I recently found the code below in one of my directories, in a file called doc.php. The file functions or links to a file manager. It's quite nicely done. Basi
Q: What possible ways could this have gotten on my site / directory?
A: It probably did not get to / when it first got injected. A single 777 directory on your host would do, and so would a slew of other security holes, including compromised FTP access, trojans, blog-engine plug-ins, or cross-pollination.
The PHP initialization process of this backdoor starts by scanning the host for anti-virus utilities. Here is the specific list:
kav nod32 bdcored uvscan sav drwebd clamd rkhunter chkrootkit iptables ipfw
tripwire shieldcc portsentry snort ossec lidsadm tcplodg sxid logcheck
logwatch sysmask zmbscap sawmill wormscan ninja
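As an added defender-side example (not code from this thread or from the backdoor itself), the POSIX shell functions below check for the two things discussed above: PHP files that embed an unusually large number of the security-tool names listed, and directories left world-writable (777). The function names and the threshold of 8 distinct names are assumptions.

```shell
#!/bin/sh
# Heuristic triage for a web root after a doc.php-style find.
# Added example; the tool-name list is the one quoted in the thread.

RAT_TOOL_NAMES="kav nod32 bdcored uvscan sav drwebd clamd rkhunter chkrootkit iptables ipfw
tripwire shieldcc portsentry snort ossec lidsadm tcplodg sxid logcheck
logwatch sysmask zmbscap sawmill wormscan ninja"

# count_tool_names FILE
# Print how many distinct names from the list occur as whole words in FILE.
count_tool_names() {
  n=0
  for name in $RAT_TOOL_NAMES; do
    if grep -qw -- "$name" "$1"; then n=$((n + 1)); fi
  done
  echo "$n"
}

# find_suspect_php DIR [THRESHOLD]
# List .php files under DIR naming at least THRESHOLD (assumed default 8)
# of the tools; ordinary application code rarely mentions that many.
find_suspect_php() {
  threshold="${2:-8}"
  find "$1" -type f -name '*.php' | while IFS= read -r f; do
    if [ "$(count_tool_names "$f")" -ge "$threshold" ]; then
      echo "$f"
    fi
  done
}

# find_world_writable DIR
# List directories under DIR that any local user can write to (the 777 case).
find_world_writable() {
  find "$1" -type d -perm -0002
}
```

Run both functions against the document root and review every hit by hand; a match is a lead, not a verdict.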
Since this is an obfuscation war, wouldn't it make sense to somehow obfuscate the names of these tools, or hide their very presence, so as not to let malign hackers annihilate them from the get-go?
Danger! A much more compact, equally evil remote access tool is described in detail at http://thegothicparty.com/dev/article/server-side-virus-rat/.
Unlike the doc.php backdoor, it is meant to be remote controlled. Same hazards and methods of eradication apply.