
The story of a backdoor

Prehistory


There was once an old, old site. Its original developers had disowned it, and in its second decade of existence it came to us. It was a jungle of PHP code scattered across folders. All of it had been written at different times, using different hacks, in different encodings (up to 3 encodings within one file). MVC was probably unheard of back then, and the developers had not heard of template engines either, so don't be surprised by a sudden
<? if (cond) { ?> 
in the HTML markup. I spent more than one hour in an exciting search for the matching
 <? } ?> 
The developers had not forgotten about backups: index.php, index_old.php and index.php.bak could be found in the root. But no matter what, this miracle worked. And what works, you don't touch.

Outset


This story began one sunny December morning, when a promotion specialist was surprised to find links to third-party sites in the footer. A little digging revealed two things:
  1. it is Sape (a paid-link network);
  2. the customer is perplexed.


The customer's perplexity is understandable: he doesn't see these links.

Investigation


The task was set: find, understand, destroy. Having found the right place in the HTML markup of the included PHP file, we got the name of the function that was doing somebody a favour. A search across ~60k code files gave nothing: no such function was declared anywhere. I went on to enumerate all the files included from the entry point in question. In the process, my eye caught on a file that looked like this:
[listing of the encoded file; not preserved in this copy of the post]


Nothing is clear, but sincere thanks to the person who did not remove the header comment. I start googling Zend Optimizer, rightly assuming that it will lead to deciphering this mess. The search for a working decoder ends here. The captcha was a particular delight:



After some pain caused by the site's prohibition on copying the result, I got the following:



I treat complex regular expressions with distrust, and this one threw me off completely. I start recalling how preg_replace() works. And the more I read, the more I wonder. The regular expression must be the first parameter, and the replacement the second. I looked again at what I had been given: it turns out that in the string "x", "#x#e" is being replaced with the long piece. Moreover, the preg_replace() function uses the x and e modifiers. But let's not confuse ourselves: everything between the # characters is the pattern (they are the delimiters), so x is actually what gets replaced in the string "x", i.e. all of it, and the e modifier makes the resulting replacement be executed as PHP code. A close look at the replacement string makes it clear that most of it is noise.



If you remove the comments, you get
 @eval(base64_decode($I0)); 
At this point I had to google what "@" before a function call means. Next, thanks to online decoders, I got the next batch of riddles.



Here I first saw the function chr(). Then I stumbled over
 $ll = @explode(chr(187) , @implode('', @array_map('trim', @file($ll)))); 
and googled array_map(). In short, a piece of the very same original file encoded by Zend Optimizer is used here. I honestly don't know what algorithm is used there, but after a permutation of the characters and the already familiar base64_decode(), I got the crypto function:
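As an added example (mine, not code from the post or from the site being investigated), here is a small Python triage script that looks for the indicators the post describes: preg_replace() called with the e modifier, eval(base64_decode(...)), the array_map/file() pipeline that assembles a payload from another file, and chr() character assembly. The comment stripper normalizes away the "noise" comments before matching, since that noise is what hid the eval in the first place; long base64-looking literals are also decoded so the "next riddle" is visible at a glance. The two PHP inputs are constructed for the demo and are not real malware.

```python
"""Static triage of PHP source for the obfuscation indicators described in the post."""
import base64
import re
from dataclasses import dataclass, field

# --- constructed sample inputs (assumed for the demo; not real malware) ---
_PAYLOAD = base64.b64encode(b"echo 'hello';").decode()
SAMPLE_PHP = r"""<?php
$I0 = "__PAYLOAD__";
preg_replace("#x#e", '/* noise */ @eval(/* more noise */ base64_decode($I0)); // tail', "x");
$ll = @explode(chr(187), @implode('', @array_map('trim', @file($ll))));
?>""".replace("__PAYLOAD__", _PAYLOAD)

CLEAN_PHP = r"""<?php
// Ordinary code: preg_replace without /e, no eval, no base64_decode.
$title = preg_replace('/\s+/', ' ', trim($q));
echo htmlspecialchars($title);
?>"""

# Matches one single- or double-quoted PHP string literal (escapes allowed).
STRING_LIT = re.compile(r'"(?:[^"\\]|\\.)*"' + "|" + r"'(?:[^'\\]|\\.)*'", re.S)
# preg_replace("<delim>pattern<delim><modifiers>", ...) ; group 4 = modifiers
PREG_CALL = re.compile(r'preg_replace\s*\(\s*(["\'])([^\w\s\\])(.*?)\2([a-zA-Z]*)\1', re.S)
EVAL_B64 = re.compile(r'eval\s*\(\s*@?\s*base64_decode\s*\(')
FILE_PIPELINE = re.compile(r"array_map\s*\(\s*['\"]trim['\"]\s*,\s*@?\s*file\s*\(")
CHR_CALL = re.compile(r'\bchr\s*\(\s*\d+\s*\)')
B64_LIT = re.compile(r'["\']([A-Za-z0-9+/]{16,}={0,2})["\']')

WEIGHTS = {
    "preg_replace with /e modifier": 5,
    "eval(base64_decode(...))": 5,
    "payload assembled from another file via array_map/file": 3,
    "chr() character assembly": 1,
}


def strip_php_comments(src: str) -> str:
    """Remove /* */, // and # comments while leaving string literals intact
    (the '#' in "#x#e" is a regex delimiter, not a comment)."""
    out, i, n, quote = [], 0, len(src), None
    while i < n:
        c = src[i]
        if quote:                                  # inside a string literal
            out.append(c)
            if c == "\\" and i + 1 < n:            # keep escaped char verbatim
                out.append(src[i + 1]); i += 2; continue
            if c == quote:
                quote = None
            i += 1
        elif c in "\"'":
            quote = c; out.append(c); i += 1
        elif src.startswith("/*", i):
            end = src.find("*/", i + 2)
            i = n if end < 0 else end + 2
            out.append(" ")                        # keep tokens separated
        elif src.startswith("//", i) or c == "#":
            end = src.find("\n", i)
            i = n if end < 0 else end              # newline itself is kept
        else:
            out.append(c); i += 1
    return "".join(out)


def views(src: str):
    """Return (code view, expanded view). The expanded view also appends every
    string body with its own comments stripped, because under /e the
    replacement string is itself PHP code and its comments are just noise."""
    code = strip_php_comments(src)
    bodies = [strip_php_comments(m.group(0)[1:-1]) for m in STRING_LIT.finditer(code)]
    return code, code + "\n" + "\n".join(bodies)


def peel_base64_literals(code: str) -> list:
    """Decode long base64-looking literals that yield printable ASCII."""
    out = []
    for m in B64_LIT.finditer(code):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            out.append(text)
    return out


@dataclass
class Finding:
    path: str
    hits: list = field(default_factory=list)
    score: int = 0
    decoded: list = field(default_factory=list)


def scan_php(src: str, path: str = "<memory>") -> Finding:
    code, expanded = views(src)
    f = Finding(path)
    if any("e" in m.group(4) for m in PREG_CALL.finditer(code)):
        f.hits.append("preg_replace with /e modifier")
    if EVAL_B64.search(expanded):
        f.hits.append("eval(base64_decode(...))")
    if FILE_PIPELINE.search(expanded):
        f.hits.append("payload assembled from another file via array_map/file")
    if CHR_CALL.search(expanded):
        f.hits.append("chr() character assembly")
    f.score = sum(WEIGHTS[h] for h in f.hits)
    f.decoded = peel_base64_literals(code)
    return f


if __name__ == "__main__":
    for name, src in (("sample_backdoor.php", SAMPLE_PHP), ("clean.php", CLEAN_PHP)):
        r = scan_php(src, name)
        print(f"{name}: score={r.score} hits={r.hits} decoded={r.decoded}")
```

In practice you would feed `scan_php()` every file under the web root and sort by score; the /e and eval(base64_decode()) indicators alone are strong enough to warrant a manual look, while a lone chr() call is only a weak signal and is weighted accordingly.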



Then the code began to grow exponentially, and after several iterations the file reached 2k lines. Working out the structure of the file after all this I left for tomorrow, but for now a couple of fun bits:


it allows passing unnoticed from the terminals of the internal subnet.


I wonder: did they do the encryption there right away, or has someone else already had a go at it for us?

Instead of an afterword


If you believe the file creation time, this dates back to the harsh year 2009. Only now I even feel a little sorry for the time of the people who wrapped all this up so thoroughly, because I am sure that process took more time than reversing it. And after all, none of this would have been possible had the Zend Optimizer header comment not survived.

Source: https://habr.com/ru/post/206536/

