How does this giant regex work?

Front end | Unresolved | 4 | 1833
太阳男子 2020-12-02 03:34

I recently found the code below in one of my directories, in a file called doc.php. The file functions or links to a file manager. It's quite nicely done. Basi

4 answers
  •  天涯浪人
    2020-12-02 04:22

    This is not entirely a regular expression. The regex is /.*/, which basically means "match everything". The /e modifier, however, eval()s the code in the next parameter. In fact this is a way for someone to hide code. The following is proof that this is a backdoor, and you must remove it immediately. Your system may be compromised further.

    This is what the backdoor looks like when it is accessed:

    the hex part of the code:

    \x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28

    is actually: eval(gzinflate(base64_decode(

    This is the code that will print out the source code for this backdoor. However, I would not execute the resulting PHP code unless it is on a disposable virtual machine.

    
    

    How to lock down your server:

    There are a number of ways this could have gotten on your site. Most likely you have been hacked using exploit code because one of your web applications is out of date. Try updating everything, including libraries. Change passwords for everything, especially FTP, although you should be using SFTP or FTPS.

    If you control your MySQL server, make sure your web application's MySQL user account is not root, and make sure you remove MySQL FILE privileges from the account. You should also go a step further and do a chmod 500 -R /path/to/web/root and a chown www-data -R /path/to/web/root. www-data is a common user for Apache, but it might be different on your system; try running to figure out the user account.

    Next, run phpsecinfo. Modify your php.ini or .htaccess and remove all RED, and try to remove as much yellow as possible.
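An added example, not part of the answer above or of the asker's doc.php: a small Python scanner that flags the two things the answer points at, a preg_replace() pattern carrying the /e modifier and `\xNN` hex escapes that decode to eval(gzinflate(base64_decode(. The two PHP snippets inside it are constructed stand-ins for this example (the only real fragment is the hex string quoted in the answer); the base64 payload is a labelled placeholder, and nothing is ever executed, the script only decodes and reports.

```python
import re

# Constructed sample in the shape the answer describes: a "match everything" pattern
# with the /e modifier, and a replacement built from \x hex escapes. Harmless stand-in;
# the payload is a placeholder, not the asker's file.
SAMPLE_PHP = r'''<?php
$x = "\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28";
$payload = "PLACEHOLDER_BASE64";
preg_replace("/.*/e", $x . "'" . $payload . "')))", "");
?>'''

# Constructed benign control: ordinary preg_replace and a harmless hex-escaped "Hi".
BENIGN_PHP = r'''<?php
$title = preg_replace("/\s+/", " ", $_POST["title"]);
echo "\x48\x69";
?>'''

HEX_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{2})')
# First string argument of preg_replace(): quote char, then content up to the same quote.
PREG_CALL = re.compile(r'preg_replace\s*\(\s*(["\'])(.*?)\1', re.S)
# PCRE pattern string: delimiter, body, same delimiter, trailing modifier letters.
PATTERN_WITH_MODS = re.compile(r'^(.)(.*)\1([a-zA-Z]*)$', re.S)
# Function calls commonly chained by obfuscated PHP droppers; checked after decoding.
SUSPICIOUS = ("eval(", "gzinflate(", "base64_decode(", "str_rot13(", "assert(")


def decode_hex_escapes(text: str) -> str:
    """Turn \\xNN escapes into the characters they stand for (decoding only)."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def uses_eval_modifier(php_source: str) -> bool:
    """True if any preg_replace() pattern literal carries the /e modifier."""
    for call in PREG_CALL.finditer(php_source):
        parsed = PATTERN_WITH_MODS.match(call.group(2))
        if parsed and "e" in parsed.group(3):
            return True
    return False


def scan(php_source: str) -> dict:
    """Report the indicators for one PHP source string."""
    decoded = decode_hex_escapes(php_source)
    return {
        "eval_modifier": uses_eval_modifier(php_source),
        "hex_escapes": len(HEX_ESCAPE.findall(php_source)),
        "decoded_tokens": [t for t in SUSPICIOUS if t in decoded],
    }


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_PHP), ("benign", BENIGN_PHP)):
        print(name, scan(src))
```

Run it over a directory of .php files by reading each file into scan(); a hit on eval_modifier together with decoded_tokens is the pattern in the question, while a handful of hex escapes on their own (the benign control) is normal and should not be treated as a finding by itself.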
