Jump to content

Help needed with a mystery file


Recommended Posts

I maintain a Debian-based Web server. It runs DirectAdmin for shared hosting purposes. I perform backups of my clients' data and download those backups (tar.gz format) to a local computer for safe-keeping. The local computer storing the backup files runs ESET Internet Security software. Yesterday during a routine system scan ESET threw a warning and flagged a PHP file that was located inside one of those backup files. It was identified by ESET as "PHP/PhpShell.NBD trojan". The file itself is called defauls.php and contains 1 line of code that is 175 characters long. I'd like to share the contents of that file here, but my gut says I'll get wrist-slapped for sharing code that might be malicious.

Can anyone advise how I can get help interpreting this PHP file and what danger it might pose (I've located it on my Web server and have isolated it)?

Link to comment
Share on other sites

We won't slap your wrist, but we'd prefer you didn't post it and would remove it if you did. To help not spread those things around, you know?

It does sound like malware, but it's possible it is merely obfuscated code (like if it came with a paid license and the author didn't want anyone to mess with it). Does the file say anything about eval or base64_decode or gunzip/deflate? Does it look the slightest bit readable? You can PM it to me if you'd like me to confirm.

If it is malware then obviously you need to contact your client so they can begin damage control. Hopefully the file hasn't been there for long. It would help them if you could check webserver access logs for requests to that file so see if/how often it ran.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.