a great disclosure from burmese hackers community for finding a backdoor scrips at your server. this isn’t so complicated since we use to search the php function that used by a backdoor / rooting script like c99 , r57 or erne shell. if you have use this scripts that mentioned. i think you should read this folowing sintax at that scripts:

• exec — Execute an external program
• passthru — Execute an external program and display raw output
• shell_exec — Execute command via shell and return the complete output as a string
• system — Execute an external program and display the output

• proc_open — Execute a command and open file pointers for input/output
• eval — Evaluate a string as PHP code
• and an backtick operator (eg. echo ” `ls –R` “)

so what we have to do is search the mentioned strings. this is regural expression that we can use :

(`|exec|shell_exec|system|proc_open|passthru|eval)

that all, thanks to yehg community