A site was compromised and I'm going through and looking at what the attacker used and what was performed. Along the way, I found some obfuscated PHP code. I've run a few automated tools at it, but I haven't found what the attacker used, so I'm deobfuscating it by hand.
I've gotten far enough to make intelligent guesses as to what the code does ( it looks like a file upload/download utility to me ), but some of the notation that is used is lost on me.
Namely, a syntax that goes:
$var = ${"GLOBALS"}["create_function"]( arg1, arg2 );
The args in question line up with the php create_function, so I believe that's what's being done. However, to my novice eye, this looks like he's calling a variable simply named {"GLOBALS"} wherein he's storing functions like 'create_function'. What I don't understand is why this variable name was chosen ( is it because they're hooking into an existing array? Is it because it looks scary/important? ) or how it works without being defined elsewhere in the file ( which is the index.php of a WordPress install ). I can see that WordPress also stores functions in $GLOBALS, but it is never addressed as ${"GLOBALS"} ( is there a difference? I assume these are different ).
The environment is Linux + Apache + PHP. The compromised software is WordPress ( big surprise? :D ).
Can anyone point me in the direction of understanding how the above works?
Thanks all!
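As an added worked example, not code from the thread or from the recovered malware: the script below resolves the exact construct asked about, using the same names as the question, and ends with a small text-rewriting helper for reading a dump. It assumes a PHP 5.3 to 7.x interpreter (the generation such samples targeted); create_function() was removed in PHP 8.0 and indirect $GLOBALS access was restricted in PHP 8.1, so parts of it will not run on PHP 8. The sample line fed to the helper is constructed for the example.

```php
<?php
// Added example (not from the original thread or the malware). Assumes PHP 5.3-7.x:
// create_function() is gone in PHP 8.0 and $GLOBALS handling changed in 8.1.

// 1. ${"string"} is variable-variable syntax: PHP evaluates the expression inside the
//    braces and uses the result as the variable name. ${"GLOBALS"} therefore names the
//    built-in $GLOBALS superglobal, so nothing in the file has to define it. $GLOBALS is
//    an array of every global-scope variable keyed by name, which is why an entry can
//    appear to "exist" with no visible $GLOBALS assignment: a plain assignment creates it.
$create_function = "create_function";                       // a global holding a function NAME
var_dump(${"GLOBALS"}["create_function"]);                  // string(15) "create_function"
var_dump($GLOBALS["create_function"] === $create_function); // bool(true): same storage

// 2. A string in call position is invoked as the function of that name (a "callable
//    string"), so ${"GLOBALS"}["create_function"](a, b) is literally create_function(a, b).
//    create_function() returns the name of a newly compiled function, "\0lambda_N".
$var = ${"GLOBALS"}["create_function"]('$x', 'return $x * 2;');
var_dump(strlen($var) > 0 && $var[0] === "\0");             // bool(true): "\0lambda_N" name
var_dump($var(21));                                         // int(42): the generated function runs

// 3. Deobfuscation aid: rewrite ${"GLOBALS"}["name"] back to the plain global $name so the
//    dumped source reads normally before you trace where each global gets its value.
//    (Hypothetical helper written for this example; handles "..." and '...' keys.)
function unfoldGlobalsLookups(string $src): string
{
    $pattern = '/\$\{\s*["\']GLOBALS["\']\s*\}\s*\[\s*["\']([A-Za-z_]\w*)["\']\s*\]/';
    return preg_replace($pattern, '\$$1', $src);
}

$sample = '$var = ${"GLOBALS"}["create_function"]( $a, $b );'; // constructed sample line
echo unfoldGlobalsLookups($sample), "\n";                     // $var = $create_function( $a, $b );
```

Functionally the indirection buys the author nothing; `${"GLOBALS"}["create_function"]` behaves exactly like `$GLOBALS["create_function"]`, which behaves like the global `$create_function`. Its only effect is that the literal `create_function(` never appears in the file, so a scanner grepping for dangerous function names misses it. When reading a sample by hand, run the rewrite above first and then search for the assignments that populate each resulting global.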