If you find a site with a file inclusion or upload vulnerability that lets you upload a web shell, and then you have a web shell on it and there are some files or directories where you have rwx permissions, could you somehow turn that web server into a bot for a botnet? I have heard of IRC bots like EggDrop or Tsunami (old, I know), but I wonder if there is something web or PHP-based that could do something similar. After all, if you have a web shell on a site, that means it's running PHP.
Just curious for research purposes, not anything malicious. The only way to learn how to secure stuff is to learn how it gets pwned.
Name:
Honey Pot 2018-09-05 20:53
It might be a trap.
Name:
Anonymous 2018-09-05 21:31
>>2 Trap? I'm learning about security. That's like saying it's a trap to post about XSS or CSRF. This stuff is perfectly legal to learn about. There are books you can buy on Amazon, or tutorials you can watch on Youtube about it.
Anyway, I looked up HTTP botnets and maybe that's what I'm looking for. But maybe not
Name:
Anonymous 2018-09-06 7:06
securityfag here. OP, you need to understand what you're doing. so let us begin with simple things:
what do you get when you upload a PHP web-shell to a server? well, PHP is a server-side language so you get code execution on this server. such code execution is triggered when you navigate to your uploaded file. it can be a web shell, but it can be anything that the PHP language allows. as PHP allows not just Turing complete computation but also 'shelling out' to the system's command-line, you can more or less do anything within the context of the current user.
is this enough to have a botnet? on one hand: probably, as DDoS and spambots don't really require much privileges. just drop a shell and a botnet slave script to the server and force the shell to run it. on the other hand: probably not due to the existence of sysadmins. a sysadmin might not know much about PHP, but a competent one will put the webserver in a separate user account, and will notice that such account is spawning suspicious processes, and after investigation will find weird files you've dropped. so you might try to think about obfuscating your actions a bit - but doing it well will require privilege escalation (getting a rootkit would be best).
now, your question about IRC: that's an entirely different topic, the topic of C&C (or 'C2'): or 'how do I control my botnet remotely'. a botnet slave written in PHP can receive commands from IRC, as long as you can write (or copypaste) a PHP IRC client. it also can (and should) receive commands from other sources.
the point of IRC bots was that managing your botnet by scripting telnet/ssh connections would look suspicious to a sysadmin analyzing traffic, but IRC was something everyone used so IRC traffic was usually whitelisted on the firewall and didn't receive admin attention. nowadays, IRC is a niche thing and usually not installed on the servers, so the sysadmin will probably assume that it's a botnet from the start. nowadays, the common way to receive commands in a non-suspicious way is different: 1. you make a simple HTTPS server that returns the current command (maybe with a REST API or something) 2. you include a client in your botnet: it connects to the server, reads the command and acts on it 3. instead of hardcoding IPs, you write a domain-generation algorithm (DGA): your client will deterministically generate a domain name based on date/time and connect to it. you register those domains and depending on the date you point them to your server.
>you register those domains and depending on the date you point them to your server.
how would you do that without doxxing yourself? you need to provide payment info and shit. maybe people would just go to dark web "carders" or something?
and what if someone reverse engineers the DGA and then registers the domains used in the future? they could sinkhole it
Name:
Anonymous 2018-09-06 18:17
also where do traffic distribution systems come into play? is that like, you get someone to click on a link, and then the TDS chooses which payload is suitable based on their user agent? and you use a portable executable packer or something to try and get around anti-malware software signatures? but that's different from the web shell and botnet stuff I'm talking about, now getting off-topic into other malware stuff
Name:
Anonymous 2018-09-07 6:42
>>5 payment is definitely the difficult part if you're doing illegal shit. if you're just pentesting, there's no need to worry because as long as you use domain privacy, you only need to worry about law enforcement here. in a legal pentest, the blue team will have no way of accessing your payment data.
an interesting way of doing things could be a DGA that generates domains on free hosting services
as for DGA - yeah, that's what malware analysts are doing. finding the domains and blocking them, or possibly registering if they're not registered yet. that's why malware is often heavily obfuscated, to make reversing take longer.
Name:
Anonymous 2018-09-07 15:28
from a defensive perspective, if DGAs generate gibberish-looking domains, like sdf908sd9f87sdf8sd.com or whatever, you could just block any DNS lookups that go to long strings that don't have any dictionary words in them, right?
i can't think of any legitimate use-cases for base64-looking domains
can you block domains based on regular expression?
Name:
Anonymous 2018-09-07 22:14
For a local VM-only research botnet, I don't want (or need) to actually pay money to register domain names, right? I could just use /etc/hosts and redirect the domains to a server that way. But can you do something like /etc/hosts but with regex instead of hardcoding every single literal domain name?
>>8 CDNs often have domain or subdomain names that look like random shit. so do DNS servers themselves. also, it's not difficult to make a DGA that uses English words. in fact, many of them do
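A defender-side sketch of the heuristic the two posts above argue about, added here as an example and not written by anyone in the thread: it scores each DNS query label by length, character entropy and greedy dictionary coverage, and shows both objections at once (a random-looking CDN-style hostname trips the rule, a word-based name does not). The log lines, the word list, the `query=` log format and the three thresholds are all constructed assumptions; a real deployment would load a proper word list and a public-suffix list.

```python
import math
import re
from collections import Counter

# Constructed DNS query log (not a real capture); the gibberish name is the one from the thread.
SAMPLE_QUERY_LOG = """\
2018-09-07T15:30:01 client=10.0.0.12 query=sdf908sd9f87sdf8sd.com
2018-09-07T15:30:02 client=10.0.0.12 query=www.example.com
2018-09-07T15:30:03 client=10.0.0.15 query=d1a2b3c4e5f6g7.cdn-edge.example
2018-09-07T15:30:04 client=10.0.0.15 query=mail.example.org
2018-09-07T15:30:05 client=10.0.0.12 query=greenriverapple.net
"""
# Constructed stand-in for a real dictionary; a real deployment would load a word list.
WORDS = {"www", "mail", "example", "green", "river", "apple", "cdn", "edge"}
QUERY_RE = re.compile(r"query=(?P<qname>[A-Za-z0-9.-]+)")


def shannon_entropy(s):
    """Bits per character of the label's character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dictionary_coverage(label, words=WORDS):
    """Fraction of the label covered by greedy longest-match dictionary words."""
    i, covered = 0, 0
    while i < len(label):
        hit = next((j for j in range(len(label), i, -1) if label[i:j] in words), None)
        if hit is None:
            i += 1
        else:
            covered += hit - i
            i = hit
    return covered / len(label) if label else 0.0


def suspicious_label(label, min_len=12, min_entropy=2.5, max_coverage=0.5):
    """Heuristic rule; the three thresholds are assumptions, not tuned values."""
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and dictionary_coverage(label) <= max_coverage)


def scan_query_log(log_text):
    """Return query names where any label below the TLD trips the rule."""
    flagged = []
    for m in QUERY_RE.finditer(log_text):
        qname = m.group("qname").rstrip(".")
        labels = qname.split(".")[:-1]  # drops the TLD only; no public-suffix list (assumption)
        if any(suspicious_label(lab.replace("-", "")) for lab in labels):
            flagged.append(qname)
    return flagged
```

Note that raw entropy alone ranks the word-based `greenriverapple` above the thread's gibberish example, so an entropy-only block rule would get both of those cases wrong.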
Name:
Anonymous 2018-09-08 15:10
>>11 Do you know of any real-world DGA examples (used by botnets)? I want to try and see if there are any common themes among them for pattern matching.