How I use MiniALA to find a web shell backdoor on my host

I’m using a shared hosting service provided by Bluehost and have many websites on this account. Last month, November, my brother wrote me that he was receiving a lot of traffic to his website although he hadn’t updated anything. He worried that a web shell backdoor might have been injected into his website because he used some nulled plugins and templates (my bro, please don’t use nulled components anymore; buy commercial components or use free ones instead). If his website was attacked, my blog would also be a target because we use the same account for both websites. I decided to make a short analysis of the Apache Access Log (AAL) to check whether a web shell backdoor was installed on my shared hosting.

All I want to do is open the AAL file, use regex to filter out the “safe” entries, and make the list shorter and shorter until only suspicious links are left. I searched the internet for a magical tool to do this task and found many variants of AAL analysis tools. But! To my surprise, there is no simple tool for that simple task. All of them are big, heavy things.

I asked my friends for advice and they introduced me to some commercial software costing about a thousand dollars and, of course, coming with many heavy features. The most interesting suggestion I got was to use Elasticsearch with Logstash and Kibana on Ubuntu to analyze the log file. In fact, I was really excited when I started with this solution, but I gave up after 4 hours of trying to get the software installed and working together. It’s too complicated. I just need a small UI tool with regex options.

I had no choice: I had to write my own tool. Yes, it’s not a big, heavy log analyzer. Yes, it can’t even handle huge log files. Yes, it doesn’t give me any chart view of statistical data, but it does its job. It gives me the ability to use regex to filter out the “safe” entries so that I can focus on only dozens of suspicious entries instead of millions of them. In this blog post, I would like to introduce how this mini tool works.

1. How to use

1.1 Sample log file

I use my AAL file of November for demonstration. You can download it from the following link: http://hintdesk.com/Web/Blog/201512/apache.access.log.zip

1.2 Use MiniALA to load log file

Now you have a mini Apache Access Log file. Let’s run the MiniALA tool and click on the Browse button in the LOG section.

[Screenshot: Browse to log file]

Browse to the AAL file and load it; all entries are then loaded into memory for later filtering (which is why the tool is not suitable for analyzing huge files: RAM is the limit). During loading, the upper right corner shows what percentage of the log file the tool has read so far.

[Screenshot: Loading progress]

When the log file is completely loaded, all entries are shown in the main grid. The number of entries is also updated in the upper right corner.

[Screenshot: Load completed]

1.3 Show me PHP files only

As far as I know (it may not be correct; correct me if I’m wrong), a web shell backdoor on a Linux system is usually a .php file. So to find a web shell backdoor, I look for URLs with .php in them. In the tool, go to the Filter section and click on the Browse button. Browse to the installation folder of MiniALA, find the FilterTemplates folder and load the IncludePhpFiles.miniala file.

[Screenshot: Browse filter]

[Screenshot: IncludePhpFiles.miniala]

Wait a few seconds while the tool applies the predefined filter. When it finishes, the list is shortened from 192408 entries to only 4582. That means we just got rid of more than 180,000 entries which should be safe.

[Screenshot: PHP Urls]

So how does it really work? Just open the IncludePhpFiles.miniala file in a text editor and you’ll see a very simple filter definition in JSON format.

{
	"Filters" : [{
			"Expression" : "Regex.IsMatch({0},\"{1}\")",
			"Property" : "Url",
			"Value" : ".*\\.(?:php)"
		}
	]
}

The Expression is evaluated at run time to a true/false value. {0} is a placeholder for the Property and {1} is a placeholder for the Value. The filter above just says: return true when the Url matches the regex .*\.(?:php), i.e. when it contains .php. So all entries whose URL contains .php stay on the list; the others fly out of our list of concerned links.

1.4 Filter out links of WordPress

My brother uses WordPress for his website and it has run without any problem until now. When you look at the result after applying the .php filter, you’ll see that the first entry has the Url /xmlrpc.php, which is a .php file of WordPress.

[Screenshot: IncludePhpFiles.miniala]

So I can define another filter to filter out the “safe” links of WordPress. Link by link, I go through the list, check whether the link is safe, and exclude it in the filter definition (also in JSON, in the same format as above). At the end, I have a predefined filter for WordPress which can be applied any time I have to analyze the log file of a WordPress website. You can also use this predefined filter: in the Filter section, click on Browse again and select ExcludeWordpress.miniala.

[Screenshot: After WordPress filter]

Now you should have only 201 entries left in the list. That’s great, isn’t it? There are only 200 entries left to analyze. But remember to check a predefined filter before you apply it. You should make sure that the files excluded by the filter are not infected. Although I try to keep the exclude patterns as good as possible, double check them anyway.

1.5 Filter out not found URL

After filtering out all the “safe” links of WordPress, the first entry in the list now looks very suspicious. It’s a .php file from a theme, but hold on: the response code is 404, which means the file doesn’t exist at all.

[Screenshot: Error code 404]

Someone tried to call this file but it’s not available on the server. So we can think about a filter on the HTTP response code which excludes all “safe” entries with the appropriate codes. I also prepared a predefined filter for this one. Let’s use the “ExcludeHttpErrorCode.miniala” template; it filters out all entries with HTTP response code 404, 301 or 500.

1.6 Exclude all entries of media files

Now you have only 94 entries left. It’s really amazing: from more than 190,000 there are only 94 entries left. You should now have a really good overview of the suspicious links, but if you look further, there are still some safe links to media files.

[Screenshot: Media files]

A direct link to a media file can’t be a web shell backdoor. So we can exclude all links of these media types from our result. This time let’s use the predefined ExcludeMediaUrls.miniala filter to get rid of all media links.

1.7 Manually exclude

After applying the predefined filters, there are only 76 entries left and they look really “harmful”. Now I have to examine each link to check whether it really leads to a web shell backdoor. When I’m sure that a link is not harmful, I can manually exclude it by clicking on the cell of the property I want to exclude and choosing Exclude.

[Screenshot: Manually exclude]

So keep checking link by link, and at the end we can be sure that our website is safe and no web shell backdoor exists.
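To show how the JSON filter definition explained in 1.3 and the narrowing steps of 1.3 to 1.7 fit together, here is an added Python example. It is not MiniALA’s own code (MiniALA is a .NET tool); it parses Apache combined-format lines into named properties, evaluates .miniala-style JSON filters by matching the expression text instead of executing it as code, and chains four templates over a constructed sample log. Everything beyond the post is an assumption made for this example: the property names other than Url (StatusCode, Method, Ip and so on), a leading “!” as the convention for exclude expressions, the contents of the three exclude templates, the rule that an entry survives a filter file only if every filter entry in it returns true, and the sample log lines themselves.

```python
"""Added example (not MiniALA's own code): an Apache access-log filter chain
that mirrors the .miniala JSON filters described in the post."""
import json
import re

# Apache "combined" log format. Property names other than "Url" (the only
# one the post shows) are assumptions made for this example.
LINE_RE = re.compile(
    r'(?P<Ip>\S+) \S+ \S+ \[(?P<Time>[^\]]+)\] '
    r'"(?P<Method>\S+) (?P<Url>\S+)(?: (?P<Protocol>[^"]*))?" '
    r'(?P<StatusCode>\d{3}) (?P<Size>\S+)'
    r'(?: "(?P<Referer>[^"]*)" "(?P<UserAgent>[^"]*)")?'
)

# Only the expression form shown in the post is accepted, optionally negated
# with a leading "!" (assumed convention for the exclude templates). The
# expression text is matched, never evaluated as code.
EXPR_RE = re.compile(r'^(?P<neg>!?)Regex\.IsMatch\(\{0\},"\{1\}"\)$')


def parse_line(line):
    """Split one log line into named properties; None for unparseable lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def compile_filter(spec):
    """Turn one {Expression, Property, Value} entry into a keep(entry) predicate."""
    m = EXPR_RE.match(spec["Expression"])
    if not m:
        raise ValueError("unsupported expression: " + spec["Expression"])
    negate = m.group("neg") == "!"
    pattern = re.compile(spec["Value"])   # {1}: the regex
    prop = spec["Property"]               # {0}: the property it is tested against

    def keep(entry):
        # .NET Regex.IsMatch matches anywhere in the string, like re.search
        matched = pattern.search(entry.get(prop) or "") is not None
        return matched != negate

    return keep


def apply_filter_file(entries, filter_json):
    """Keep an entry only if every filter entry in the file says so (assumed semantics)."""
    keeps = [compile_filter(f) for f in json.loads(filter_json)["Filters"]]
    return [e for e in entries if all(k(e) for k in keeps)]


def manual_exclude(entries, prop, value):
    """The Exclude cell action from 1.7: drop entries whose property equals value."""
    return [e for e in entries if e.get(prop) != value]


def run_pipeline(lines, templates):
    """Apply the templates in order; return surviving entries and the count after each step."""
    entries = [e for e in map(parse_line, lines) if e]
    counts = [("loaded", len(entries))]
    for name, filter_json in templates:
        entries = apply_filter_file(entries, filter_json)
        counts.append((name, len(entries)))
    return entries, counts


# Filter templates. The first is the post's IncludePhpFiles.miniala verbatim;
# the other three are constructed stand-ins for the exclude templates.
TEMPLATES = [
    ("IncludePhpFiles", r'{"Filters": [{"Expression": "Regex.IsMatch({0},\"{1}\")", '
                        r'"Property": "Url", "Value": ".*\\.(?:php)"}]}'),
    ("ExcludeWordpress", r'{"Filters": [{"Expression": "!Regex.IsMatch({0},\"{1}\")", '
                         r'"Property": "Url", "Value": "^/(?:xmlrpc|wp-login|wp-cron)\\.php"}]}'),
    ("ExcludeHttpErrorCode", r'{"Filters": [{"Expression": "!Regex.IsMatch({0},\"{1}\")", '
                             r'"Property": "StatusCode", "Value": "^(?:404|301|500)$"}]}'),
    ("ExcludeMediaUrls", r'{"Filters": [{"Expression": "!Regex.IsMatch({0},\"{1}\")", '
                         r'"Property": "Url", "Value": "\\.(?:jpe?g|png|gif|css|js)(?:\\?|$)"}]}'),
]

# Constructed sample log lines (RFC 5737 test addresses), one per filter outcome.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Nov/2015:10:00:01 +0100] "GET /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Nov/2015:10:00:02 +0100] "GET /wp-content/themes/mytheme/style.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [01/Nov/2015:10:00:03 +0100] "GET /wp-content/themes/mytheme/missing.php HTTP/1.1" 404 210 "-" "curl/7.47.0"',
    '192.0.2.12 - - [01/Nov/2015:10:00:04 +0100] "GET /index.php/images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.6 - - [01/Nov/2015:10:00:05 +0100] "POST /wp-content/uploads/2015/11/cache.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '192.0.2.13 - - [01/Nov/2015:10:00:06 +0100] "GET /wp-login.php HTTP/1.1" 200 2800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    remaining, counts = run_pipeline(SAMPLE_LOG, TEMPLATES)
    for name, n in counts:
        print(f"{name:>22}: {n} entries left")
    for e in remaining:   # what is left over is what you inspect by hand
        print(e["Method"], e["Url"], e["StatusCode"], e["Ip"])
```

Running it prints the count after each template (6, 5, 3, 2, 1 for the constructed lines) and leaves one entry, a POST to a .php file under wp-content/uploads, which is exactly the kind of line you would then inspect by hand and, once cleared, remove with manual_exclude. The exclude templates only make the list shorter; as the post says about its own templates, read each pattern before applying it and make sure the files it removes are really the ones you expect.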

2. Other features

During my analysis, I realized that sometimes I would like to delete a filter entry from the current filter. So I added an Edit button to the Filter section; with this function you can directly
– edit a filter entry in the UI by clicking on the cell and editing its value, and
– delete an entry by selecting it and pressing the Delete key.

[Screenshot: Edit filter]

The Save function of the Filter section allows you to save the current filter to a file for later use. The entries currently shown in the grid can also be exported in CSV or AAL format.
For example, you are analyzing a really big log file with MiniALA. You have created and applied some custom filters and have already shortened your list from millions to some hundred thousand entries, but you have to pause and would like to continue your work later. Then save your current filter (with the Save function) and export the current entries in AAL format (not CSV). Later you can load the exported AAL log file and your saved filter and continue your work.

3. Source code

I like this mini tool a lot because it helps me analyze AAL files to find out whether a web shell backdoor is installed on my shared hosting. If you like it, you can get its source code and binary from the following links.

Prerequisites: .NET Framework 4.5
Binary: MiniALA
Source: MiniALA Source
