Key Techniques Used by the Attacker:
Layered Obfuscation: The code utilized deep base64 nesting combined with string manipulation functions to evade signature-based security scanners.
Hidden Tar Extraction: Deep inside the encoded strings, the malware contained a compressed TAR structure. Once triggered, it extracts a full-featured web shell into the server directories.
SSH Persistence: The ultimate goal wasn't just to execute commands once; the script was designed to inject malicious public keys into the server's ~/.ssh/authorized_keys file, granting the attacker permanent, direct SSH access without leaving a footprint in the web logs.
How to Protect Your System
If you suspect your server has been compromised, simply deleting the .php file might not be enough. You need to:
Check your ~/.ssh/authorized_keys for unauthorized entries.
Audit your system cronjobs to ensure the malware doesn't have a re-infection script scheduled.
Implement strict file permissions (chmod 644 for files, 755 for directories) and disable dangerous PHP functions like eval(), exec(), and passthru() in your php.ini.
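The checklist above as a set of audit helpers, written here as an added example rather than code from the original post or its repository. File paths are parameters, and the sample inputs are constructed so that it runs offline; the function names and the extra functions added to the disable_functions check are assumptions.

```shell
# Added example, not code from the original post or its repository: shell helpers for the cleanup
# checklist above. Paths are parameters (assumed layout) so they can target the real files.

# Print the "type blob" of each authorized_keys entry in $1, skipping comments and any
# leading options such as command="..." that are sometimes used to make an entry look benign.
key_blobs() {
  awk 'NF == 0 || $1 ~ /^#/ { next }
       { for (i = 1; i <= NF; i++)
           if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-|sk-)/) { print $i, $(i+1); break } }' "$1"
}

# Report keys in $1 absent from the allowlist $2 (one "type blob" per line).
# Exit 0 when every key is known, 1 when an unexpected key is present.
audit_authorized_keys() {
  unknown=$(key_blobs "$1" | grep -vxF -f "$2" || true)
  [ -z "$unknown" ] && return 0
  printf '%s\n' "$unknown" | sed 's/^/UNEXPECTED KEY: /'
  return 1
}

# Print active lines of crontab file $1 that invoke PHP or fetch/decode data, the usual
# shape of a re-infection job; every hit still needs manual review.
suspicious_cron_lines() {
  grep -vE '^[[:space:]]*#|^[[:space:]]*$' "$1" | grep -E 'php|base64|curl|wget' || true
}

# Print .php files under $1 whose mode is not the 644 recommended above.
loose_php_files() { find "$1" -type f -name '*.php' ! -perm 644; }

# Print functions still missing from disable_functions in php.ini $1: the post's exec and
# passthru plus shell_exec and system (assumed additions). eval() is a language construct,
# not a function, so disable_functions cannot switch it off; review code for it instead.
missing_disabled_functions() {
  disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" | tr ',' '\n' | tr -d ' ')
  for f in exec passthru shell_exec system; do
    printf '%s\n' "$disabled" | grep -qx "$f" || echo "$f"
  done
}

# Constructed sample inputs (not real data) in a temp dir so the audit runs offline.
make_samples() {
  d=$(mktemp -d) && mkdir -p "$d/www/uploads"
  printf 'ssh-ed25519 AAAAC3known\n' > "$d/allow"
  printf '# admin\nssh-ed25519 AAAAC3known admin@host\ncommand="/bin/sh" ssh-rsa AAAAB3planted x\n' > "$d/keys"
  printf '# constructed crontab\n0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n*/5 * * * * php /tmp/.r.php\n' > "$d/cron"
  printf 'disable_functions = exec,passthru\n' > "$d/php.ini"
  touch "$d/www/index.php" "$d/www/uploads/.x.php" && chmod 644 "$d/www/index.php" && chmod 600 "$d/www/uploads/.x.php"
  echo "$d"
}
```

Run each helper against the real paths (`audit_authorized_keys ~/.ssh/authorized_keys allowlist.txt`, `suspicious_cron_lines /etc/crontab`, and so on); a non-zero exit from the key audit means an entry you did not put there.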
Read the Full Deep Dive
I have documented the complete step-by-step deobfuscation process, the code breakdown, directory structures, and full remediation steps on GitHub.
See full analysis and source code breakdown here:
https://github.com/KhaiTrang1995/Malware-Analysis-Reports-PHP-Backdoor
Alternatively, you can view the repository directly:
Tags: #php #security #devsecops #malware