PHP Obfuscation and Backdoors – Part 1

by Destruct_Icon
Categories: Coding, PHP
Tags: No Tags
Comments: Leave a Comment

:PHP Obfuscation and Backdoors – Part 1:

We are no strangers to a bit of obfuscated code. If you aren’t familiar with obfuscation, check out some of the great videos on deobfuscating Javascript by 8bits which can be accessed here. Recently we were presented with an opportunity to assist another security researcher with a few potentially compromised pages to help confirm their suspicion. When certain keywords were used or when accessed with specific user agent strings, the website would forward the user from the page to a different domain used for the sales of questionable content.

When browsing through the root web directory, we found that .htaccess was modified. The .htaccess was pointing to “common.php”. We jumped right into analyzing the common.php and found the following.


Good chance this is bad news right? Notice the split up of the base64 function. Let’s decode all of the data and see what we get.


It appears we have another stage of encoding. At first glance it looks like some more Base64 but getting to the end of the string we noticed something a bit off.


The “^” caught our eye and needed to be investigated. We googled around and discovered this is PHP performing an XOR across the two strings of data. For more information click here and check out php.net’s page about this functionality. So how can we pull the information specific to the xor out? We just dumped the information into a variable in php then printed the info seen below.


More decoding… Now we have data that needs to be gzinflated and base64’d. Below is a modified example of how to run this in php.


After running this, we should see the following.


There we have it! This specific page has been compromised for some time (we are thinking years based on the artifacts creation dates) so none of this may be very new but we hope it helps with getting a feel for what you may be looking for as well as how to identify what is going on.

  • Do you see functions broken up into pieces? For example the ba”.”se64 function from this sample.
  • Would there be a specific reason your code is XORing data with ^?
  • How many stages of obfuscation/encoding are there?

This ssl-check and ssl-backup domains have been around the block if you do some digging. Luckily, Google appears to be catching the sites that are compromised and identifying them as “hacked”. After our investigation here on common.php, we decided to take a quick pass across the rest of the php pages on the site. In our next article, we will talk about the backdoors we identified which include both obfuscated and non obfuscated files.

Leave a Reply

Your email address will not be published. Required fields are marked *

Today is Monday