicious-sample-master/4/error.php: Php.Exploit.C99-7566241-0 FOUND
/root/testvir/php-malicious-sample-master/4/infos.php: Win.Trojan.Shell-49 FOUND
/root/testvir/php-malicious-sample-master/4/xml.php: Win.Trojan.Shell-49 FOUND
/root/testvir/php-malicious-sample-master/4/info.php: Win.Trojan.Shell-49 FOUND
/root/testvir/php-malicious-sample-master/index.phtml: Win.Trojan.Shell-49 FOUND
/root/testvir/php-malicious-sample-master/defines.php: Php.Malware.Mailbot-45 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8666980
Engine version: 1.0.1
Scanned directories: 6
Scanned files: 37
Infected files: 10
Data scanned: 1.46 MB
Data read: 0.95 MB (ratio 1.54:1)
Time: 14.693 sec (0 m 14 s)
Start Date: 2023:05:22 02:40:51
End Date: 2023:05:22 02:41:06
root@srv:~/testvir #

-o: Skips printing OK files
-i: Only prints infected files
-r: Scans directories recursively. All the subdirectories in the given directory will be scanned.
-l: Writes the results into a log file.

As we see above, only 10 out of 37 malicious files were successfully detected. That’s a pretty low ratio. So now, let’s improve it, by adding external/3rd party signature databases.

Create a free SecuriteInfo account to get the database download URLs for the additional signatures for ClamAV: https://www.securiteinfo.com/clients/customers/signup

Log in, then go to the “Setup” tab to get the “DatabaseCustomURL” lines.

Copy the lines starting with “DatabaseCustomURL”; they will be put into freshclam.conf.

Edit /usr/local/etc/freshclam.conf file, set the following options;

DatabaseDirectory /var/db/clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogFileMaxSize 2M
LogTime yes
LogRotate yes
MaxAttempts 5
ConnectTimeout 60
ReceiveTimeout 1800

These are some general settings.

Then we go to the bottom of the freshclam.conf file, and add 3rd party databases’ URLs;

#SecuriteInfo Signatures (Get them from your own account)
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/.../securiteinfo.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/.../securiteinfo.ign2
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/.../javascript.ndb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/.../spam_marketing.ndb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/.../securiteinfohtml.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/.../securiteinfoascii.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/.../securiteinfoandroid.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/.../securiteinfoold.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/.../securiteinfopdf.hdb

#InterServer Signatures
DatabaseCustomURL http://sigs.interserver.net/interserver256.hdb
DatabaseCustomURL http://sigs.interserver.net/interservertopline.db
DatabaseCustomURL http://sigs.interserver.net/shell.ldb
DatabaseCustomURL http://sigs.interserver.net/whitelist.fp

#RFXN Signatures
DatabaseCustomURL http://www.rfxn.com/downloads/rfxn.ndb
DatabaseCustomURL http://www.rfxn.com/downloads/rfxn.hdb
DatabaseCustomURL http://www.rfxn.com/downloads/rfxn.yara

#SaneSecurity Signatures
DatabaseCustomURL http://sigs.mailborder.com/sigwhitelist.ign2
DatabaseCustomURL http://sigs.mailborder.com/sanesecurity.ftm
DatabaseCustomURL http://sigs.mailborder.com/hackingteam.hsb
DatabaseCustomURL http://sigs.mailborder.com/crdfam.clamav.hdb
DatabaseCustomURL http://sigs.mailborder.com/bofhland_malware_attach.hdb

#Malware.Expert Signatures
DatabaseCustomURL http://cdn.malware.expert/malware.expert.ndb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.hdb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.ldb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.fp

#URLHaus Signatures
DatabaseCustomURL https://urlhaus.abuse.ch/downloads/urlhaus.ndb

Save the changes and exit.

Then we run freshclam once again, so that all those signature databases are fetched and integrated into ClamAV. (This might take a LONG while; please don’t interrupt the process.)

[root@srv ~] freshclam
Mon May 22 03:01:55 2023 -> ClamAV update process started at Mon May 22 03:01:55 2023
Mon May 22 03:01:55 2023 -> daily.cvd database is up-to-date (version: 26914, sigs: 2035072, f-level: 90, builder: raynman)
Mon May 22 03:01:55 2023 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Mon May 22 03:01:55 2023 -> bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
Mon May 22 03:02:08 2023 -> Testing database: '/var/db/clamav/tmp.7f534b3cc9/clamav-3c.tmp-securiteinfo.hdb'
Mon May 22 03:02:08 2023 -> Database test passed.
Mon May 22 03:02:08 2023 -> securiteinfo.hdb updated (version: custom database, sigs: 49086)
Mon May 22 03:02:09 2023 -> Testing database: '/var/db/clamav/tmp.7f534b3cc9/clamav-6b.tmp-securiteinfo.ign2'
Mon May 22 03:02:09 2023 -> Database test passed.
Mon May 22 03:02:09 2023 -> securiteinfo.ign2 updated (version: custom database, sigs: 180)
Mon May 22 03:02:33 2023 -> Testing database: '/var/db/clamav/tmp.7f534b3cc9/clamav-5c.tmp-javascript.ndb'
Mon May 22 03:02:33 2023 -> Database test passed.
Mon May 22 03:02:33 2023 -> javascript.ndb updated (version: custom database, sigs: 10596)
Mon May 22 03:02:41 2023 -> Testing database: '/var/db/clamav/tmp.7f534b3cc9/clamav-aac.tmp-spam_marketing.ndb'
Mon May 22 03:02:41 2023 -> Database test passed.
Mon May 22 03:02:41 2023 -> spam_marketing.ndb updated (version: custom database, sigs: 37629)
Mon May 22 03:02:50 2023 -> Testing database: '/var/db/clamav/tmp.7f534b3cc9/clamav-79ed.tmp-securiteinfohtml.hdb'
Mon May 22 03:02:50 2023 -> Database test passed.
Mon May 22 03:02:50 2023 -> securiteinfohtml.hdb updated (version: custom database, sigs: 30288)
Mon May 22 03:02:58 2023 -> Testing database: '/var/db/clamav/tmp.7f534b3cc9/clamav-d5c.tmp-securiteinfoascii.hdb'
Mon May 22 03:02:58 2023 -> Database test passed.
Mon May 22 03:02:58 2023 -> securiteinfoascii.hdb updated (version: custom database, sigs: 35139)
Mon May 22 03:03:07 2023 -> Testing database: '/var/db/clamav/tmp.7f534b3cc9/clamav-f40.tmp-securiteinfoandroid.hdb'
Mon May 22 03:03:07 2023 -> Database test passed.
Mon May 22 03:03:07 2023 -> securiteinfoandroid.hdb updated (version: custom database, sigs: 29615)
Mon May 22 03:19:55 2023 -> Testing database: '/var/db/clamav/tmp.49c01d39a6/clamav-bde.tmp-bofhland_malware_attach.hdb'
Mon May 22 03:19:55 2023 -> Database test passed.
Mon May 22 03:19:55 2023 -> bofhland_malware_attach.hdb updated (version: custom database, sigs: 1836)
Time: 0.5s, ETA: 0.0s [========================>] 130B/130B
Mon May 22 03:19:55 2023 -> Testing database: '/var/db/clamav/tmp.49c01d39a6/clamav-63f.tmp-malware.expert.ndb'
Mon May 22 03:19:55 2023 -> Database test passed.
Mon May 22 03:19:55 2023 -> malware.expert.ndb updated (version: custom database, sigs: 1)
Time: 0.1s, ETA: 0.0s [========================>] 73B/73B
Mon May 22 03:19:56 2023 -> Testing database: '/var/db/clamav/tmp.49c01d39a6/clamav-2c32d.tmp-malware.expert.hdb'
Mon May 22 03:19:56 2023 -> Database test passed.
Mon May 22 03:19:56 2023 -> malware.expert.hdb updated (version: custom database, sigs: 1)
Time: 0.1s, ETA: 0.0s [========================>] 246B/246B
Mon May 22 03:19:56 2023 -> Testing database: '/var/db/clamav/tmp.49c01d39a6/clamav-3e17d8bd4.tmp-malware.expert.ldb'
Mon May 22 03:19:56 2023 -> Database test passed.
Mon May 22 03:19:56 2023 -> malware.expert.ldb updated (version: custom database, sigs: 1)
Time: 0.1s, ETA: 0.0s [========================>] 73B/73B
Mon May 22 03:19:56 2023 -> Testing database: '/var/db/clamav/tmp.49c01d39a6/clamav-50a6471e.tmp-malware.expert.fp'
Mon May 22 03:19:56 2023 -> Database test passed.
Mon May 22 03:19:56 2023 -> malware.expert.fp updated (version: custom database, sigs: 1)
Time: 1.0s, ETA: 0.0s [========================>] 625.93KiB/625.93KiB
Mon May 22 03:19:57 2023 -> Testing database: '/var/db/clamav/tmp.49c01d39a6/clamav-1060ef.tmp-urlhaus.ndb'
Mon May 22 03:19:57 2023 -> Database test passed.
Mon May 22 03:19:57 2023 -> urlhaus.ndb updated (version: custom database, sigs: 6040)
Mon May 22 03:19:57 2023 -> Clamd successfully notified about the update.

As we see, there are now new signature database files downloaded and verified: securiteinfo.hdb, rfxn.ndb, rfxn.hdb, rfxn.yara, malware.expert.hdb and so on.
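A quick check that the custom databases really landed where ClamAV will load them. This is an added example, not part of the article: it reads the DatabaseCustomURL lines from freshclam.conf, looks for a file with each URL's basename in the database directory (where freshclam stores custom databases, as the log above shows), and counts signatures in the text-format databases. The paths given on the command line are assumptions; the defaults are the article's /usr/local/etc/freshclam.conf and /var/db/clamav.

```shell
#!/bin/sh
# check-custom-dbs.sh (added example, not from the article):
# verify that every DatabaseCustomURL in freshclam.conf has been
# downloaded into DatabaseDirectory, and report signature counts.
set -eu

# Print the basename of each (uncommented) DatabaseCustomURL in a freshclam.conf.
custom_db_names() {
    awk '$1 == "DatabaseCustomURL" { n = split($2, p, "/"); print p[n] }' "$1"
}

# Count signatures in a text-format database (hdb, ndb, ldb, ign2, fp):
# every non-empty line that is not a '#' comment is one signature.
# .cvd archives are compressed and are not counted here.
db_sig_count() {
    grep -v '^#' "$1" | grep -c . || :
}

# Print the custom databases missing (or empty) in the database directory.
# Returns 1 if anything is missing, 0 if all are present.
missing_custom_dbs() {
    conf="$1"
    dbdir="$2"
    missing=0
    for name in $(custom_db_names "$conf"); do
        if [ ! -s "$dbdir/$name" ]; then
            echo "$name"
            missing=1
        fi
    done
    return "$missing"
}

# Human-readable report: one line per custom database with its signature count.
report_custom_dbs() {
    conf="$1"
    dbdir="$2"
    for name in $(custom_db_names "$conf"); do
        if [ -s "$dbdir/$name" ]; then
            echo "$name: $(db_sig_count "$dbdir/$name") sigs"
        else
            echo "$name: MISSING"
        fi
    done
}

# Usage: check-custom-dbs.sh report [freshclam.conf] [dbdir]
case "${1:-}" in
    report) report_custom_dbs "${2:-/usr/local/etc/freshclam.conf}" "${3:-/var/db/clamav}" ;;
esac
```

Run it after freshclam finishes; a database that shows as MISSING was either rate-limited or failed its test and should be retried rather than assumed loaded.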

Finally, we scan our test folder again;

[root@srv ~] clamscan -oir -l /var/log/scanresult.log /root/testvir/
-------------------------------------------------------------------------------
/root/test/master.zip: {HEX}php.generic.malware.449.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/1/full-width.php: {HEX}php.generic.malware.449.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/1/ini.php: {HEX}php.generic.malware.447.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/1/wp-signup.php: {HEX}php.generic.malware.449.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/1/wso.php: Win.Trojan.Shell-67 FOUND
/root/test/php-malicious-sample-master/2/ajax.php: {HEX}php.base64.v23au.187.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/2/cache.php: {HEX}php.generic.malware.447.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/2/file.php: {HEX}php.generic.malware.447.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/2/general63.php: {HEX}php.generic.malware.447.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/2/help.php: {HEX}php.generic.malware.447.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/2/info45.php: {HEX}php.generic.malware.447.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/2/leftpanelsin.php: {HEX}php.generic.malware.449.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/2/mn.php: {HEX}php.generic.malware.449.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/2/model.php: {HEX}php.base64.v23au.187.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/2/proxy.php: {HEX}php.generic.malware.449.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/2/user99.php: {HEX}php.generic.malware.447.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/2/xqxi.php: {HEX}php.generic.malware.449.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/2/ykdizt.php: YARA.eval_post.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/4/accountakZi.php: Php.Trojan.Spambot-292 FOUND
/root/test/php-malicious-sample-master/4/attachment.php: {HEX}php.base64.inject.173.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/4/comments-popup.php: SecuriteInfo.com.JS.Includer-ANC.11393.32566.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/4/error.php: {HEX}php.cmdshell.Err0R.247.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/4/info.php: {HEX}php.cmdshell.generic.279.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/4/infos.php: {HEX}php.cmdshell.generic.279.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/4/xml.php: {HEX}php.cmdshell.generic.279.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/content.phtml: {HEX}php.gzbase64.inject.456.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/defines.php: start.php.suspected.sigs.InterServer.net.SHA256.4879.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/e2rtts.php: YARA.eval_post.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/index.phtml: {HEX}php.cmdshell.generic.279.UNOFFICIAL FOUND
/root/test/php-malicious-sample-master/utf.php: stats.php.suspected.sigs.InterServer.net.SHA256.170.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 12866929
Engine version: 1.0.1
Scanned directories: 6
Scanned files: 37
Infected files: 30
Data scanned: 0.93 MB
Data read: 0.95 MB (ratio 0.98:1)
Time: 51.048 sec (0 m 51 s)
Start Date: 2023:05:20 15:22:51
End Date: 2023:05:20 15:23:42

ClamAV now successfully detects 30 out of 37 files! Thus, we drastically improved the detection rate of ClamAV from 27% up to 81%, making it much more effective against malicious PHP files.

If you wish, you can run ClamAV as one of your cron jobs, performing daily or weekly periodic scans of all your websites (e.g. located in /usr/local/www/), and check the results in the scanresult.log file.

For such purpose, I created scan.sh file in my /root folder, containing just the following line;

/usr/local/bin/clamscan -oir -l /var/log/scanresult.log /usr/local/www/

Then run chmod +x scan.sh to make it executable. Finally, add it to the crontab with the crontab -e command, using the line;

@weekly /root/scan.sh

or

@daily /root/scan.sh

Your files will be scanned accordingly (your choice of time interval) and the results will be exported to /var/log/scanresult.log file. If you have a busy web server, I recommend scheduling your scanning for less busy hours. You can refer to https://crontab.guru site for cron timings.
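A slightly more cron-friendly version of the one-line scan.sh above, as an added example (not the author's script): it runs the same clamscan command against the article's /usr/local/www, writes a timestamped log, and only produces output (which cron mails to root) when clamscan reports infected files or fails, exiting non-zero so the job is visible as failed. The log directory and the clamscan exit code meanings (0 clean, 1 infected found, 2 error, per clamscan(1)) are assumptions stated in the comments.

```shell
#!/bin/sh
# scan-www.sh (added example, not the article's scan.sh):
# cron wrapper around "clamscan -oir -l <log> /usr/local/www/".
set -eu

WWW_ROOT="${WWW_ROOT:-/usr/local/www}"           # article's web root
LOG_DIR="${LOG_DIR:-/var/log/clamav}"             # assumed log directory
CLAMSCAN="${CLAMSCAN:-/usr/local/bin/clamscan}"   # FreeBSD clamav package path

# Read a clamscan report on stdin and print the "Infected files:" count (0 if absent).
infected_count() {
    awk '/^Infected files:/ { n = $3 } END { print n + 0 }'
}

# Read a clamscan report on stdin and print only "<path>: <signature> FOUND" lines.
found_lines() {
    grep ' FOUND$' || :
}

# Scan WWW_ROOT into a timestamped log. Returns 1 when something was found,
# 2 when clamscan itself failed, 0 (silently, so cron sends no mail) when clean.
run_scan() {
    mkdir -p "$LOG_DIR"
    log="$LOG_DIR/scanresult-$(date +%Y%m%d-%H%M%S).log"
    rc=0
    # Same switches as the article: -o skip OK files, -i print infected only,
    # -r recurse, -l write the report (FOUND lines plus summary) to the log.
    "$CLAMSCAN" -oir -l "$log" "$WWW_ROOT" >/dev/null 2>&1 || rc=$?
    # clamscan exit codes (clamscan(1)): 0 clean, 1 infected found, 2 error.
    if [ "$rc" -eq 2 ]; then
        echo "clamscan failed on $WWW_ROOT; see $log" >&2
        return 2
    fi
    n=$(infected_count < "$log")
    if [ "$n" -gt 0 ]; then
        echo "clamscan flagged $n file(s) under $WWW_ROOT (log: $log)"
        found_lines < "$log"
        return 1
    fi
    return 0
}

# Crontab line (crontab -e), assumed placement in /root:  @daily /root/scan-www.sh run
case "${1:-}" in
    run) run_scan ;;
esac
```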

And here we have come to the end of my article, I hope it was useful.
Till next time, folks.

Twitter: @ozgurkazancci
