Recently, when I did a routine check on one of my clients' websites, which is a WordPress one, I found a suspicious file (well, unsuspicious, but its size made me take a look) which contains a backdoor. It seems like a normal PHP file. It was even named cgi.php (normally this would confuse a normal user). BTW, I decided to take a look at it. When I tried to access this file, IT WAS ASKING FOR A PASSWORD.
It was obfuscated. I ran it through a PHP deobfuscator. After the deobfuscation I got this. I googled it with some words from this file and found that this is a PHP backdoor which grants full access to the cracker. But the decoded script throws some errors (due to the improper decoding). But I've tried to fix them (not really; I threw the error-prone regions out, and also the authorization part). I see there is an MD5-hashed variable named $auth_pass which holds the password. When I enter the password, it hashes the input and tries to match it. But decrypting that MD5 led me nowhere. :(
Fixing the errors in the backdoor landed me in the admin area. (See the gist here.)
I was using XAMPP with PHP 5.6 on Windows. Some operations were not working; maybe the decoder didn't do well. It was working well when I tested it in a Linux environment: I could traverse directories, spawn consoles, write files, upload files and pretty much everything. It probably came in through some input fields in WordPress. Anyway, I've deleted all those files.
The filenames are confusing for a newbie admin, like cgi.php, web-info.php etc., but they share a similar size. So it was easy for me to throw them out, but those files were spread all over my directories, eating up all the resources, DoS, etc.
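As an added example (not from the original post), here is a small Python scanner for the defender's side of this story: it walks a web root, flags PHP files that carry common obfuscation markers or the md5-hashed $auth_pass gate described above, and groups the hits by file size so that same-size copies dropped under different names (cgi.php, web-info.php) stand out. The directory layout and stub contents in demo() are constructed for the example.

```python
import os
import re
import tempfile
from collections import defaultdict
# Heuristic markers of obfuscated PHP; hits are leads for manual review, not proof.
OBFUSCATION = {"eval": re.compile(r"\beval\s*\("),
               "base64_decode": re.compile(r"\bbase64_decode\s*\("),
               "gzinflate": re.compile(r"\bgzinflate\s*\(")}
# The md5 login gate the post describes: $auth_pass = '<32 hex chars>';
AUTH_PASS_RE = re.compile(r"\$auth_pass\s*=\s*['\"]([0-9a-f]{32})['\"]", re.I)

def scan_file(path):
    """Return indicators found in one file, or {} when nothing matched."""
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="replace")
    obf = [name for name, pat in OBFUSCATION.items() if pat.search(text)]
    m = AUTH_PASS_RE.search(text)
    if not obf and not m:
        return {}
    return {"obfuscation": obf, "auth_pass_md5": m.group(1).lower() if m else None}

def scan_tree(root):
    """Walk a web root; map each suspicious .php path to its size and indicators."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            hits = scan_file(path) if name.lower().endswith(".php") else {}
            if hits:
                findings[path] = {"size": os.path.getsize(path), "indicators": hits}
    return findings

def group_by_size(findings):
    """Cluster flagged files by byte size: copies of one backdoor under different names surface as one group."""
    groups = defaultdict(list)
    for path, info in findings.items():
        groups[info["size"]].append(path)
    return {size: sorted(paths) for size, paths in groups.items() if len(paths) > 1}

def demo():
    """Constructed sample tree (stubs, not real malware): two same-size copies plus a clean index.php."""
    root = tempfile.mkdtemp()
    stub = "<?php $auth_pass = '%s';\neval(base64_decode('aGVsbG8='));\n" % ("ab" * 16)
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    for rel in ("cgi.php", os.path.join("wp-content", "uploads", "web-info.php")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(stub)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    findings = scan_tree(root)
    return {"flagged": sorted(os.path.basename(p) for p in findings), "size_groups": len(group_by_size(findings))}
```

Run `demo()` to see the two stubs flagged as one size group while the clean index.php is left alone; point `scan_tree()` at a real web root to get the same report for every flagged file.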
Had a hard time with my clients for the first time. Thanks to Jomit Jose for helping me… never forget you.
Here is the somewhat functioning version of the PHP backdoor: