Wednesday, 18 November 2015

php malware

A php file was uploaded to my anonymous ftp. An anonymous ftp allows anyone who wants to, to upload files to my server. I read the file, to see what it does. The uploader is hoping that A) I'm running linux (I am) and B) I'm running php (I'm not) and C) he can access the file as soon as it's uploaded (he can't).

Uploads to my ftp, are not visible or accessible to the uploader.

I get one of these every few weeks; it's not as common an attack as an emailed file, but it isn't uncommon. The fact that the attack is being made, is evidence that it must succeed, at least occasionally.

Here's what you should do if you're running an anonymous ftp.

1) Don't allow web access to the place that's uploaded to.
2) If you move an uploaded file to a place that's web-accessible, look at it first. And remember that even if it has a file extension that suggests that it isn't php, it still might be.

Also, when any file is uploaded to my ftp, it's renamed on upload.

I checked it with VirusTotal. It was first uploaded to them three years ago, and even now, 20 out of 54 products don't flag it.

SHA256 38fe65d93a95e9f4f051c5a522bd99b3084a70cf61fab64e01061b4752e629c6

No comments:

Post a Comment