Ani-Shell, just another black-hat shell in PHP

Quoting the project’s home page:

Ani-Shell is a simple PHP shell with some unique features like Mass Mailer, a simple Web-Server Fuzzer, a DDoser etc! This shell has immense capabilities and has been written with some coding standards in mind for better editing and customization

What does it do?

The feature list is quite large, and Ani-Shell is platform independent:

  1. Shell / Bind Shell
  2. Mass Mailer
  3. Small Web-Server Fuzzer
  4. DDoser
  5. Mass Code Injector (Appender and Overwriter)
  6. Mail Bomber (With Less Spam detection feature)
  7. File manager (delete/rename/view)
  8. PHP Evaluator
  9. etc…

Does it work?

It depends. Ani-Shell relies on the standard set of program-execution functions: exec(), shell_exec(), system(), popen(), passthru(), and proc_open(). Most (secure) servers should have these disabled by default, in which case the shell only gets back:

Warning: shell_exec() has been disabled for security reasons

In that case a malicious user is limited to PHP's own functionality, such as unlink() (and even that can in some cases be hindered by safe_mode or UID/GID restrictions). That is still enough to run a UDP-based DoS attack or bomb someone's e-mail account.

Why not to use it?

The Ani-Shell application can be used as a hacking tool. The most blatant hacks can be prosecuted under theft, fraud, destruction of property, forgery and even counterfeiting laws. In the U.S., sentences range from a $5,000 fine for one instance of unauthorized access to twenty years in prison for multiple offenses involving multiple victims and damage greater than $1 million.

Can it be detected?

Well, if you're a server admin, you can analyze incoming GET/POST requests and look for the Ani-Shell payload. This is, however, a somewhat complicated operation, because Ani-Shell uses generic names for its input parameters, which can raise false alarms for other software hosted on the compromised server.

The only option is to create a filter that scans the PHP file before the PHP parser executes it.
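As an added example (not part of the original post, and not Ani-Shell's own code), here is a minimal pre-execution filter of that kind written in Python. It flags the execution and evaluation functions the post names, plus the decode-then-eval idiom that PHP shells commonly use, and reports the lines an admin should review. The function names, regular expressions and the two sample PHP files are my own constructions.

```python
"""Static pre-execution filter for PHP files (added example, not from the post).

Flags the program-execution and evaluation primitives the post lists so a
file can be quarantined before the PHP parser ever runs it. All names and
samples below are constructed for the demonstration.
"""
import re
from pathlib import Path

# Functions the post lists as the shell's execution primitives, plus eval(),
# which its "PHP Evaluator" feature needs.
DANGEROUS_FUNCTIONS = (
    "exec", "shell_exec", "system", "passthru", "popen", "proc_open", "eval",
)

# A call: the bare function name, optional whitespace, then "(".
# The lookbehind avoids matching e.g. "my_exec(" or a variable function "$exec(".
_CALL_RE = re.compile(
    r"(?<![\w$])(" + "|".join(DANGEROUS_FUNCTIONS) + r")\s*\(",
    re.IGNORECASE,
)

# Common webshell obfuscation: decode a blob, then evaluate it.
_OBFUSCATION_RE = re.compile(
    r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE
)


def scan_php_source(source: str) -> dict:
    """Return a report of suspicious constructs found in PHP source text."""
    calls = sorted({m.group(1).lower() for m in _CALL_RE.finditer(source)})
    decoders = sorted({m.group(1).lower() for m in _OBFUSCATION_RE.finditer(source)})
    # 1-based line numbers where something was flagged, for the admin's review.
    lines = [
        i for i, line in enumerate(source.splitlines(), start=1)
        if _CALL_RE.search(line) or _OBFUSCATION_RE.search(line)
    ]
    return {
        "dangerous_calls": calls,
        "decoders": decoders,
        "lines": lines,
        "suspicious": bool(calls or decoders),
    }


def scan_path(path: Path) -> dict:
    """Scan one file on disk; errors="replace" keeps binary junk from aborting the scan."""
    return scan_php_source(path.read_text(encoding="utf-8", errors="replace"))


# Constructed samples: a benign page and an upload that behaves like a shell.
BENIGN = """<?php
echo "Hello, " . htmlspecialchars($_GET['name'] ?? 'world');
"""

SHELL_LIKE = """<?php
// constructed sample mimicking the command dispatch of a generic PHP shell
$cmd = $_POST['cmd'];
if (function_exists('shell_exec')) { echo shell_exec($cmd); }
else { passthru($cmd); }
eval(base64_decode($_POST['code']));
"""

if __name__ == "__main__":
    for name, src in (("benign.php", BENIGN), ("upload.php", SHELL_LIKE)):
        report = scan_php_source(src)
        verdict = "QUARANTINE" if report["suspicious"] else "ok"
        print(f"{name}: {verdict} {report}")
```

A regex scan like this is deliberately crude: it will miss heavily obfuscated code and will flag legitimate administration scripts that genuinely call exec(), so treat a hit as a review queue entry rather than proof of compromise, and run it on upload and on a schedule over the web root.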

How to secure your server?

  1. Disable the program-execution functions exec(), shell_exec(), system(), passthru(), popen(), and proc_open() in the php.ini file.
  2. Double-check your SELinux configuration.
  3. Use the noexec flag when mounting file systems that hold web accounts.
  4. Use unprivileged user accounts to execute PHP scripts (CGI, FastCGI, etc.).
  5. Double-check file permissions; use chattr +i when necessary.
  6. Configure the server firewall accordingly (to block outgoing DoS attempts).
  7. Read server logs regularly.
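Step 1 is what neutralizes the execution functions discussed under "Does it work?". As an added example (not from the post or the project), the following Python audit parses a php.ini text and reports which of those functions are still callable, so the hardening can be verified rather than assumed. The two php.ini fragments (one weak, one hardened) are constructed, and the helper names are my own; the directive itself, disable_functions, is PHP's real setting.

```python
"""Audit php.ini disable_functions against the functions the post names.

Added example, not part of the original post. The ini fragments are
constructed; the function list comes from step 1 of the hardening list.
"""
import re

# Execution primitives the post says the shell relies on.
REQUIRED_DISABLED = frozenset({
    "exec", "shell_exec", "system", "passthru", "popen", "proc_open",
})


def parse_disable_functions(ini_text: str) -> set[str]:
    """Return the set of function names a php.ini text disables.

    Follows the ini rules that matter here: ';' starts a comment, the last
    uncommented 'disable_functions =' assignment wins, the value is a
    comma-separated list, and PHP function names are case-insensitive.
    """
    disabled: set[str] = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(r"disable_functions\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip().strip('"')
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def audit(ini_text: str) -> list[str]:
    """Return the required functions that are still callable, sorted."""
    return sorted(REQUIRED_DISABLED - parse_disable_functions(ini_text))


# Constructed php.ini fragments: the stock-style empty setting and a hardened one.
WEAK_INI = """[PHP]
; constructed: an empty directive disables nothing
disable_functions =
"""

HARDENED_INI = """[PHP]
; constructed: every execution function from the post's list
disable_functions = exec,shell_exec,system,passthru,popen,proc_open
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        missing = audit(ini)
        status = "OK" if not missing else "still enabled: " + ", ".join(missing)
        print(f"{label}: {status}")
```

Feed it the php.ini that the web SAPI (mod_php, PHP-FPM, CGI) actually loads, which is often a different file from the one the command-line php binary reads; an audit of the wrong file gives a false sense of safety.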
