
Tuesday, 13 February 2007

Know About the New PHP 'Virus' Floating Around

 

 

Richard Thomas, in his blog, describes a virus he received through e-mail. He explains that the e-mail claimed to come from his host and used a generic return address. It talked about security upgrades and said that, due to a new policy to help keep the data center secure, he was required to upload and run one of two files in a zip attachment. The first was a PHP file and the other was an ASP file, he says.

Richard soon realized that it wasn't from the host and was a sneaky virus. On further investigation, he found that someone had taken a copy of a file and server management program called nsTView, which by itself is harmless unless you leave it out in the wild with an empty or easy-to-guess password. They had added some code to it to e-mail various data to an address they could use to compromise the server further, he says.

He explains how the 'hacker' hid the code. The hacker used the strtr function to 'encrypt' it, then ran it through base64_encode, and stuck the result at the end of a PHP file after the closing PHP tag. The file then uses eval with the reverse base64/strtr steps so that the script opens itself up: it reads its last line, base64-decodes it, reverses the strtr 'encryption', and then evals the resulting string, he explains.

He gives the following two pointers for staying clear of such hacks:

  • base64 encoding and other tricks are not true protection for source code; even a semi-smart program can reverse engineer such things
  • Never blindly run code from unknown sources, question code from known sources, and if you still have hairs sticking up, take some time to read the source


He also posts a single bit of code, keeping the security perspective in mind. This part of the code helps to check whether servers are affected by such a virus. The code is as follows:

=__FILE__;=__LINE__;=128720;
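
One way to check PHP files for the layout described above (encoded data after the closing PHP tag, plus a loader that evals it), as an added example that is not from Richard Thomas's post or this article. The function names, the 64-character threshold and both sample files are assumptions constructed for illustration.

```python
import base64
import re

# Loader functions named in the article's description of the obfuscation.
INDICATORS = ("eval", "base64_decode", "strtr", "__FILE__")
MIN_TRAILER = 64  # assumed threshold for "long" trailing data; tune locally


def looks_base64(blob: str) -> bool:
    """True if blob is a long, strictly valid base64 string."""
    compact = "".join(blob.split())
    if len(compact) < MIN_TRAILER:
        return False
    try:
        base64.b64decode(compact, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def scan(source: str) -> dict:
    """Flag PHP source with encoded data after the last closing tag
    plus a loader that evals decoded content."""
    head, sep, tail = source.rpartition("?>")
    code, trailer = (head, tail) if sep else (source, "")
    hits = [n for n in INDICATORS if re.search(r"\b" + re.escape(n) + r"\b", code)]
    encoded = looks_base64(trailer)
    return {
        "indicators": hits,
        "encoded_trailer": encoded,
        "suspicious": bool(encoded and "eval" in hits and len(hits) >= 3),
    }


# Constructed samples: the payload is placeholder text, not PHP.
_PAYLOAD = base64.b64encode(b"constructed benign placeholder " * 4).decode()
INFECTED = (
    "<?php\n$l = file(__FILE__);\n"
    "eval(strtr(base64_decode(end($l)), 'abc', 'xyz'));\n?>\n" + _PAYLOAD + "\n"
)
CLEAN = "<?php\necho base64_decode('aGk=');\n?>\n<p>footer</p>\n"

if __name__ == "__main__":
    for name, sample in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, scan(sample))
```

A hit is a reason to read the file by hand, in line with the second pointer above; ordinary HTML after a closing tag does not trigger it.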

 

Copyright @ 2008 SDA Asia Magazine - All Right Reserved Privacy Policy | Terms of Use