This is a discussion on RE: [PHP] Securing your Sites within the PHP General forums, part of the PHP Programming Forums category.
Funny, they should all be PHPS, source only and my last check only did
them on the source viewing. None of them are executable in that folder.

You got it from elsewhere.

admin@buskirkgraphics.com wrote:
> I want to personally thank you for 6 hours of work to remove the
> PHP-Back-door Trojan, that download from your site to my PC while viewing that POS you call a help line.
> -----Original Message-----
> From: Wolf [mailto:LoneWolf@nc.rr.com]
> Sent: 17 December 2007 16:00
> To: admin@buskirkgraphics.com
> Cc: php-general@lists.php.net
> Subject: Re: [php] Securing your Sites
>
> Funny, they should all be PHPS, source only and my last check only did
> them on the source viewing. None of them are executable in that
> folder.
>
> You got it from elsewhere.

I thought that too as I checked the site this morning and they all were .phps

However, wandering back over there sees that they are all now .tar.gz files and, upon scanning, do carry a malicious payload

Dan

> admin@buskirkgraphics.com wrote:
> > I want to personally thank you for 6 hours of work to remove the
> > PHP-Back-door Trojan, that download from your site to my PC while
> > viewing that POS you call a help line.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.5.503 / Virus Database: 269.17.4/1187 - Release Date: 16/12/2007 11:36

No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.503 / Virus Database: 269.17.4/1187 - Release Date: 16/12/2007 11:36
> -----Original Message-----
> From: Wolf [mailto:LoneWolf@nc.rr.com]
> Sent: 17 December 2007 16:00
> To: admin@buskirkgraphics.com
> Cc: php-general@lists.php.net
> Subject: Re: [php] Securing your Sites
>
> Funny, they should all be PHPS, source only and my last check only did
> them on the source viewing. None of them are executable in that
> folder.
>
> You got it from elsewhere.

Sorry, update

Scanning with AVG reveals that c99-2, 3 and 4 report backdoor Trojan infections but it occurs to me that maybe AVG is just finding the malicious payload you are demonstrating?

I'd like to thank you for supplying the source for these exploits... If I've made a mistake and compounded an incorrect situation I do apologise

Dan

> admin@buskirkgraphics.com wrote:
> > I want to personally thank you for 6 hours of work to remove the
> > PHP-Back-door Trojan, that download from your site to my PC while
> > viewing that POS you call a help line.
Wait, I'm confused. Did PHP send a virus to your computer without
action on your part? That'd be scary. If you downloaded something, was the checksum not published for you to verify your download prior to unpacking it? That's always a warning worthy of apprehension.

What was the "PHP-Back-door Trojan" exactly?

Jeremy Mcentire
Ant Farmer
ZooToo LLC
2 things I've done to them to try to catch all...

1. GZipped them all (you'll have to download them to a machine and look at the source yourself, taking your own precautions and YES, they will scan malicious in this setup as they are all trojans/backdoors)
2. changed their extension to .txt on the server

I'll also modify the server folder they are running on to disable php entirely later tonight so they can never execute it on it.

When I reloaded them in my windoze box, my AV picked up on them in the cache as the trojans they are and disabled access to them in my browser's cache. Since I don't run php on the windoze box, there really was nothing to worry about and I could view the source in the browser. But if you didn't run AV on the system you looked at them at, installed them to your own local area and started playing with them, then you pretty much borked yourself.

They are live code (hence why they were phps and should have just been source to view) and the only way to really pick them apart to view them. Considering that the code was phps and the server treated them as such never did my server execute them.

Wolf

Dan Parry wrote:
>> -----Original Message-----
>> From: Wolf [mailto:LoneWolf@nc.rr.com]
>> Sent: 17 December 2007 16:00
>> To: admin@buskirkgraphics.com
>> Cc: php-general@lists.php.net
>> Subject: Re: [php] Securing your Sites
>>
>> Funny, they should all be PHPS, source only and my last check only did
>> them on the source viewing. None of them are executable in that
>> folder.
>>
>> You got it from elsewhere.
>
> I thought that too as I checked the site this morning and they all were .phps
>
> However, wandering back over there sees that they are all now .tar.gz files and, upon scanning, do carry a malicious payload
>
> Dan
>
>> admin@buskirkgraphics.com wrote:
>>> I want to personally thank you for 6 hours of work to remove the
>>> PHP-Back-door Trojan, that download from your site to my PC while
>>> viewing that POS you call a help line.
On Dec 17, 2007 11:27 AM, Jeremy Mcentire <jmcentire@zootoo.com> wrote:
> Wait, I'm confused. Did PHP send a virus to your computer without
> action on your part? That'd be scary. If you downloaded something,
> was the checksum not published for you to verify your download prior
> to unpacking it? That's always a warning worthy of apprehension.
> What was the "PHP-Back-door Trojan" exactly?

Here's what is going on, from start to finish, for anyone who may be concerned:

1.) Wolf's server was breached (or attempted) by a couple of wannabes and script kiddies.
2.) He tar'ed and gZip'ed the malicious PHP scripts, after renaming them to .phps (source) scripts for you to view.
3.) When you download the gZip'ed tarballs, they contain the PHP source code in a .phps, as expected.
4.) Any scans of those files COULD and SHOULD indicate that they are exploits --- BECAUSE THEY ARE.
5.) Some of you may not have chosen to fully read the page telling you what they are prior to downloading.
6.) If Step 5 applies to you, that is YOUR FAULT, not Wolf's.

I didn't find it all that difficult to read the two paragraphs or so prior to downloading. In fact, I find that I rather enjoy doing that so I know what the hell I'm downloading in the first place, before blindly downloading some code. ;-P

--
Daniel P. Brown
[Phone Numbers Go Here!]
[They're Hidden From View!]
If at first you don't succeed, stick to what you know best so that you can make enough money to pay someone else to do it for you.
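The publishing procedure Wolf describes (non-executable extension, gzipped tarball, PHP disabled in the folder) plus the checksum list Jeremy asks for, scripted as an added example that is not code from anyone in the thread. It assumes a POSIX shell with GNU coreutils `sha256sum` and `tar`, and an Apache vhost whose `AllowOverride` permits the `php_flag` and `RemoveHandler` directives in `.htaccess`.

```shell
#!/bin/sh
# Added example: package PHP samples so a web server never executes them and
# downloaders can verify what they fetched. Not code from the thread.
set -e

# publish_samples SRC_DIR OUT_DIR
# Copies every SRC_DIR/*.php to OUT_DIR/src/*.txt, tars and gzips the copies,
# writes a SHA256SUMS file and an .htaccess that switches PHP off in OUT_DIR.
# Prints the path of the tarball.
publish_samples() {
    src="$1"; out="$2"
    mkdir -p "$out/src"
    for f in "$src"/*.php; do
        [ -f "$f" ] || continue
        base=$(basename "$f" .php)
        cp "$f" "$out/src/$base.txt"      # .txt is never handed to the PHP handler
    done
    tar -czf "$out/samples.tar.gz" -C "$out" src
    ( cd "$out" && sha256sum samples.tar.gz > SHA256SUMS )
    # Per-directory Apache config (assumption: AllowOverride allows these).
    # php_flag applies to mod_php; RemoveHandler/AddType cover other setups.
    cat > "$out/.htaccess" <<'EOF'
php_flag engine off
RemoveHandler .php .phtml .phps
AddType text/plain .php .phtml .phps .txt
EOF
    printf '%s\n' "$out/samples.tar.gz"
}

# verify_download FILE SUMS_FILE
# Succeeds only when FILE's SHA-256 matches the entry for its name in SUMS_FILE.
verify_download() {
    expected=$(awk -v f="$(basename "$1")" '$2 == f { print $1 }' "$2")
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}
```

Run `publish_samples ./quarantine ./public/samples` on the server; a downloader then checks the tarball with `verify_download samples.tar.gz SHA256SUMS` before unpacking anything.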
ALL of them should report trojan if you download them to your cache but
only should be an issue if you have PHP installed on that machine and then execute that code in your own php server. They are all trojans/back door. But if you view the source then you aren't going to bork yourself.

As they are now all tar.gz the AV scanners should all catch them as trojans, so you will need to tell your scanner to allow you to access that folder, save it to your local drive and view the source in your favorite text editor to look at them.

Wolf

Dan Parry wrote:
>> -----Original Message-----
>> From: Wolf [mailto:LoneWolf@nc.rr.com]
>> Sent: 17 December 2007 16:00
>> To: admin@buskirkgraphics.com
>> Cc: php-general@lists.php.net
>> Subject: Re: [php] Securing your Sites
>>
>> Funny, they should all be PHPS, source only and my last check only did
>> them on the source viewing. None of them are executable in that
>> folder.
>>
>> You got it from elsewhere.
>
> Sorry, update
>
> Scanning with AVG reveals that c99-2, 3 and 4 report backdoor Trojan infections but it occurs to me that maybe AVG is just finding the malicious payload you are demonstrating?
>
> I'd like to thank you for supplying the source for these exploits... If I've made a mistake and compounded an incorrect situation I do apologise
>
> Dan
>
>> admin@buskirkgraphics.com wrote:
>>> I want to personally thank you for 6 hours of work to remove the
>>> PHP-Back-door Trojan, that download from your site to my PC while
>>> viewing that POS you call a help line.