How to Analyze and Reproduce an Nginx Backdoor: Step‑by‑Step Guide

Background

Recently a sample of an Nginx backdoor was obtained. The analysis aimed to reproduce the entire process and eventually uncovered the core backdoor code, which is shared here for research purposes only.

The backdoor works by embedding a signature string

lkfakjfa

in a cookie and specifying an IP and port for a reverse shell.

Sample Analysis

1. Using existing intelligence, the backdoor was located in

ngx_http_header_filter

. The binary contains symbol information.

2. The key string

lkfakjf

was found in the function.

3. After F5, a call to

connect_shell

was identified.

4. The

connect_shell

function implements a reverse shell using socket programming.

Backdoor Reproduction

1. Start the modified Nginx binary. Since Nginx binds port 80, multiple launches may fail due to port conflict.

2. Listen locally on port 9999.

3. Trigger the vulnerability with

curl

.

4. A shell is obtained via

nc

.

Principle Analysis

1. GDB and IDA reveal that the backdoor checks for the signature string in the cookie using the

ngx_http_request_t

structure. The relevant part of

ngx_http_header_filter

was examined.

2. Only the

header_in

portion of the structure is needed.

3. The

cookies

definition is located within

header_in

.

4. The full cookie structure is displayed.

5. Offsets within the structure (approximately 32 bytes) point to the stored signature string, likely residing in a

ngx_pool_t

structure.

Reproducing the Backdoor

1. Retrieve the cookie structure via

r->headers_in.cookies.elts

, then offset 32 bytes to obtain the signature string.

Explanation of the pointer arithmetic (64‑bit Linux only):

Convert

void *

to

long *

for

v1

.

Dereference to get

v2

.

Offset by 4

long

units (32 bytes) to reach the cookie string.

Important: The following code works only on 64‑bit Linux (stated three times for emphasis).

2. Configure Nginx with

--prefix=/root/nginx

and install missing dependencies.

3. Modify the generated

Makefile

inside

objs

to avoid compilation errors.

4. Build with

make

and install.

5. Run and debug the Nginx binary; the signature string is successfully extracted.

6. Using

printf

, the input signature string is displayed.

7. Add code for reverse shell (requires

nc

on the target system) and compile.

8. Change the signature string to

123456

and trigger the backdoor.

9. The reverse shell is received successfully.

Backdoor Detection

1. Local verification: use

grep

to search for suspicious "/bin/sh" strings in the running Nginx binary.

<code>$ which nginx | xargs grep "/bin/sh" -la</code>

2. Extract the Nginx binary and compare

ngx_http_header_filter

with the official source using IDA to identify modifications.

Threat Intelligence

MD5 hash of the backdoor sample:

ab498686505dfc645e14c6edad280da7