Security help Trojan.PHP-43


Johnnyboy69

Recommended Posts

Hi all. Was hoping for some advice on the following. A client has provided me with a website that has recently been hacked. Apparently, specifically the mail server aspect of the site has been influenced, causing the site to send out spam mail. The following Trojan was found in 4 files of the site: Trojan.PHP-43. Files that were influenced were mostly wp-conf.php and 2 mail PHP scripts. Does anyone have knowledge or experience with this Trojan or any tips that could help me resolve this? Also, any pointers on aspects of the site that will need to be improved in order to prevent this, i.e. what weaknesses of a site are normally exploited for this kind of Trojan to breach it? Thank you in advance.


The issue isn't directly with the Trojan script itself, it's how the Trojan script was placed onto the server.

 

Some php code was either uploaded, remotely included, or injected into eval'ed content and then executed on the server or an admin password for an application/control panel/ftp was guessed and directly allowed php code to be put onto the server. The original loader script then read and put the Trojan script onto the server. You would need to find the exact method that was used to get the original loader code onto the server and close the hole that allowed it. The web server access log file and any application/control panel/ftp/sql query log files would be the best places to start looking.

 

Given the name of the Trojan, it's likely that the method of getting it onto the server involved a remotely included file in conjunction with php's register_globals being ON and an older php application that wasn't secure.

Edited by PFMaBiSmAd
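One way to start the log review the reply above describes, as an added example that is not code from this thread: a small Python triage script that parses Apache combined-format access-log lines and flags two patterns, query parameters carrying a remote URL (the remote-include pattern mentioned above) and POST requests to the files the poster said were modified. The sample log lines, the IP addresses and the mail-script path /mail.php are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Apache combined format); not taken from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2012:03:14:07 +0000] "GET /index.php?page=http://198.51.100.9/x.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2012:03:14:09 +0000] "POST /wp-conf.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2012:03:15:01 +0000] "GET /about.php HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2012:03:16:30 +0000] "POST /mail.php HTTP/1.1" 200 32 "-" "curl/7.19"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Paths the poster reported as modified; /mail.php is a hypothetical name for a mail script.
SUSPECT_FILES = {"/wp-conf.php", "/mail.php"}
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def remote_url_params(target):
    """Query parameters whose decoded value is itself a URL: the remote-include signature."""
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if v.lower().startswith(REMOTE_SCHEMES)]

def triage(log_text, suspect_files=SUSPECT_FILES):
    """Flag requests that could have planted, or later driven, the dropped scripts."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = remote_url_params(rec["target"])
        if hits:
            findings.append(("remote_include_param", rec["ip"], rec["ts"], rec["target"], hits))
        if rec["method"] == "POST" and urlsplit(rec["target"]).path in suspect_files:
            findings.append(("post_to_modified_file", rec["ip"], rec["ts"], rec["target"], []))
    return findings

def clients_by_findings(findings):
    """Count findings per client IP; the top entry is where to pivot the investigation."""
    return Counter(f[1] for f in findings)
```

Against a real log, call `triage(open("access.log").read())` and then check the timestamps of the flagged requests against the modification times of the infected files.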

Files that were influenced were mostly wp-conf.php and 2 mail PHP scripts. Does anyone have knowledge or experience with this Trojan or any tips that could help me resolve this? Also, any pointers on aspects of the site that will need to be improved in order to prevent this, i.e. what weaknesses of a site are normally exploited for this kind of Trojan to breach it? Thank you in advance.

 

Don't use WordPress. It's notoriously bad with security, especially if it's not up-to-date and if you're relying on plugins to do most of the heavy lifting.
