Weevely v0.3, The Tiny PHP Backdoor newly released with BackBox
This software is a proof of concept of an unobtrusive PHP backdoor that simulates a complete telnet-like connection, hides data in HTTP referers and uses a dynamic probe of system-like functions to bypass PHP security restrictions.
Weevely is now a tool of BackBox Linux, a lightweight, flexible penetration testing distribution.
It generates PHP code to trojanize a web server, and acts like a telnet client to execute commands or inject additional functions on the backdoored server.
Coded requests
Communication between the backdoor server and the client is done via normal HTTP requests, with a plausible fake HTTP_REFERER header field that contains coded commands, in order to hide the traffic from NIDS monitoring and from HTTP log file review.
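From the defender's side, the hiding place described above is also the place to look. The following is an added example, not part of Weevely or of the original article: it scans Apache combined-format access log lines (constructed here) for requests to PHP scripts whose Referer carries a long, high-entropy token instead of a plausible URL. The page does not describe the exact encoding Weevely uses, so the token shape and the entropy threshold are assumptions of this example, not facts about the tool.

```python
import math
import re
from urllib.parse import urlsplit

# Constructed Apache combined-format log lines (not real traffic).
# Line 2 carries a 32-character token of all-distinct characters in the
# Referer path, a stand-in for encoded data; its entropy is exactly 5.0 bits.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2011:10:00:01 +0100] "GET /index.php HTTP/1.1" 200 512 "http://www.google.com/search?q=weevely" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2011:10:00:02 +0100] "GET /images/logo.php HTTP/1.1" 200 88 "http://www.example.org/c0Ax9Ru2Lz8Ykb3Dq7Wn5Pj4Tf6Vh1Me/" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2011:10:00:03 +0100] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Request line, status, size, Referer and User-Agent fields of the combined format.
LOG_RE = re.compile(r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
# Assumed token shape: a run of 24+ URL-safe/base64-like characters.
TOKEN_RE = re.compile(r'[A-Za-z0-9+/=_-]{24,}')

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def suspicious_referer(referer: str, min_entropy: float = 4.0) -> bool:
    """Heuristic: the Referer path or query holds a long, high-entropy token.

    Ordinary referers (search pages, site navigation) have short, low-entropy
    path segments; encoded payloads tend not to. The threshold is an assumption.
    """
    if referer in ("", "-"):
        return False
    parts = urlsplit(referer)
    haystack = parts.path + "?" + parts.query
    return any(shannon_entropy(m.group(0)) >= min_entropy for m in TOKEN_RE.finditer(haystack))

def scan_log(text: str) -> list:
    """Return (request line, referer) pairs for PHP requests with a suspicious Referer."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        fields = m.group("request").split(" ")
        target = fields[1] if len(fields) > 1 else ""
        if target.endswith(".php") and suspicious_referer(m.group("referer")):
            hits.append((m.group("request"), m.group("referer")))
    return hits

if __name__ == "__main__":
    for request, referer in scan_log(SAMPLE_LOG):
        print(f"suspicious: {request} <- {referer}")
```

Tune the token length and entropy threshold against a baseline of the site's own legitimate referers before alerting on the output.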
PHP security bypass
The program tries to bypass PHP configurations that disable sensitive functions able to execute external programs, set with the disable_functions option in php.ini. Weevely tries different system functions (system(), passthru(), popen(), exec(), proc_open(), shell_exec(), pcntl_exec(), perl->system(), python_eval()) to find out which ones are enabled on the remote server and use them.
Tiny server
The backdoor server code is small and easily hidden in other PHP files. The core is dynamically encrypted, aiming to bypass pattern matching controls.
Modularity
It is simple to extend the backdoor server's features with modules, injecting PHP code through the backdoor to implement new functionality on the remote server. Coding and loading new modules is really easy. Current additional modules are: check safe mode, read file, download file on remote server, search writable path.
This article on http://disse.cting.org/, written in Italian, explains how Weevely works. Here is the English translation.
The PHP remote backdoor does not require additional libraries and is really portable. Do not use this program on third-party servers.
Download the latest available version, Weevely 0.3