2 things I've done to them to try to catch all...

1. GZipped them all (you'll have to download them to a machine and look
at the source yourself, taking your own precautions and YES, they will
scan malicious in this setup as they are all trojans/backdoors)
2. changed their extension to .txt on the server

I'll also modify the server folder they are running on to disable php
entirely later tonight so they can never execute it on it.

When I reloaded them in my windoze box, my AV picked up on them in the
cache as the trojans they are and disabled access to them in my
browser's cache.  Since I don't run php on the windoze box, there really
was nothing to worry about and I could view the source in the browser.

But if you didn't run AV on the system you looked at them on, installed
them to your own local area and started playing with them, then you
pretty much borked yourself.  They are live code (hence why they were
phps and should have just been source to view) and the only way to
really pick them apart to view them.

Considering that the code was phps and the server treated them as such,
never did my server execute them.

Wolf

Dan Parry wrote:
>> -----Original Message-----
>> From: Wolf [mailto:[EMAIL PROTECTED]
>> Sent: 17 December 2007 16:00
>> To: [EMAIL PROTECTED]
>> Cc: php-general@lists.php.net
>> Subject: Re: [PHP] Securing your Sites
>>
>> Funny, they should all be PHPS, source only and my last check only did
>> them on the source viewing.  None of them are executable in that
>> folder.
>>
>> You got it from elsewhere.
> 
> I thought that too as I checked the site this morning and they all were .phps
> 
> However, wandering back over there sees that they are all now .tar.gz files 
> and, upon scanning, do carry a malicious payload
> 
> Dan
> 
>> [EMAIL PROTECTED] wrote:
>>> I want to personally thank you for 6 hours of work to remove the
>>> PHP-Back-door Trojan, that download from your site to my PC while
>>> viewing that POS you call a help line.
>>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>> No virus found in this incoming message.
>> Checked by AVG Free Edition.
>> Version: 7.5.503 / Virus Database: 269.17.4/1187 - Release Date:
>> 16/12/2007 11:36
>>
> 
