\n<\/p>\n
As developers and system architects, we often secure our code but neglect the silent threats lurking in old directories or clever obfuscations. Recently, I caught a stealthy PHP backdoor ((random_name).php) embedded in a system.<\/p>\n
Instead of just deleting it, I decided to perform a full reverse engineering to understand exactly how it works, how it bypasses scanners, and how it maintains persistence on a server.<\/p>\n
Here is a quick summary of what I found during the analysis.<\/p>\n
\ud83d\udd0d The Anatomy of the MalwareAt first glance, the file was heavily obfuscated using multiple layers of encoding to look like harmless gibberish. However, the core mechanism relied on a classic but dangerous pattern:<\/p>\n
PHP\/\/ The malicious pattern used to execute hidden codeeval(base64_decode($_POST(‘encoded_payload’)));Key Techniques Used by the Attacker:Layered Obfuscation: The code utilized deep base64 nesting combined with string manipulation functions to evade signature-based security scanners.<\/p>\n
Hidden Tar Extraction: Deep inside the encoded strings, the malware contained a compressed TAR structure. Once triggered, it extracts a full-featured web shell into the server directories.<\/p>\n
SSH Persistence: The ultimate goal wasn’t just to execute commands once\u2014the script was designed to inject malicious public keys into the server’s ~\/.ssh\/authorized_keys file, granting the attacker permanent, direct SSH access without leaving a footprint in the web logs.<\/p>\n
\ud83d\udee0\ufe0f How to Protect Your SystemIf you suspect your server has been compromised, simply deleting the .php file might not be enough. You need to:<\/p>\n
Check your ~\/.ssh\/authorized_keys for unauthorized entries.<\/p>\n
Audit your system cronjobs to ensure the malware doesn’t have a re-infection script scheduled.<\/p>\n
Implement strict file permissions (chmod 644 for files, 755 for directories) and disable dangerous PHP functions like eval(), exec(), and passthru() in your php.ini.<\/p>\n
\ud83d\udcd6 Read the Full Deep DiveI have documented the complete step-by-step deobfuscation process, the code breakdown, directory structures, and full remediation steps on GitHub.<\/p>\n
\ud83d\udc49 See full analysis and source code breakdown here:<\/p>\n
https:\/\/github.com\/KhaiTrang1995\/Malware-Analysis-Reports-PHP-Backdoor<\/p>\n
Alternatively, you can view the repository directly:<\/p>\n
Tags: #php #security #devsecops #malware<\/p>\n