Return of the EXIF PHP Joomla Backdoor
Some people may not be aware that malware can live inside, and run from, image files. We’ve seen this A LOT over the years in Joomla. Why Joomla? It seems the vulnerable plugins and themes make adding malware via image files (PNG, JPG, GIF) a practical route.
This backdoor is a full shell. Its loader is generally added to the application.php core file: that code reads the EXIF data from the logo image file and uses preg_replace to inject the code stored there. It’s kind of clever, but not too difficult to identify if you are simply grep’ing image files (to grep binary files, use the grep -a flag).
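A read-only triage scan for this pattern, added here as an example and not taken from the original post; the directory layout, file names and regexes are assumptions:

```shell
#!/bin/sh
# Added example, not from the original post: read-only triage scan for the
# EXIF image backdoor described above. Directory layout, file names and the
# regexes are assumptions; tune them to the Joomla install being checked.

# Inside an "image", any of these is a red flag: a PHP open tag, eval() or
# base64_decode(). grep -a treats the binary file as text; -l prints names only.
IMG_PATTERNS='<\?php|eval\(|base64_decode\('

# scan_images DIR: print each image file under DIR matching IMG_PATTERNS.
scan_images() {
    find "$1" -type f \( -iname '*.jpg' -o -iname '*.jpeg' \
                      -o -iname '*.png' -o -iname '*.gif' \) \
         -exec grep -a -l -E "$IMG_PATTERNS" {} + 2>/dev/null
    return 0
}

# scan_loader DIR: print each .php file that reads EXIF data AND calls
# preg_replace with the /e modifier, which evaluates the replacement as PHP.
# Requiring a non-letter after "/e" avoids matching ordinary patterns like "/ex/".
scan_loader() {
    find "$1" -type f -iname '*.php' \
         -exec grep -l -E 'exif_read_data\(' {} + 2>/dev/null |
    while IFS= read -r f; do
        grep -q -E 'preg_replace\(.*/e[^a-zA-Z]' "$f" && printf '%s\n' "$f"
    done
    return 0
}

# make_fixture DIR: write CONSTRUCTED sample files (not real malware) so both
# scanners can be exercised offline: a clean JPEG header, a "logo" whose
# EXIF-style text carries a PHP tag, and a placeholder application.php loader.
make_fixture() {
    mkdir -p "$1/images" "$1/libraries"
    printf '\377\330\377\341\000\020Exif\000\000clean' > "$1/images/clean.jpg"
    printf '\377\330\377\341\000\020Exif\000\000Make\000<?php eval(CONSTRUCTED); ?>' \
        > "$1/images/logo.jpg"
    printf '<?php echo "clean";\n' > "$1/libraries/clean.php"
    printf '<?php\n$e = exif_read_data(CONSTRUCTED);\npreg_replace("/CONSTRUCTED/e", CONSTRUCTED, "");\n' \
        > "$1/libraries/application.php"
}
```

Run `scan_images` over the images tree and `scan_loader` over the PHP tree of the install; anything either one lists deserves a manual look at the matching bytes before cleanup.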