As developers and system architects, we often secure our code but neglect the silent threats lurking in old directories or clever obfuscations. Recently, I caught a stealthy PHP backdoor ([random_name].php) embedded in a system.
Instead of just deleting it, I decided to perform a full reverse engineering to understand exactly how it works, how it bypasses scanners, and how it maintains persistence on a server.
Here is a quick summary of what I found during the analysis.
The Anatomy of the Malware
At first glance, the file was heavily obfuscated using multiple layers of encoding to look like harmless gibberish. However, the core mechanism relied on a classic but dangerous pattern:
```php
// The malicious pattern used to execute hidden code
eval(base64_decode($_POST['encoded_payload']));
```
Key Techniques Used by the Attacker:
Layered Obfuscation: The code utilized deep base64 nesting combined with string manipulation functions to evade signature-based security scanners.
Hidden Tar Extraction: Deep inside the encoded strings, the malware contained a compressed TAR structure. Once triggered, it extracts a full-featured web shell into the server directories.
SSH Persistence: The ultimate goal wasn't just to execute commands once; the script was designed to inject malicious public keys into the server's ~/.ssh/authorized_keys file, granting the attacker permanent, direct SSH access without leaving a footprint in the web logs.
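To make the "layered obfuscation" point concrete, here is an added example (my own defensive scanner, not code from the original post or from the linked GitHub report) that peels nested base64 layers out of a PHP file and reports which layer contains the eval(base64_decode(...)) pattern, request-parameter reads, or shell-execution calls. The sample file, the regexes and the pattern list are constructed assumptions for illustration, not signatures taken from the analyzed backdoor.

```python
import base64
import binascii
import re

# Constructed sample: the eval(base64_decode($_POST[...])) pattern wrapped in two
# base64 layers, mimicking the "deep base64 nesting" described in the post.
INNER = b"eval(base64_decode($_POST['encoded_payload']));"
LAYER1 = b"eval(base64_decode('" + base64.b64encode(INNER) + b"'));"
SAMPLE_PHP = (
    b"<?php\n// PHP File Manager ver 1.5\n"
    b"eval(base64_decode('" + base64.b64encode(LAYER1) + b"'));\n"
)

# A run of 24+ base64-alphabet characters with optional padding (assumed threshold).
B64_RE = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")

# Indicators worth flagging at any decoding depth (assumed list, extend as needed).
SUSPICIOUS = [
    rb"eval\s*\(\s*base64_decode",
    rb"\$_(POST|GET|REQUEST)\s*\[",
    rb"\b(exec|passthru|shell_exec|system|proc_open)\s*\(",
    rb"authorized_keys",
]


def peel_layers(data, max_depth=10):
    """Repeatedly decode the longest base64 blob found in the latest layer.

    Returns the list of layers, starting with the original bytes. Stops when no
    blob is found, the blob is not valid base64, or max_depth is reached.
    """
    layers = [data]
    for _ in range(max_depth):
        blob = max(B64_RE.findall(layers[-1]), key=len, default=None)
        if blob is None:
            break
        try:
            decoded = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            break
        layers.append(decoded)
    return layers


def scan(data):
    """Scan every decoded layer for the suspicious patterns.

    Returns {"layers": <number of layers>, "findings": [(depth, pattern), ...]}.
    Depth 0 is the file as stored on disk; higher depths are decoded layers.
    """
    layers = peel_layers(data)
    findings = set()
    for depth, layer in enumerate(layers):
        for pat in SUSPICIOUS:
            if re.search(pat, layer):
                findings.add((depth, pat.decode()))
    return {"layers": len(layers), "findings": sorted(findings)}


def scan_file(path):
    """Convenience wrapper for scanning a file on disk."""
    with open(path, "rb") as fh:
        return scan(fh.read())


if __name__ == "__main__":
    result = scan(SAMPLE_PHP)
    print(f"decoded {result['layers']} layer(s)")
    for depth, pattern in result["findings"]:
        print(f"  depth {depth}: matched {pattern}")
```

The point of reporting the depth is that a signature scanner which only looks at depth 0 sees one eval call and a harmless-looking string; the $_POST read and any shell-execution calls only appear after decoding, which is exactly why the nesting defeats naive signature matching. Binary payloads such as an embedded TAR archive surface as a decoded layer too, so the regex search runs on raw bytes rather than assuming text.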
How to Protect Your System
If you suspect your server has been compromised, simply deleting the .php file might not be enough. You need to:
Check your ~/.ssh/authorized_keys for unauthorized entries.
Audit your system cronjobs to ensure the malware doesn't have a re-infection script scheduled.
Implement strict file permissions (chmod 644 for files, 755 for directories) and disable dangerous PHP functions like eval(), exec(), and passthru() in your php.ini.
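The remediation steps above are easy to state and easy to get wrong by eye, so here is an added example (written for this post, not taken from the original article or the linked report) that performs two of the checks mechanically: it audits an authorized_keys file against an allowlist of SHA256 key fingerprints, flagging unknown keys, entries that carry options and lines that do not parse, and it reports which functions are still missing from php.ini's disable_functions. The key blobs, the authorized_keys content and the php.ini excerpt are constructed placeholders, not real key material or a real configuration.

```python
import base64
import hashlib

# Key types recognised in authorized_keys (assumed list of common OpenSSH types).
KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)

# Constructed blobs: base64 of arbitrary bytes standing in for key material.
# They are NOT real public keys; they only exercise the parsing and hashing.
ADMIN_BLOB = base64.b64encode(b"constructed-admin-key-bytes").decode()
ROGUE_BLOB = base64.b64encode(b"constructed-rogue-key-bytes").decode()

AUTHORIZED_KEYS = f"""# admin workstation
ssh-ed25519 {ADMIN_BLOB} admin@workstation
no-pty,command=/bin/sh ssh-ed25519 {ROGUE_BLOB} unknown
garbage line that is not a key
"""

PHP_INI = """; constructed php.ini excerpt
disable_functions = exec,passthru
expose_php = Off
"""

# Functions an operator would expect to see disabled (assumed baseline).
REQUIRED_DISABLED = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"}


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line):
    """Return (options, keytype, blob, comment), or None for blank/comment lines
    and for lines that contain no recognised key type."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return tokens[:i], tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None


def audit_authorized_keys(text, allowlist):
    """Return (line_no, reason, detail) for every entry that needs a human look."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            if line.strip() and not line.lstrip().startswith("#"):
                findings.append((n, "unparseable entry", line.strip()))
            continue
        options, keytype, blob, comment = parsed
        fp = fingerprint(blob)
        if fp not in allowlist:
            findings.append((n, "key not in allowlist", f"{keytype} {fp} {comment}".strip()))
        if options:  # forced commands, no-pty etc. deserve a second look
            findings.append((n, "entry carries options", ",".join(options)))
    return findings


def missing_disable_functions(ini_text, required=REQUIRED_DISABLED):
    """List the required functions that disable_functions does not cover."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip php.ini comments
        if line.lower().startswith("disable_functions"):
            _, _, value = line.partition("=")
            disabled |= {f.strip().lower() for f in value.split(",") if f.strip()}
    return sorted(required - disabled)


if __name__ == "__main__":
    allowlist = {fingerprint(ADMIN_BLOB)}  # fingerprints of keys you issued
    for n, reason, detail in audit_authorized_keys(AUTHORIZED_KEYS, allowlist):
        print(f"authorized_keys line {n}: {reason}: {detail}")
    for fn in missing_disable_functions(PHP_INI):
        print(f"php.ini: {fn} is not in disable_functions")
```

Keeping an allowlist of fingerprints rather than eyeballing comments matters because the comment field is free text and an injected key can carry any label. One caveat on the php.ini step: eval is a language construct, not a function, so disable_functions cannot remove it; the list above therefore checks the process-spawning functions, and eval has to be caught by code review and scanning instead.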
Read the Full Deep Dive
I have documented the complete step-by-step deobfuscation process, the code breakdown, directory structures, and full remediation steps on GitHub.
See full analysis and source code breakdown here:
https://github.com/KhaiTrang1995/Malware-Analysis-Reports-PHP-Backdoor
Malware Analysis Report: [random_name].php
Classification: PHP Web Shell (Backdoor)
Risk Level: CRITICAL
Disguise: "PHP File Manager ver 1.5"
File Size: ~82 KB / 2,010 lines
Date Analyzed: 2026-05-16
Caution
DO NOT EXECUTE THIS FILE. It is a fully weaponized PHP web shell capable of complete server takeover. This document is for forensic analysis and educational purposes only.
Tags: #php #security #devsecops #malware
