Obfuscated PHP Backdoor

Hi, I recently found a malicious PHP code [ LINK ] injected in some webpages, I tried to formate and deobfuscate it and understand how it works, It seems that is using Cookies to execute PHP code (Cookie: cipher=serialized+encrypted PHP code), I just want to know how they are making this kind of backdoors and how to generate this Cookie.

function cs_decrypt_phase($data, $key)
{
    $out_data = "";

    for ($i = 0; $i < strlen($data);) {
        for ($j = 0; $j < strlen($key) && $i < strlen($data); $j++, $i++) {
            $out_data .= chr(ord($data[$i]) ^ ord($key[$j]));
        }
    }

    return $out_data;
}

This a readable function to decrypt it.

Hi i had the same code injected in one of my webpage. Do you have more information on how the code works?

Do you have the latest webshell?

Yes i ve bought a tool to generate the backdoor and payloads

tbh thats pretty “skiddy”, php webshells are easy to make and most of them are just Copy and Pasteable

There is no such thing as a “skiddy” project. its all about fun and being interactive. Webshells are fun to make and can provide alot of learning experience for php, and alot of webshell’s nowadays are private. The public webshells are always backdoored and send back a email if you do infect a server, so its worth making your own.

The easy part is about experience, your not just gonna call C easy to someone who never learned it before are you? - Satoshin

1 Like