Obfuscated PHP Backdoor

full · April 2, 2021, 1:41pm

Hi, I recently found a malicious PHP code [ LINK ] injected in some webpages, I tried to formate and deobfuscate it and understand how it works, It seems that is using Cookies to execute PHP code (Cookie: cipher=serialized+encrypted PHP code), I just want to know how they are making this kind of backdoors and how to generate this Cookie.

function cs_decrypt_phase($data, $key)
{
    $out_data = "";

    for ($i = 0; $i < strlen($data);) {
        for ($j = 0; $j < strlen($key) && $i < strlen($data); $j++, $i++) {
            $out_data .= chr(ord($data[$i]) ^ ord($key[$j]));
        }
    }

    return $out_data;
}

This a readable function to decrypt it.

Humairaa_Nunhuck · April 9, 2021, 7:56am

Hi i had the same code injected in one of my webpage. Do you have more information on how the code works?

webshell · April 14, 2021, 10:54am

Do you have the latest webshell?

full · April 15, 2021, 6:12pm

Yes i ve bought a tool to generate the backdoor and payloads

system · October 26, 2025, 7:47pm

This topic was automatically closed after 1668 days. New replies are no longer allowed.