
Backdoor: Contact1

2012-05-24  by  Daniel B. Cid
Magno (from our support team) found this pretty backdoor on a compromised site. As we keep saying, just searching for evals + base64_decode won't cut it anymore.

*If you enjoy decoding backdoors and are looking for a job, please try this one and send the results to dcid@sucuri.net :)
Yes, that's all for the backdoor.
Another interesting backdoor:


You may not be aware, but the preg_replace function with the "e" modifier allows full code execution (eval). When you decode the hex-escaped characters, you get "eval ( gzinflate ( base64_decode ( ", which runs all the code in the long block of characters inside the preg_replace.
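A scanner-side check for the pattern described above, as an added example (not code from the compromised site or from Sucuri's tooling): it resolves PHP hex and octal string escapes before matching, and flags preg_replace calls whose pattern carries the "e" modifier. The function names, the finding strings and the sample inputs are constructed for illustration, and the regexes are a heuristic rather than a PHP parser.

```python
import re

# Function names chained in the obfuscated loader the post describes.
SUSPICIOUS = ("eval", "gzinflate", "base64_decode")
# PHP double-quoted string escapes: \xHH (hex) and \NNN (octal).
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")
# First argument (the pattern literal) of a preg_replace() call.
PREG_RE = re.compile(r"preg_replace\s*\(\s*([\"'])(.*?)(?<!\\)\1", re.S | re.I)
# Any double-quoted string literal.
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)

def decode_php_escapes(text):
    """Resolve \\xHH and \\NNN escapes as PHP does inside double quotes."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)
    return ESCAPE_RE.sub(repl, text)

def has_e_modifier(pattern):
    """True if a pattern literal such as /.*/e carries the 'e' modifier."""
    pattern = decode_php_escapes(pattern).strip()
    if not pattern:
        return False
    closing = {"(": ")", "[": "]", "{": "}", "<": ">"}.get(pattern[0], pattern[0])
    end = pattern.rfind(closing)
    return end > 0 and "e" in pattern[end + 1:]

def scan(source):
    """Return a list of findings for one PHP source string."""
    findings = []
    if any(has_e_modifier(m.group(2)) for m in PREG_RE.finditer(source)):
        findings.append("preg_replace with /e modifier")
    for m in STRING_RE.finditer(source):
        raw = m.group(1)
        decoded = decode_php_escapes(raw).lower()
        # Report only names that are invisible to a plain-text search.
        hidden = [f for f in SUSPICIOUS if f in decoded and f not in raw.lower()]
        if hidden:
            findings.append("escaped string hides: " + ", ".join(hidden))
    return findings

# Constructed samples with a placeholder payload (not the code from the post).
HEXED = "".join("\\x%02x" % ord(c) for c in "eval(gzinflate(base64_decode(")
SAMPLE = 'preg_replace("/.*/e", "' + HEXED + "'PLACEHOLDER'" + '\\x29\\x29\\x29\\x3b", ".");'
CLEAN = 'echo preg_replace("/\\s+/", " ", $title);'

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE), ("clean", CLEAN)):
        print(name, scan(src))
```

A plain search for "eval" or "base64_decode" finds nothing in the constructed sample, while the decoded view reports all three names plus the "e" modifier.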