Got hit again, briefly. Was able to recover very quickly thanks to the Git repos I had set up previously. I found a couple extra backdoors, using some alternate obfuscation methods. Instead of the typical “
eval(base64_decode(” the attacker instead took an existing file, commented out all the code, and interwove a series of variable assignments.
I think it’s a good thing to know the enemy, and the more we know about both (a) what they are doing, (b) what they are CAPABLE of doing — the better we can both recover and detect / identify future attacks. I’ve decrypted their backdoor application and pasted it below (after the jump), with some commentary.
It looked like this: