Re: [PHP] Securing your sites against Script Kiddies

2008-04-22 Thread paragasu
 http://ambiguous.dnsalias.net/


What a nice collection you have. I also have some of these files on my
server. I don't know how the files end up in my web page directory. At that
time I was using a shared server with 300+ websites hosted on the same host.
I did not have ssh or telnet access (only ftp and cpanel-x to do
administration). No matter how hard I tried to secure my code, a few months
later there would be more mysterious files, and some of them I could not
delete no matter how hard I tried.

I moved to a VPS, and only then did I feel more comfortable and in control.


RE: [PHP] Securing your Sites

2007-12-17 Thread admin
I want to personally thank you for 6 hours of work to remove the
PHP-Back-door Trojan that downloaded from your site to my PC while viewing that
POS you call a help line.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Securing your Sites

2007-12-17 Thread Wolf
Funny, they should all be PHPS, source only, and my last check only did
them on the source viewing.  None of them are executable in that folder.

You got it from elsewhere.

[EMAIL PROTECTED] wrote:
 I want to personally thank you for 6 hours of work to remove the 
 PHP-Back-door Trojan, that download from your site to my PC while viewing 
 that POS you call a help line.
 
 




RE: [PHP] Securing your Sites

2007-12-17 Thread Dan Parry
 -Original Message-
 From: Wolf [mailto:[EMAIL PROTECTED]
 Sent: 17 December 2007 16:00
 To: [EMAIL PROTECTED]
 Cc: php-general@lists.php.net
 Subject: Re: [PHP] Securing your Sites
 
 Funny, they should all be PHPS, source only and my last check only did
 them on the source viewing.  None of them are executable in that
 folder.
 
 You got it from elsewhere.

I thought that too, as I checked the site this morning and they were all .phps.

However, wandering back over there shows that they are all now .tar.gz files
and, upon scanning, do carry a malicious payload.

Dan

 [EMAIL PROTECTED] wrote:
  I want to personally thank you for 6 hours of work to remove the
  PHP-Back-door Trojan, that download from your site to my PC while
 viewing that POS you call a help line.
 
 
 



RE: [PHP] Securing your Sites

2007-12-17 Thread Dan Parry
 -Original Message-
 From: Wolf [mailto:[EMAIL PROTECTED]
 Sent: 17 December 2007 16:00
 To: [EMAIL PROTECTED]
 Cc: php-general@lists.php.net
 Subject: Re: [PHP] Securing your Sites
 
 Funny, they should all be PHPS, source only and my last check only did
 them on the source viewing.  None of them are executable in that
 folder.
 
 You got it from elsewhere.

Sorry, update.

Scanning with AVG reveals that c99-2, 3 and 4 report backdoor Trojan infections,
but it occurs to me that maybe AVG is just finding the malicious payload you
are demonstrating?

I'd like to thank you for supplying the source for these exploits... If I've
made a mistake and compounded an incorrect situation, I do apologise.

Dan

 [EMAIL PROTECTED] wrote:
  I want to personally thank you for 6 hours of work to remove the
  PHP-Back-door Trojan, that download from your site to my PC while
 viewing that POS you call a help line.
 
 
 



Re: [PHP] Securing your Sites

2007-12-17 Thread Jeremy Mcentire
Wait, I'm confused.  Did PHP send a virus to your computer without
action on your part?  That'd be scary.  If you downloaded something,
was the checksum not published for you to verify your download prior
to unpacking it?  That's always a warning worthy of apprehension.
What was the PHP-Back-door Trojan exactly?


Jeremy Mcentire
Ant Farmer
ZooToo LLC




Re: [PHP] Securing your Sites

2007-12-17 Thread Wolf
2 things I've done to them to try to catch all...

1. Gzipped them all (you'll have to download them to a machine and look
at the source yourself, taking your own precautions, and YES, they will
scan malicious in this setup as they are all trojans/backdoors)
2. Changed their extension to .txt on the server

I'll also modify the server folder they are sitting in to disable php
entirely later tonight so it can never execute them.

When I reloaded them in my windoze box, my AV picked up on them in the
cache as the trojans they are and disabled access to them in my
browser's cache.  Since I don't run php on the windoze box, there really
was nothing to worry about and I could view the source in the browser.

But if you didn't run AV on the system you looked at them on, installed
them to your own local area and started playing with them, then you
pretty much borked yourself.  They are live code (hence why they were
phps and should have just been source to view) and viewing them is the
only way to really pick them apart.

Considering that the code was phps and the server treated it as such,
my server never executed them.

Wolf

Dan Parry wrote:
 -Original Message-
 From: Wolf [mailto:[EMAIL PROTECTED]
 Sent: 17 December 2007 16:00
 To: [EMAIL PROTECTED]
 Cc: php-general@lists.php.net
 Subject: Re: [PHP] Securing your Sites

 Funny, they should all be PHPS, source only and my last check only did
 them on the source viewing.  None of them are executable in that
 folder.

 You got it from elsewhere.
 
 I thought that too as I checked the site this morning and they all were .phps
 
 However, wandering back over there sees that they are all now .tar.gz files 
 and, upon scanning, do carry a malicious payload
 
 Dan
 
 [EMAIL PROTECTED] wrote:
 I want to personally thank you for 6 hours of work to remove the
 PHP-Back-door Trojan, that download from your site to my PC while
 viewing that POS you call a help line.


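Wolf's three measures above (gzip the samples, give them a non-PHP extension, switch PHP off for the folder) as one script. This is an added example, not Wolf's own setup: it assumes Apache with mod_php and AllowOverride enabled for the directory, and the NAME.txt.gz naming and the function names are my choices.

```shell
#!/bin/sh
# Added example: quarantine a folder of webshell samples so the web server
# can never execute them. Assumes Apache with mod_php and AllowOverride on
# for the directory; the NAME.txt.gz naming is an assumption, not Wolf's.
set -eu

# Steps 1 and 2: gzip every sample and give the result a non-PHP extension.
# basename first, so a dotted directory name is never taken for an extension.
quarantine_samples() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.txt.gz) continue ;; esac
        base=$(basename "$f")
        gzip -c "$f" > "$dir/${base%.*}.txt.gz"
        rm -f "$f"
    done
}

# Step 3: an .htaccess that stops PHP execution in the folder. php_flag is
# honoured only under mod_php; RemoveHandler/RemoveType also cover setups
# that wire PHP in via AddHandler/AddType, and the FilesMatch block refuses
# to serve anything still named like a PHP script (Apache 2.2 syntax).
disable_php_in_dir() {
    dir=$1
    cat > "$dir/.htaccess" <<'EOF'
php_flag engine off
RemoveHandler .php .phtml .php3 .phps
RemoveType .php .phtml .php3 .phps
<FilesMatch "\.(php|phtml|php3|phps)$">
    Order allow,deny
    Deny from all
</FilesMatch>
EOF
}

# Succeeds only if no PHP-named file is left and the .htaccess is in place.
verify_quarantine() {
    dir=$1
    leftovers=$(find "$dir" -maxdepth 1 -type f -name '*.php*' | wc -l | tr -d ' ')
    [ "$leftovers" -eq 0 ] && [ -f "$dir/.htaccess" ]
}

if [ "$#" -gt 0 ]; then
    quarantine_samples "$1"
    disable_php_in_dir "$1"
    verify_quarantine "$1" && echo "quarantined $1"
fi
```

Under php-fpm the php_flag line is ignored, so the handler removal and the FilesMatch deny are what actually protect the folder there.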



Re: [PHP] Securing your Sites

2007-12-17 Thread Daniel Brown
On Dec 17, 2007 11:27 AM, Jeremy Mcentire [EMAIL PROTECTED] wrote:
 Wait, I'm confused.  Did PHP send a virus to your computer without
 action on your part?  That'd be scary.  If you downloaded something,
 was the checksum not published for you to verify your download prior
 to unpacking it?  That's always a warning worthy of apprehension.
 What was the PHP-Back-door Trojan exactly?

Here's what is going on, from start to finish, for anyone who may
be concerned:

1.) Wolf's server was breached (or an attempt was made) by a couple of
wannabes and script kiddies.
2.) He tarred and gzipped the malicious PHP scripts, after
renaming them to .phps (source) scripts for you to view.
3.) When you download the gzipped tarballs, they contain the PHP
source code in a .phps, as expected.
4.) Any scans of those files COULD and SHOULD indicate that they
are exploits --- BECAUSE THEY ARE.
5.) Some of you may not have chosen to fully read the page telling
you what they are prior to downloading.
6.) If Step 5 applies to you, that is YOUR FAULT, not Wolf's.

I didn't find it all that difficult to read the two paragraphs or
so prior to downloading.  In fact, I find that I rather enjoy doing
that so I know what the hell I'm downloading in the first place,
before blindly downloading some code.  ;-P


-- 
Daniel P. Brown
[Phone Numbers Go Here!]
[They're Hidden From View!]

If at first you don't succeed, stick to what you know best so that you
can make enough money to pay someone else to do it for you.




Re: [PHP] Securing your Sites

2007-12-17 Thread Wolf
ALL of them should report as trojans if you download them to your cache, but
this should only be an issue if you have PHP installed on that machine and
then execute that code in your own php server.

They are all trojans/back doors.

But if you only view the source then you aren't going to bork yourself.

As they are now all tar.gz, the AV scanners should all catch them as
trojans, so you will need to tell your scanner to allow you to access that
folder, save it to your local drive and view the source in your favorite
text editor to look at them.

Wolf

Dan Parry wrote:
 -Original Message-
 From: Wolf [mailto:[EMAIL PROTECTED]
 Sent: 17 December 2007 16:00
 To: [EMAIL PROTECTED]
 Cc: php-general@lists.php.net
 Subject: Re: [PHP] Securing your Sites

 Funny, they should all be PHPS, source only and my last check only did
 them on the source viewing.  None of them are executable in that
 folder.

 You got it from elsewhere.
 
 Sorry, update
 
 Scanning with AVG reveals that c99-2, 3 and 4 report backdoor Trojan 
 infections but it occurs to me that maybe AVG is just finding the malicious 
 payload you are demonstrating?
 
 I'd like to thank you for supplying the source for these exploits... If I've 
 made a mistake and compounded an incorrect situation I do apologise
 
 Dan
 
 [EMAIL PROTECTED] wrote:
 I want to personally thank you for 6 hours of work to remove the
 PHP-Back-door Trojan, that download from your site to my PC while
 viewing that POS you call a help line.
