Remove PHP Backdoor Trojan

TL;DR

A PHP backdoor is serious. This guide helps you find and remove it from your local machine to regain control and security.

1. Stop the Web Server Immediately

The first thing to do is prevent further damage. Stop Apache, Nginx, or whatever web server software you’re using. How you do this depends on your operating system:

  • Windows: Open Services (search for ‘Services’ in the Start menu). Find your web server (e.g., Apache2.4) and right-click > Stop.
  • Linux (systemd): Open a terminal and use sudo systemctl stop apache2 or sudo systemctl stop nginx (replace ‘apache2’/’nginx’ with your server name).

2. Back Up Your Website Files (Carefully!)

Before you start deleting anything, make a backup. Important: Don’t just copy the entire website folder. The backdoor will be copied too! Instead:

  • Copy only configuration files (e.g., wp-config.php for WordPress, settings.php for Drupal).
  • If you have a database, create a separate database backup using phpMyAdmin or your hosting control panel.

Store the backups on a different drive or computer – not on the infected machine.

3. Scan Your Files

You need to find the malicious code. Here are several methods:

a) Manual Inspection (Time-Consuming but Effective)

  1. Look for recently modified files: Use your file manager or a command line tool to sort files by modification date. Focus on PHP files (.php, .inc, etc.).
  2. Search for suspicious code: Open the most recently modified files in a text editor and look for:

    • Base64 encoded strings (often used to hide commands).
    • eval() function calls – these are very common in backdoors.
    • Unusual or unexpected functions like system(), exec(), shell_exec(), passthru().
    • Code that attempts to connect to external websites (the attacker’s server).
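To speed up the manual inspection above, here is an added example (not code from the original guide): a small Python scanner that walks a web root, keeps only PHP files modified in the last N days, and reports which of the listed indicators each one contains. The function names, the indicator patterns, and the sample files the demo builds in a temp directory are all constructed for this illustration.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Indicators from the inspection list: eval(), shell functions, base64 material, outbound connections.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "shell-exec": re.compile(r"\b(system|exec|shell_exec|passthru)\s*\("),
    "base64": re.compile(r"\bbase64_decode\s*\(|[A-Za-z0-9+/]{60,}={0,2}"),
    "remote-connect": re.compile(r"\b(curl_init|fsockopen|file_get_contents)\s*\(\s*['\"](https?|ssl)://"),
}
PHP_SUFFIXES = {".php", ".inc", ".phtml"}

def scan_php_file(path):
    """Return the indicator names found in one file (empty list = nothing flagged)."""
    try:
        text = Path(path).read_text(errors="replace")
    except OSError:          # unreadable file: report nothing rather than abort the scan
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_tree(root, days=7):
    """Map relative path -> indicators for PHP files under root modified within `days`, newest first."""
    cutoff = time.time() - days * 86400
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in PHP_SUFFIXES or p.stat().st_mtime < cutoff:
                continue
            if found := scan_php_file(p):
                hits.append((p.stat().st_mtime, p.relative_to(root).as_posix(), found))
    hits.sort(reverse=True)
    return {rel: found for _, rel, found in hits}

def demo():
    """Scan a constructed sample web root (not a real site) built in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "index.php").write_text('<?php echo "hello"; ?>\n')
    # Obfuscated eval() whose base64 payload is only: echo "hello";
    (root / "wp-content" / "uploads" / "cache.php").write_text(
        '<?php eval(base64_decode("ZWNobyAiaGVsbG8iOw==")); ?>\n')
    old = root / "old.php"                    # same indicator, but aged 30 days,
    old.write_text('<?php eval($x); ?>\n')    # so the recency filter skips it
    os.utime(old, (time.time() - 30 * 86400,) * 2)
    return scan_tree(root, days=7)
```

Run `scan_tree("/var/www/html", days=7)` against a real web root, then open each reported file in a text editor: a hit is a lead for manual review, not proof of compromise on its own.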

b) Using a Scanner

Several tools can help automate the process:

  • rkhunter (Linux): Install with sudo apt install rkhunter and run sudo rkhunter --checkall.
  • ClamAV (Cross-Platform): Install and scan your website directory.
  • Online scanners: Websites like VirusTotal can scan individual files or small archives, but be cautious about uploading sensitive data.

Example rkhunter output snippet:

    Found file /var/www/html/wp-content/plugins/some-plugin/malicious_file.php - possible backdoor!

4. Remove the Backdoor

Once you’ve identified the malicious files:

  1. Delete them: The safest option is to delete the infected files completely.
  2. If deletion isn’t possible (rare): Carefully edit the file and remove only the malicious code. This requires advanced knowledge and carries a risk of leaving remnants behind. Do not attempt this unless you are confident in your abilities.

5. Check Your Database

Backdoors can sometimes inject malicious code into your database.

  • Inspect tables: Use phpMyAdmin or a similar tool to examine the contents of your database tables, especially those related to posts, pages, and options.
  • Look for unusual entries: Search for suspicious scripts or encoded data within table fields.
  • Restore from backup (if clean): If you have a clean database backup created before the infection, restore it.

6. Update Everything

Outdated software is a major security risk.

  • Update your CMS: WordPress, Drupal, Joomla, etc., to the latest version.
  • Update plugins and themes: Remove any unused or outdated plugins/themes.
  • Update PHP: Use the latest stable version of PHP.
  • Update your operating system: Install all available security patches.

7. Change Passwords

The attacker may have stolen your passwords.

  • Change passwords for:
    • Your web server control panel.
    • Your database user accounts.
    • Your CMS administrator account.
    • Any FTP or SSH accounts.

8. Rebuild .htaccess (Apache)

Backdoors can modify your .htaccess file to redirect traffic or hide their presence.

Restore from a backup if you have one. Otherwise, create a new default .htaccess file for your CMS.

9. Monitor Your Website

Keep an eye on your website for any signs of reinfection or unusual activity.

  • Check server logs: Regularly review your web server access and error logs.
  • Use a security plugin: WordPress plugins like Wordfence or Sucuri Security can provide ongoing protection.