PHP Obfuscation

Anshil Dev
5 min read · Mar 13, 2024


PHP Obfuscator is an online tool that obscures a PHP script’s source code, making it hard for humans to read and its purpose hard to understand.

When releasing PHP scripts, we often want to stop others from quickly working out exactly what the script does, or from easily reusing the code in their own scripts.

PHP Obfuscator does this by renaming variables, interfaces, classes, and functions to random letters and numbers. Comments, blank lines, and spaces are removed from the source code. Strings can also be encoded (apart from “here doc” blocks), which helps prevent straightforward alterations to the script’s output.

Since the PHP server must still be able to run the script without any additional software installed, PHP Obfuscator cannot completely hide the source code.

The whole file, including any HTML, or the complete source code must be pasted for the script to be processed correctly. If you only want to process a section of the script, the code block must include PHP start and end tags.

https://www.gaijin.at/en/tools/php-obfuscato

Web shells are malicious entry points used by attackers to communicate with the server side and send commands remotely. These web-based, shell-like interfaces have evolved and become more covert in recent years, allowing them to bypass internal security measures.

Staying out of their way.
The purpose of this backdoor is to provide further access to a website or system. When malicious code is run on a target system, it has the ability to “open doors,” granting the attacker access and enabling them to go beyond the standard authentication procedure.

We will examine a PHP web shell that uses steganography to make its payload difficult to detect and long-lasting. While there are other types of web shells that may be used, it all depends on the characteristics of the target system.

Figure 1: High-level scenario diagram with a web shell serving as the first point of access.

As shown, attackers uploaded malicious code to the remote web server by exploiting well-known vulnerabilities in order to obtain code execution. From there, one may pivot into the internal network, open internal doors, and expose internal assets, as well as read and write the server filesystem and upload and download data.

Steganography to conceal the backdoor

Researchers from the Sucuri team discovered a type of PHP web shell in February 2021 that makes use of CSS files. They found 56,964 seemingly empty lines combining invisible tabs (0x09), spaces (0x20), and line feed (0x0A) characters which, upon conversion to binary, form part of an executable piece of JavaScript code.

Figure 2: Steganography is used to conceal payload in CSS files.

During the investigation, a file called license.php caught the researcher’s attention because of a strange block of code found during analysis. The license text is placed inside a multi-line PHP comment; however, on line 134 there is a gap between the comment blocks that contains PHP code.

Figure 3: PHP code accompanied by comment blocks.

This is not a novel method for criminals to evade detection. Although the PHP code is dangerous, at this point it does not itself execute code or provide any form of web shell payload.

Whitespace decoder

We’re going to isolate a tiny portion of the code, as shown below, to better understand how this piece of code functions.

Figure 4: PHP whitespace decoder.

In brief, the code reads the file in eight-character chunks and maps each tab (0x09) to a one bit and each space (0x20) to a zero bit. Each resulting eight-bit string is converted to a decimal integer and then, with chr(), to a character, so every octet of whitespace becomes one visible character. Finally, the full decode is completed and the final payload executed with the chain “base64_decode(str_rot13(gzdecode(…)”.

Another method, also present in the original PHP loader code, is to write a backup file whose name is “ ” (a single space) and then run it. Such a file name is easy to miss and barely visible in file listings. Execution ends with deletion of the file.
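As an added example (not code from the article or the loader it describes), the decoding steps just described and a detection heuristic for runs of whitespace-only lines, written in Python rather than PHP; the function names and the constructed sample file are assumptions:

```python
import base64
import codecs
import gzip
import re

# Loader mapping from the article: tab (0x09) -> 1 bit, space (0x20) -> 0 bit; line feeds carry no data.
BIT_FOR = {"\t": "1", " ": "0"}
WHITESPACE_ONLY = re.compile(r"^[ \t]+$")

def decode_whitespace(blob: str) -> bytes:
    """Pack each run of eight tabs/spaces into one byte (the loader's bindec + chr step)."""
    bits = "".join(BIT_FOR[ch] for ch in blob if ch in BIT_FOR)
    usable = len(bits) - len(bits) % 8  # a trailing partial octet is discarded
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))

def unwrap_layers(data: bytes) -> bytes:
    """Reverse the base64_decode(str_rot13(gzdecode(...))) chain from the article."""
    rot13_text = gzip.decompress(data).decode("ascii")
    return base64.b64decode(codecs.decode(rot13_text, "rot_13"))

def find_whitespace_runs(text: str, min_lines: int = 4) -> list:
    """Detection heuristic: (first_line_no, line_count, char_count) for each run of whitespace-only lines."""
    runs, start, chars = [], None, 0
    for no, line in enumerate(text.split("\n") + [""], start=1):  # "" closes a final run
        if WHITESPACE_ONLY.match(line):
            start, chars = start or no, chars + len(line)
            continue
        if start and no - start >= min_lines and chars % 8 == 0:  # whole octets only
            runs.append((start, no - start, chars))
        start, chars = None, 0
    return runs

def recover_payload(text: str) -> bytes:
    """Decode the first flagged run in `text` through the whitespace and wrapper layers."""
    first, count, _ = find_whitespace_runs(text)[0]
    lines = text.split("\n")[first - 1:first - 1 + count]
    return unwrap_layers(decode_whitespace("\n".join(lines)))

def _build_sample(payload: bytes) -> str:
    """Constructed test fixture only: `payload` in the wrapped whitespace form."""
    b64 = base64.b64encode(payload).decode("ascii")
    wrapped = gzip.compress(codecs.encode(b64, "rot_13").encode("ascii"))
    ws = "".join(f"{b:08b}" for b in wrapped).replace("1", "\t").replace("0", " ")
    return "\n".join(ws[i:i + 64] for i in range(0, len(ws), 64))

# Constructed sample shaped like license.php: comment block, normal code, then the hidden lines.
HIDDEN = b"<?php echo 'constructed, harmless payload'; ?>"
SAMPLE_FILE = ("<?php\n/*\n * Constructed sample license text.\n */\n"
               "echo 'ok';\n\n" + _build_sample(HIDDEN) + "\n")
```

Running find_whitespace_runs over a web root is a cheap first pass for a malware scanner or file integrity check; any flagged run can then be decoded offline for confirmation.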

The final payload, the run of whitespace, sits at the end of the license.php file, as seen in Figure 4.

Figure 5: Hex view of the last line of license.php file with the hidden payload.

The full payload could be seen after running the script as described above, which turns the whitespace into executable PHP code: the PHP web shell.

Figure 6: Steganography technique used to decode the web shell.

From here, with a little steganography, the web shell runs server-side, giving attackers access to the remote server to run arbitrary commands, escalate privileges, and more.

Dealing with whitespace obfuscation

Code is frequently hidden using obfuscation methods, which make analysis and detection more difficult. Many popular obfuscation techniques exist, and criminals are constantly searching for new ways to evade detection with long-lasting payloads. Through steganography, criminals can conceal the malicious code even from human inspection: when the target file is opened in a standard text editor, the malicious code consists only of a few lines of whitespace.

Consequently, a number of actions may be taken to stop these sorts of attacks:
• Quick fixes for vulnerabilities in plugins and web servers
• Use fewer plug-ins to avoid third-party vulnerabilities
• Network segmentation to stop lateral movement
• File integrity monitoring
• Malware scanning and endpoint security software
• Server configuration review and hardening

References
• Obfuscating PHP Backdoors Using Legitimate Code Wrappers (quttera.com)
• PHP Tricks | HackTricks
• How to decode obfuscated PHP files | Acro Commerce
