Aaron Saray has a post to his site sharing the "anatomy of a PHP hack" - the evidence that he found and pulled apart based on a recent hack he experienced.
It’s hard to come up with a title for this - but - basically I found some rogue code the other day that I thought was pretty interesting. I was fixing a “hacked” website when I came across the source of the symptoms of the hack.
He starts with the code he found in the hacked website, obfuscated to hide the true intent and how he disassembled it to find the true intent. He walks through the method he used to reverse the code ultimately ending up with a simple call to base64_decode a value that comes in from a $_POST
request.