Backdoors are server-side malicious scripts which are intended to perpetrate malicious acccess to the server. The typical example of such backdoors are various File Managers, Web Shells, tools for bypassing admin login or various one-purpose scripts allowing the attacker to upload and run another type of malicious scripts. The payload is PHP based, thus intended for server-side use and the payload is executed directly on the server, while the site is loaded. Only the payload result (such as Web Shell environment) is visible in the browser, not the malicious code itself. It's very common, that backdoors don't have any visible signs in the site code and it's impossible to detect them by accessing the infected site from outside. Server level analysis is necessary in case of infection by this type of malware.
This signature typically matches obfuscated files of a black hat SEO attack that calls its own malicious files "beans".
It has varios types of backdoors: beandoor - version of the FilesMan web shell. Bean uploaders - code that uploads malicious code from remote servers
and puts them into new files and injects them into legitimate files. On WordPress, it typically injects malware into wp-login.php, wp-config-sample.php
and wp-content/index.php. On Joomla sites it infects includes/framework.php, libraries/loader.php and templates/beeze/index.php. In addition, it saves malicious
code in .gif and .jpg files. For example, encoded spammy links can be foun in theme_logo.jpg. Other malicious files can be: .cache.jpg, .cache.php. wordpress.gif,
.xml, sidebar-k.gif, sidebar-bg.gif, header-bg.gif


PHP sites. Malware has specific code for WordPress and Joomla


This malware typically involved 5+ different types of malicious code so it may be challenging to identify all infected file. Infected and malicious files should be removed. Security hole should be identified and cleaned. You can contact Sucuri to help you with the infection removal.