Tool to detect CallBacks.!

[weepaa]

Hello Guys, I need information, I recently find a good script, the installation work perfect, but I don't know if this script have callbacks, how can tell me any online tool or software to detect callbacks? Really I need some help with that, thanks in advances any information! :)

[Old_man]

One method:
- install on localhost using WAMP Developer for example (or any other Apache, MySQL and PHP distribution)
- install something like Microsoft Network Monitor (or any other traffic monitoring tool)
- start monitoring and after that call your site.
- analyze traffic.

This work for Windows.

P.S. Or put your script somewhere to analyze.

[dopeshow]

There's not a fully automated tool, since there are just too many ways to perform a callback and it can be hidden within functions, javascript, obfuscated code, etc.

The best way I've found so far is to look for:

curl
fsockopen
fopen
img src
iframe src
frame src
javascript urls
a href

Those are the most common ways to perform callbacks, however you have to look into each tag or function manually, since a curl call can be used to perform a lot of tasks and one of those can be the callback, however if you remove the entire curl code you can find issues with some script functions that rely on it.

[Smarac]

Cool didnt try to monitor the traffic,shall try it out.

Sometimes i use these 2 sites to try decode jibberish code in php files:
http://ottodestruct.com/decoder.php
http://www.motobit.com/util/base64-decoder-encoder.asp

[weepaa]

thanks for the tips guys, I test the script with Httpanalyzer V7 in front index just call style.css and the some image png, but in back in admin panel call some .js like main.js json.js and style.css

Really appreciate guys.!

[CyberPunk]

(05-10-2014 09:06 AM)weepaa Wrote:  thanks for the tips guys, I test the script with Httpanalyzer V7 in front index just call style.css and the some image png, but in back in admin panel call some .js like main.js json.js and style.css

Really appreciate guys.!

It is perfectly normal for a script to call some external URLs. When you use the public CDN by jQuery or Microsoft, or anywhere else, those will all show in any packet sniffing you do. I dunno how much you know about HTML and website coding..

jQuery is a pre-set library for javascript functions/features, its a framework for javascript. It allows a lot more capabilities, simpler ways to do stuff, faster dev times, and many other benefits of why it is so common on almost every site. So jQuery has a CDN, they host the jquery javascript file that the world can use, and its on cloud servers (most CDNs are) so its always on always fast. So it's actually better to use the remote jquery library hosted by them or google, than to host it yourself. I could go on.. but thats just 1 example, in case anyone reading this wants to know. Maybe some people just learned something from it..

I personally would fix the images loading from a 3rd party. So look at the urls and find them. Save the file, put it on your site. I wouldnt copy anything that doesnt load, or is a broken image, or is a php/js extension (you can use them as images too;) ). Just make sure they are real pics, and keep an eye out for anything that looks weird because an image could be used as a callback in some cases.

I found a site/blog thats fairly popular that posts nulled stuff, they put backdoors in them. In the bottom of the page, it adds what "looks" like its trying to look like an image, but its really a backdoor. With a special command added to the end of the URL, their backdoor would run so they could upload files or execute commands on the server. So don't overlook images..

[CyberPunk]

As for a tool... you could write a php script and place it in the root directory of your site.. or if you know how to SSH to the server you could code one in perl, C, python, or any language of choice. You would have to create a series of search strings, and think of variants that could be used, and be creative.. However, where your going to run into problems is there are tons of ways to scramble the actual code.. They could base64 encode it.. Then you have like base64_encode(str_rev($blah.$hah.$omfg.$imso.$cool)).. It could be converted to hex.. So it would take some investment on your part to think up every possible scenario.. or it could be obfuscated, or Zend or Ioncube encoded..

Why does this matter? I have seen many commerical software either fully protected, or at least any license checking/call home type stuff. So in any of those, your checking for "curl" and "fsockopen" will be useless. Then you have nulled scripts shared on the internet that has a backdoor allowing them access to your site. You know they are going to try to hide it some way and make it not readable... So finding a hackers backdoor is still tough.

Honestly, it isn't worth creating any software/script to handle this. Unless you want to actually make it a large project because your a developer and programmer. So if your not going to do that, then leave it up to the tools that already exist.

There is RootkitHunter and a few others. They run on linux, and you SSH to your server as root, and run them like any other linux program. If you have no clue about how to do it, usually your webhost will run it for you. You can ask them to do a backdoor scan on your server. Usually most hosts use RootkitHunter, but you can request them to use it. If they have something they think is better, then they will probably tell you they will use "xxxx". Maybe they would run both.. As long as you don't make it a habbit of doing it all the time, most places will do it for free (because its their server too! lol).

Anyways, run RootKit hunter or something like it to check for backdoors/viruses inside your websites and scripts you download. You can also try scanning them with an antivirus, like Avast, Bitdefender, AVG, and any other that is actually good lol. I personally use Avast. Then try NoVirusThanks and VirusTotal, they are an online scan service. They scan the file with a dozen antiviruses and show you the report..

If it passes all that, just give it a once over with Notepad++. Inspect header/index/body/default/main/config/footer php files.. Anything that would be on almost every page load, or is common. I don't expect you to look through every single file, but at least to a quick scan focusing on most common places one will try to put a backdoor.

If it passes all that, then it is probably clean.. However, honestly I rarely do more than a quick can. If my AV doesn't flag it when I download it, I give it a quick look at the code, view the source code on the page itself.. The rest of the stuff is if it came from a shady source but was the only only copy I could find, so I was desperate lol.

Lastly, running it on your PC using wamp, you can use a packet sniffer to see if theres any remote calls going on. Notice, this will not protect you from someone having a backdoor in the code.. A backdoor in the code, they could just put say "?a=shell" on the end of any URL on your site, or a specific page, and boom up comes a shell to hack you with.. Packet sniffing wont find that because the code doest call anything. But you could find call homes for license checks, hidden pixels, etc using a packet sniffer on your PC.

As for packet sniffers, there is Fiddler, WireShark, Commview, and a few other good ones. There may even be some chrome/firefox plugin/extension that can do it. I know there is one for debugging when using an IDE to program (like aptana studio, Netbeans, etc).


Hope that helps someone.

[weepaa]

Awesome cyberpunk, thanks a lot my friend :)