Backdoors are pieces of code that allow attackers to bypass authentication, maintain their access to the server and reinfect files. Some of those malicious files can be as simple as a single line of code, allowing the execution of remote code, or complex algorithms, providing different functions to the attacker.
Backdoors as well as other malware types are often checking who is accessing them. This way, they're protecting themselves but also decrease the risk of being found either by various security bots and scanners or also by humans (using such check the script runs the payload, e.g. webshell only for certain IP addresses).
Any PHP based web site (often through outdated WordPress, Joomla, osCommerce, Magento, Drupal and stolen passwords).
Cleanup is done by deleting the malicious code from the file, or replacing it with a fresh version. Reviewing access logs for non-expected HTTP POSTs can point out the possible infected files.
$stop_ips_masks = array(
"66.249.[6-9][0-9].[0-9]+", // Google NetRange: 18.104.22.168 - 22.214.171.124
"74.125.[0-9]+.[0-9]+", // Google NetRange: 126.96.36.199 - 188.8.131.52
"65.5[2-5].[0-9]+.[0-9]+", // MSN NetRange: 184.108.40.206 - 220.127.116.11,
"74.6.[0-9]+.[0-9]+", // Yahoo NetRange: 18.104.22.168 - 22.214.171.124