2021: notice malicious PHP files written in EVERY apache-writable directory in the filesystem.

Not very careful analysis:
* it looks like a very obfuscated PHP file is uploaded to one of the public upload areas
* it then scans for every directory on the system that's writable by the apache process
* it puts e.g. a .37eb5bf3.ico in one place, and puts an index.php which includes the .ico in another place
* all of these are set up to serve some kind of spam - looked like sports gambling?

Decode the PHP with https://www.unphp.net/

2021-02-28: Notice that these files all have different creation dates, from 2020-02 to 2021-02-13: the malware is able to set the dates.

Delete all the index.php files except for the five that are supposed to be on the system. Find them with:
* put a sample .ico file in ~/malware/sample-ico-malware
    find / -name index.php -print > /tmp/phps
* delete all the hidden .ico
    # -prune skips /sys/kernel/slab; -ls lists the matches for review
    find / -wholename /sys/kernel/slab -prune -o -regex ".*/\..*ico" -ls

2021-05-23: write ~daniel/scout/scout.pl to alarm on unregistered index.php files.
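The "unregistered index.php" alarm and the hidden-.ico sweep from the notes above, as an added example in POSIX sh. This is not scout.pl and not code from these notes: it builds a constructed sample tree (a legitimate index.php, a dropped index.php that includes a hidden .ico, and the .ico itself), compares every index.php found against a registry file of known-good paths, and separately lists hidden files ending in .ico plus any PHP file whose include/require names a .ico path. The temp-tree layout, the registry file and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original notes or of scout.pl.
# Assumptions (hypothetical): the web root is $ROOT and the legitimate
# index.php paths are listed one per line in a registry file.

# Build a constructed sample tree in a temp dir so the example runs offline.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/htdocs/uploads" "$root/tmp/cache"
    # the one legitimate index.php
    printf '%s\n' '<?php echo "legit site"; ?>' > "$root/htdocs/index.php"
    # dropper pattern from the notes: an index.php in a writable dir that
    # includes a hidden .ico planted somewhere else
    printf '%s\n' '<?php @include "/tmp/cache/.37eb5bf3.ico"; ?>' \
        > "$root/htdocs/uploads/index.php"
    printf '%s\n' '<?php eval(base64_decode("...")); ?>' \
        > "$root/tmp/cache/.37eb5bf3.ico"
    # registry of index.php files that are supposed to exist (constructed)
    printf '%s\n' "$root/htdocs/index.php" > "$root/registry.txt"
    echo "$root"
}

# Print every index.php under $1 that is not listed in registry file $2.
# comm needs both inputs sorted, so sort the registry with the same sort.
unregistered_index_php() {
    sorted=$(mktemp)
    sort "$2" > "$sorted"
    find "$1" -type f -name index.php | sort | comm -23 - "$sorted"
    rm -f "$sorted"
}

# Print hidden files ending in .ico under $1 (the dropper's payload naming),
# then every .php file under $1 whose include/require names a .ico path.
hidden_ico_and_includers() {
    find "$1" -type f -regex '.*/\.[^/]*ico'
    grep -rlE --include='*.php' \
        "(include|require)(_once)?[[:space:]]*\(?[[:space:]]*[\"'][^\"']*\.ico" "$1"
}

# Demo on the constructed tree. Real use would be something like:
#   unregistered_index_php / /etc/index-registry.txt
demo_root=$(make_sample_tree)
echo "Unregistered index.php files:"
unregistered_index_php "$demo_root" "$demo_root/registry.txt"
echo "Hidden .ico files and PHP files that include a .ico:"
hidden_ico_and_includers "$demo_root"
rm -rf "$demo_root"
```

Only the dropped uploads/index.php is reported as unregistered, and the second function flags both the hidden .37eb5bf3.ico and the index.php that includes it while leaving the legitimate index.php alone. Because the malware sets file timestamps, the check deliberately ignores mtime/ctime and keys only on path and content; on a real host run it from cron and alarm on any non-empty output.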