Backdoors

Website backdoors are stealthy mechanisms designed to bypass normal authentication to allow attackers persistent access to a website’s backend, long after the initial breach. This continued access facilitates repeated infections, even if the original malware is cleared. Detecting backdoors poses a significant challenge due to their diverse formats and the variety of specific tasks they are programmed to perform within a compromised website or server environment.

Backdoor types:

  • Remote Code Execution (RCE) Backdoors: Distinct from vulnerabilities that enable remote code execution, RCE backdoors permit attackers to run commands on the infected environment. These commands often come embedded in innocuous-looking GET/POST parameters or COOKIE values, making the backdoors incredibly succinct—sometimes less than 100 bytes—and difficult to spot within legitimate files. Their simplicity and efficacy make them favored tools among attackers, enabling unauthorized activity without the website owner’s knowledge.
  • Uploader: This type of backdoor enables attackers to upload harmful files directly to the website’s filesystem (provided they have the correct parameters, paths, or credentials).
  • Web shell: Malicious web shells typically include functionalities that give attackers a comprehensive overview of the compromised environment, such as server operating system details, PHP versions, and active services. Once installed, a web shell can facilitate database connections, data manipulation, PHP code execution, port scanning, file management, and other malicious activities.
  • CMS-specific backdoors: These backdoors are tailored to a particular CMS environment. They usually come as fake extensions or injections that either create malicious admin users or give attackers unauthenticated access to the admin dashboard. Most of them target WordPress, but Joomla has its own CMS-specific backdoors as well.
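As an added example (not part of the report), a small Python scanner that turns the RCE-backdoor description above into detection heuristics: it flags PHP source lines where a code- or command-execution sink is fed directly from GET/POST/COOKIE data, where a sink evaluates a long encoded literal, or where request data is called as a function name. The rule set and the two sample PHP files are constructed for illustration.

```python
import re
from typing import List, NamedTuple

class Finding(NamedTuple):
    line: int      # 1-based line number in the scanned file
    rule: str      # which heuristic fired
    snippet: str   # the offending source line, stripped

# Functions that execute PHP code or shell commands.
SINKS = r"(?:eval|assert|create_function|system|exec|shell_exec|passthru|popen|proc_open)"
# Request sources the text names (GET/POST parameters, COOKIE values); $_REQUEST merges them.
SOURCES = r"\$_(?:GET|POST|COOKIE|REQUEST)\b"
# Decoders often wrapped around the source so the payload never appears in plain text.
DECODERS = r"(?:base64_decode|str_rot13|gzinflate|gzuncompress|strrev|hex2bin|urldecode)"

# Rule 1: a sink whose argument is a request source, optionally wrapped in decoders,
# with PHP's error-suppression '@' optionally in front of any call.
SINK_FED_BY_REQUEST = re.compile(
    rf"@?\b{SINKS}\s*\(\s*(?:@?{DECODERS}\s*\(\s*)*@?{SOURCES}", re.I)
# Rule 2: a sink decoding a long opaque literal (the usual shape of an encoded dropper).
SINK_OF_ENCODED_BLOB = re.compile(
    rf"\b{SINKS}\s*\(\s*(?:{DECODERS}\s*\(\s*)+['\"][A-Za-z0-9+/=]{{40,}}['\"]", re.I)
# Rule 3: request data used directly as a function name, e.g. $_GET['f'](...).
VARIABLE_FUNCTION_FROM_REQUEST = re.compile(rf"{SOURCES}\s*\[[^\]]*\]\s*\(", re.I)

RULES = [
    ("sink_fed_by_request", SINK_FED_BY_REQUEST),
    ("sink_of_encoded_blob", SINK_OF_ENCODED_BLOB),
    ("variable_function_from_request", VARIABLE_FUNCTION_FROM_REQUEST),
]

def scan_php(source: str) -> List[Finding]:
    """Return one Finding per (line, rule) match; an empty list means nothing fired."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(lineno, name, line.strip()))
    return findings

# Constructed samples: a legitimate file that reads a request parameter safely,
# and a file carrying a sub-100-byte RCE backdoor of the kind the text describes.
BENIGN_PHP = """<?php
$q = isset($_GET['q']) ? $_GET['q'] : '';
echo '<p>' . htmlspecialchars($q, ENT_QUOTES) . '</p>';
"""
SUSPICIOUS_PHP = """<?php
/* theme helper */
@eval(base64_decode($_COOKIE['k']));
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_PHP), ("suspicious", SUSPICIOUS_PHP)):
        print(label, scan_php(src))
```

Regex heuristics like these catch the compact shapes; a production scanner would also normalise whitespace and string concatenation and compare files against known-good checksums, since diverse formats are exactly what makes backdoor detection hard.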

According to Sucuri's report, in 2023, 49.21% of compromised websites were discovered to contain at least one backdoor at the time of infection.