De-obfuscate a backdoor PHP script

See this post:

Versatile Programmer’s Diary

The string ‘\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e’ is the hex-encoded form of “create_function”, a PHP function that creates a function dynamically from a string. This is a backdoor. What can it do, for example?

  • It can upload arbitrary files
  • It can execute MySQL queries
  • It can run shell commands

Others have detected the following as a Trojan function.

‘function letmein() {die’
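
To triage a suspect file for both indicators above (the hex-encoded function name and the letmein marker), the escapes can be decoded before searching. The following is an added example, not code from the original post: the sample file is constructed, the function names `decode_php_escapes` and `scan` are hypothetical, and every watched name other than create_function and letmein is an assumption.

```python
import re

# PHP double-quoted string escapes: \\ (kept as-is), \xHH hex, \NNN octal.
_ESC = re.compile(r'\\\\|\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')

# create_function and the letmein marker come from the post; the other
# names are assumptions (common PHP dynamic-execution functions).
_NAMES = ("create_function", "eval", "base64_decode", "shell_exec", "system")
PATTERNS = {n: re.compile(r'\b' + re.escape(n) + r'\b', re.I) for n in _NAMES}
PATTERNS["letmein"] = re.compile(r'\bfunction\s+letmein\s*\(', re.I)


def decode_php_escapes(text):
    """Resolve \\xHH and octal escapes the way PHP would in a "..." string."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        if m.group(2) is not None:
            return chr(int(m.group(2), 8) & 0xFF)
        return m.group(0)  # escaped backslash: not an encoded character
    return _ESC.sub(repl, text)


def scan(source):
    """Return (line_number, indicator, hidden) tuples.

    hidden is True when the indicator only appears after decoding,
    i.e. the author took steps to conceal it from a plain-text search.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        decoded = decode_php_escapes(line)
        for name, pattern in PATTERNS.items():
            if pattern.search(decoded):
                findings.append((lineno, name, not pattern.search(line)))
    return findings


# Constructed sample (inert: the dynamic function body is harmless).
SAMPLE = r"""<?php
$f = "\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e";
$g = $f('$a', 'return 1;');
function letmein() {die();}
echo "hello";
"""

if __name__ == "__main__":
    for lineno, name, hidden in scan(SAMPLE):
        print(f"line {lineno}: {name}" + (" (obfuscated)" if hidden else ""))
```

A name that shows up only after decoding is a stronger signal than the name itself, since legitimate code has little reason to hex-encode a function name.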
