

Non-alphanumeric Backdoors - cubictwo
http://blog.sucuri.net/2013/09/ask-sucuri-non-alphanumeric-backdoors.html

======
Globz
So my grep patterns list should now look like this?

@$_[]=@!+_ apache_child_terminate assert base64_decode bzopen chgrp chmod
chown copy create_function curl_exec curl_multi_exec edoced_46esab eval exec
exif_imagetype exif_read_data exif_thumbnail extract fclose file file_exists
file_get_contents file_put_contents fileatime filectime filegroup fileinode
filemtime fileowner fileperms filesize filetype fopen fsockopen ftp_get
ftp_nb_get ftp_nb_put ftp_put get_meta_tags getimagesize glob gzfile gzopen
hash_file hash_hmac_file hash_update_file highlight_file image2wbmp
imagecreatefromgif imagecreatefromjpeg imagecreatefrompng imagecreatefromwbmp
imagecreatefromxbm imagecreatefromxpm imagegd imagegd2 imagegif imagejpeg
imagepng imagewbmp imagexbm ini_set iptcembed is_dir is_executable is_file
is_link is_readable is_uploaded_file is_writable is_writeable lchgrp lchown
link linkinfo lstat mail md5_file mkdir move_uploaded_file parse_ini_file
parse_str passthru pathinfo pcntl_exec pfsockopen php_strip_whitespace phpinfo
popen posix_kill posix_mkfifo posix_setpgid posix_setsid posix_setuid
preg_replace proc_close proc_nice proc_open proc_terminate putenv python_eval
read_exif_data readfile readgzfile readlink realpath rename rmdir sha1_file
shell_exec show_source stat str_replace symlink system tcpflood tempnam
tmpfile touch udpflood unlink

~~~
lambda
Actually, you don't even need grep, just find:

    
    
    find . -name "*.php" -exec printf "PHP found, you're probably owned: " \; -print -quit

Sorry, I know that "PHP is insecure" jokes are overdone, but that enormous
blacklist that you have to find vulnerabilities seemed like it could be
simplified a bit.

~~~
ars
Can we please leave stupidities like this off of HN?

PHP is a programming language - it would be a pretty useless programming
language that can't do anything.

Go read that list - they are all useful functions. You would be hard pressed
to make a usable language without them.

------
eknkc
An encoder (obfuscator?) to create similar code (alphabet: "()[]{}+!") in
JavaScript:
[http://patriciopalladino.com/files/hieroglyphy/](http://patriciopalladino.com/files/hieroglyphy/)

~~~
nwh
For even more fun, JavaScript can use Unicode characters as variable names,
provided the first is alphanumeric. I'll let you use your imagination with
that one.

~~~
jimktrains2
The first char has to be a _letter_, $, or _. Letter can be one of the letter
classes for any language.

ಠ_ಠ is a valid JavaScript identifier.

[http://stackoverflow.com/a/9337047/35338](http://stackoverflow.com/a/9337047/35338)

------
daGrevis
What are the most effective and sneaky backdoor mechanisms you know? I'll be
forced to implement one myself, so it had better be good.

~~~
EthanHeilman
Backdooring Chips by Altering Silicon Doping
[http://sharps.org/wp-content/uploads/BECKER-CHES.pdf](http://sharps.org/wp-content/uploads/BECKER-CHES.pdf)

------
vezzy-fnord
Although a pretty good feat, I thought the Joomla! backdoor in the GPL was
sneakier and more interesting.

These characters should trigger an alarm if caught by eye in a source file.
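
An added example, not part of the thread or of the linked article: a scanner that flags long symbol-only runs in PHP source, the shape of the `@$_[]=@!+_` token in the pattern list above, instead of matching one literal string. The function names, the thresholds (12 characters, 5 distinct symbols) and the sample text are assumptions made for illustration.

```python
import re
import string
from pathlib import Path

# Character class covering every ASCII punctuation character (no letters, digits, spaces).
PUNCT = "[" + re.escape(string.punctuation) + "]"

def find_symbol_runs(source, min_len=12, min_distinct=5):
    """Return (line_no, run) for each run of punctuation at least min_len long."""
    pattern = re.compile(PUNCT + "{%d,}" % min_len)
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        compact = "".join(line.split())  # spaces between tokens must not break a run
        for match in pattern.finditer(compact):
            run = match.group(0)
            # Divider comments ("-----", "=====") repeat one or two symbols; skip them.
            if len(set(run)) >= min_distinct:
                hits.append((line_no, run))
    return hits

def scan_tree(root):
    """Map each *.php file under root to its hits; clean files are omitted."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = find_symbol_runs(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample: a divider comment, one ordinary statement, and one
# symbol-only line built around the token quoted in the thread.
SAMPLE = r"""<?php
// ----------------------------------------
if ($a[0] == $b) { echo base64_decode($x); }
$_=[]; @$_[]=@!+_; $__=$_[+!![]]; $__++;
"""

if __name__ == "__main__":
    for line_no, run in find_symbol_runs(SAMPLE):
        print("line %d: %d symbol-only characters: %s" % (line_no, len(run), run))
```

A hit is a prompt for manual review, not a verdict: minified templates and regex-heavy code can also produce long punctuation runs.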

