Funny little php "virus" floating around
Got an email that claimed to be from my host. It used a generic return address and talked about security upgrades and such, and how, due to a new policy to help keep a secure data center, I was required to upload and run one of two files in a zip attachment: the first was a PHP file, the other an ASP file.
Now I instantly realized it wasn't from my host, but it was well thought out and I could see it "appealing to/fooling" novice users, so I tore through it a bit.
What I came up with: someone took a copy of a file and server management program called nsTView, by itself harmless unless you leave it out in the wild with an empty or easy-to-guess password, and added in some code to email various data to an email address they could use to compromise the server further.
How did the "hacker" hide this from prying eyes? He strtr "encrypted" it, then base64_encoded it, and stuck it at the end of a PHP file AFTER the closing PHP tag. He then base64_encoded the file-read, eval and reverse base64/strtr code so that the script would open itself up, read the last line, base64-decode it, strtr "decrypt" it, then eval that string.
So what's the point?
1. base64_encoding and other tricks are not true protection for source code, even a semi-smart program can reverse engineer such things.
2. Never ever blindly run code from unknown sources; question code from known sources, and if you still have hairs sticking up, take some time to read the source.
I won't post the code here, I will however post a single bit that will give you enough to grep and check your servers for if you have customers you think might fall for such a trick.
$OOO0O0O00=__FILE__;$O00O00O00=__LINE__;$OO00O0000=128720;
If anyone runs into something like this please send it my way, if possible with the headers from the original email, so I can examine it and provide info to the rest of the PHP community. If any security experts out there are interested in getting a copy to catalog and report, please contact me directly.
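The post describes two things a server admin wants to automate: spotting a loader that reads its own file, reverses base64/strtr and evals the result, and peeling the appended blob off for inspection. The Python below is an added example written for this post, not the malware or any code from the original thread. It embeds the grep signature quoted above, scans a PHP source for the combination of indicators the post describes (the signature, the eval/base64_decode/strtr/__FILE__ calls, and a base64-looking blob after the closing `?>` tag), and unwraps the blob by applying the same strtr mapping the loader uses. The loader text, the strtr alphabets and the hidden string in `build_sample()` are constructed for the demo; the real file's mapping has to be copied out of the real loader by the person analysing it.

```python
import base64
import re

# Indicators from the post: the variable names it says to grep for, and the
# calls a self-reading base64/strtr loader needs.
LOADER_SIGNATURE = "$OOO0O0O00=__FILE__;$O00O00O00=__LINE__;"
SUSPICIOUS_CALLS = ("eval(", "base64_decode(", "strtr(", "__FILE__")


def trailing_blob(php_source: str) -> str:
    """Return whatever follows the last closing ?> tag (empty if nothing does)."""
    idx = php_source.rfind("?>")
    return "" if idx == -1 else php_source[idx + 2:].strip()


def is_base64ish(text: str, min_len: int = 64) -> bool:
    """Long run of base64 alphabet only; short blobs are ignored to limit noise."""
    return len(text) >= min_len and re.fullmatch(r"[A-Za-z0-9+/=\s]+", text) is not None


def score_file(php_source: str) -> dict:
    """Flag a file if it carries the known signature, or if it combines at least
    three of the loader calls with a base64-looking blob after the closing tag."""
    calls = [c for c in SUSPICIOUS_CALLS if c in php_source]
    blob_ok = is_base64ish(trailing_blob(php_source))
    signature = LOADER_SIGNATURE in php_source
    return {
        "signature": signature,
        "calls": calls,
        "trailing_base64": blob_ok,
        "suspicious": signature or (len(calls) >= 3 and blob_ok),
    }


def unwrap_payload(php_source: str, loader_from: str, loader_to: str) -> str:
    """Undo the wrapping the post describes: base64-decode the trailing blob,
    then apply the loader's own strtr(from, to) step. loader_from/loader_to are
    the two string arguments found in the loader's strtr() call."""
    raw = base64.b64decode(trailing_blob(php_source)).decode("latin-1")
    return raw.translate(str.maketrans(loader_from, loader_to))


def build_sample() -> str:
    """Constructed sample, not the real malware: a loader carrying the post's
    signature, followed by a strtr+base64 blob after the closing tag.
    The hypothetical strtr alphabets below are a rot13 of a-z."""
    loader_from = "nopqrstuvwxyzabcdefghijklm"
    loader_to = "abcdefghijklmnopqrstuvwxyz"
    hidden = 'echo "hidden payload: this string stands in for the mailer the post describes";'
    # The attacker's strtr step is the inverse of the loader's strtr step.
    obfuscated = hidden.translate(str.maketrans(loader_to, loader_from))
    blob = base64.b64encode(obfuscated.encode("latin-1")).decode("ascii")
    loader = (
        "<?php " + LOADER_SIGNATURE + "$OO00O0000=128720;\n"
        "$OO00O00O0=file($OOO0O0O00);\n"
        "eval(strtr(base64_decode(end($OO00O00O0)),'" + loader_from + "','" + loader_to + "'));\n"
        "?>\n"
    )
    return loader + blob + "\n"


if __name__ == "__main__":
    sample = build_sample()
    print(score_file(sample))
    print(unwrap_payload(sample, "nopqrstuvwxyzabcdefghijklm", "abcdefghijklmnopqrstuvwxyz"))
```

To use it on a real server, feed each .php file's contents to `score_file()`; anything flagged by the signature alone matches the post's grep, while the combined-indicator rule catches variants that renamed the variables. `unwrap_payload()` is for offline inspection of a flagged file only; the decoded text is never executed.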