PHP Obfuscation and Backdoors – Part 1
When browsing through the root web directory, we found that .htaccess had been modified. The modified .htaccess was pointing to “common.php”, so we jumped right into analyzing common.php and found the following.
Good chance this is bad news, right? Notice how the base64 function name is split up with string concatenation (ba”.”se64): the pieces are glued back together at runtime, so a simple search for base64_decode across the site never matches. Let’s decode all of the data and see what we get.
It appears we have another stage of encoding. At first glance it looks like more Base64, but reading to the end of the string we noticed something a bit off.
The “^” caught our eye and needed to be investigated. Some googling confirmed that this is PHP performing an XOR across the two strings of data: when both operands of ^ are strings, PHP XORs them byte by byte and the result is only as long as the shorter of the two (see php.net’s page on bitwise operators). So how can we pull out the XORed data? We simply dumped both strings into variables in PHP, applied ^ ourselves, and printed the result seen below.
More decoding… Now we have data that needs to be base64-decoded and gzinflated. Below is a modified example of how to run this in PHP.
After running this, we should see the following.
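The three layers walked through above (split-up base64, string XOR, then base64 plus gzinflate) can be peeled off with a small script. The following is an added example, not the article’s own PHP; it is written in Python so it runs without a PHP interpreter, with php_string_xor emulating PHP’s string ^ and php_gzinflate emulating gzinflate() (raw DEFLATE, no header). The plaintext, the XOR key and the sample payload are constructed here by applying the same layers in reverse, not taken from common.php.

```python
"""Multi-stage decoder for the base64 / XOR / base64+gzinflate layering.

Added example. The sample below is constructed by applying the same layers
in reverse, so the decoder can be run offline against known-good input.
"""
import base64
import zlib


def php_string_xor(a: bytes, b: bytes) -> bytes:
    """Emulate PHP's `$a ^ $b` when both operands are strings:
    byte-wise XOR, silently truncated to the shorter operand.
    (If either operand were an int, PHP would do integer XOR instead.)"""
    return bytes(x ^ y for x, y in zip(a, b))


def php_gzinflate(data: bytes) -> bytes:
    """PHP's gzinflate() consumes raw DEFLATE with no zlib/gzip header,
    which in Python's zlib means negative wbits."""
    return zlib.decompress(data, wbits=-zlib.MAX_WBITS)


def php_gzdeflate(data: bytes) -> bytes:
    """Inverse of php_gzinflate(), used only to build the constructed sample."""
    comp = zlib.compressobj(level=9, wbits=-zlib.MAX_WBITS)
    return comp.compress(data) + comp.flush()


def decode_stages(stage1_b64: bytes, key: bytes) -> dict:
    """Walk the layers in the order the article found them:
    1. base64 (the ba"."se64 call)  2. ^ against the second string
    3. base64 again, then gzinflate.  Every intermediate is returned so an
    analyst can inspect each stage, not just the final code."""
    after_base64 = base64.b64decode(stage1_b64)
    after_xor = php_string_xor(after_base64, key)
    inner = base64.b64decode(after_xor)
    final = php_gzinflate(inner)
    return {"after_base64": after_base64, "after_xor": after_xor, "final": final}


def build_sample(plaintext: bytes, key: bytes) -> bytes:
    """Construct a payload by applying the three layers in reverse.
    The key must be at least as long as the inner base64 text, otherwise
    PHP's truncating ^ would drop the tail of the data."""
    inner = base64.b64encode(php_gzdeflate(plaintext))
    if len(key) < len(inner):
        raise ValueError("XOR key shorter than data; PHP's ^ would truncate")
    return base64.b64encode(php_string_xor(inner, key))


# Constructed, benign stand-ins for the real stage-3 code and XOR key.
PLAINTEXT = b'<?php echo "constructed stage-3 payload"; ?>'
KEY = bytes((i * 73 + 41) % 256 for i in range(256))
SAMPLE = build_sample(PLAINTEXT, KEY)


if __name__ == "__main__":
    stages = decode_stages(SAMPLE, KEY)
    for name, value in stages.items():
        print(f"{name}: {value[:60]!r}")
```

The truncation rule matters in practice: if the attacker's key string is shorter than the data, PHP silently discards the excess bytes, so a decoder that pads or cycles the key the way many XOR tools do will produce garbage for the tail of the payload.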
There we have it! This specific page has been compromised for some time (we are thinking years, based on the artifacts’ creation dates, keeping in mind that file timestamps are easy for an attacker to forge), so none of this may be very new, but we hope it helps with getting a feel for what you may be looking for as well as how to identify what is going on.
- Do you see function names broken up into pieces? For example, the base64 function is split into ba”.”se64 in this sample.
- Is there a legitimate reason for your code to XOR strings with ^?
- How many stages of obfuscation/encoding are there?
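The three questions above can be turned into a first-pass triage script for the rest of a site’s PHP files. The following is an added example with heuristics of our own, not a tool from the article: it re-joins concatenated string literals so split names such as ba”.”se64 reappear, flags ^ used between string-like operands, and measures how deeply decode calls such as gzinflate(base64_decode(...)) are nested. The PHP snippets it runs over are constructed for the example, not files from the compromised site, and the regexes are heuristics that can produce false positives (for example a literal "^" inside a string).

```python
"""Heuristic scanner for split function names, string XOR and nested decode
chains in PHP source. Added example; the sample snippets are constructed."""
import re

# Names attackers tend to hide; a split like "ba"."se64_decode" defeats a plain grep.
SUSPECT_FUNCS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13",
                 "eval", "assert", "create_function", "preg_replace")

# Two adjacent string literals joined with '.', e.g. "ba"."se64" or 'ba' . 'se64'.
CONCAT_RE = re.compile(r"""(['"])([^'"]*)\1\s*\.\s*(['"])([^'"]*)\3""")

# A '^' with an operand-looking token on each side: ')', identifier, quote on the
# left; '$', '(', identifier, quote on the right.  Regex anchors like "/^x/" are skipped.
XOR_RE = re.compile(r"""(?:\)|\w|['"])\s*\^\s*(?:\$|\(|\w|['"])""")

# Two or more suspect calls opened back to back: eval(gzinflate(base64_decode(
CHAIN_RE = re.compile(r"(?:\b(?:" + "|".join(SUSPECT_FUNCS) + r")\s*\(\s*){2,}")


def join_concats(code: str) -> str:
    """Glue adjacent literal fragments back together until nothing changes,
    so "ba"."se64"."_decode" collapses to "base64_decode"."""
    prev = None
    while prev != code:
        prev = code
        code = CONCAT_RE.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), code)
    return code


def scan(code: str) -> dict:
    """Return the indicators for one PHP source string."""
    normalized = join_concats(code)
    # A suspect name that appears more often after re-joining than before was split up.
    split_names = [f for f in SUSPECT_FUNCS if normalized.count(f) > code.count(f)]
    xor_sites = len(XOR_RE.findall(normalized))
    # Depth of the deepest chain = number of '(' in the longest back-to-back run.
    depth = max((m.group(0).count("(") for m in CHAIN_RE.finditer(normalized)), default=0)
    return {
        "split_names": split_names,
        "xor_sites": xor_sites,
        "max_decode_depth": depth,
        "suspicious": bool(split_names) or xor_sites > 0 or depth >= 2,
    }


# Constructed snippets: one clean, two showing the traits from the checklist.
SAMPLES = {
    "clean": r'''<?php echo htmlspecialchars($_GET["q"] ?? ""); ?>''',
    "layered": r'''<?php $f = "ba"."se64"."_decode"; $k = "\x51\x12"; $d = $f("aGVsbG8=") ^ $k; eval(gzinflate(base64_decode($d))); ?>''',
    "xor_literals": r'''<?php $z = "gz"."inflate"; echo "abc" ^ "\x01\x02\x03"; ?>''',
}


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, scan(src))
```

Run it over a directory with a loop of your own and sort by max_decode_depth and split_names; anything with a split name or a nested decode chain is worth opening by hand, while a lone ^ between variables deserves a look but is not proof on its own.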
The ssl-check and ssl-backup domains have been around the block if you do some digging. Luckily, Google appears to be catching the compromised sites and flagging them as “hacked”. After our investigation of common.php, we took a quick pass across the rest of the PHP pages on the site. In our next article, we will talk about the backdoors we identified, which include both obfuscated and non-obfuscated files.