jlpeifer Posted January 24, 2020 Share Posted January 24, 2020 I maintain a Debian-based Web server. It runs DirectAdmin for shared hosting purposes. I perform backups of my clients' data and download those backups (tar.gz format) to a local computer for safe-keeping. The local computer storing the backup files runs ESET Internet Security software. Yesterday during a routine system scan ESET threw a warning and flagged a PHP file that was located inside one of those backup files. It was identified by ESET as "PHP/PhpShell.NBD trojan". The file itself is called defauls.php and contains 1 line of code that is 175 characters long. I'd like to share the contents of that file here, but my gut says I'll get wrist-slapped for sharing code that might be malicious. Can anyone advise how I can get help interpreting this PHP file and what danger it might pose (I've located it on my Web server and have isolated it)? Quote Link to comment Share on other sites More sharing options...
requinix Posted January 24, 2020 Share Posted January 24, 2020 We won't slap your wrist, but we'd prefer you didn't post it and would remove it if you did. To help not spread those things around, you know? It does sound like malware, but it's possible it is merely obfuscated code (like if it came with a paid license and the author didn't want anyone to mess with it). Does the file say anything about eval or base64_decode or gunzip/deflate? Does it look the slightest bit readable? You can PM it to me if you'd like me to confirm. If it is malware then obviously you need to contact your client so they can begin damage control. Hopefully the file hasn't been there for long. It would help them if you could check webserver access logs for requests to that file so see if/how often it ran. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.