Skip to main content
Information Security

Timeline for PHP malware/shell keeps resurrecting

Current License: CC BY-SA 3.0

11 events
when toggle format what by license comment
May 23, 2017 at 12:40 history edited CommunityBot
replaced http://stackoverflow.com/ with https://stackoverflow.com/
Feb 5, 2015 at 3:01 comment added Giacomo1968 @AnPhan Welp, I am tapped out. I left a comment on the question that basically boils down to this: If you can replatform these sites to a new, clean server that is your realistic best bet right now. My approach to web servers is I am never “married” to them and the code I place on them is always portable. By thinking this way you can quickly remediate issues like this without trying to find a needle in a haystack.
Feb 5, 2015 at 2:59 comment added An Phan Thanks. Ran the test from the site, the result is all clean.
Feb 5, 2015 at 2:55 comment added Giacomo1968 @AnPhan Well, if you are unsure about bash please read the contents of this site and test other bash related flaws that have been found.
Feb 5, 2015 at 2:46 comment added An Phan Yes it's patched. Or at least the shellshock script test returns hello.
Feb 5, 2015 at 2:39 comment added Giacomo1968 @AnPhan Well, are you sure your base OS is patched? Specifically bash itself in light of the bash “shellshock” bug? Check out my answer on Super User over here to see what I mean. While you say the malware is PHP-based, in many cases the initial intrusion vector is something else like an unpatched version of bash.
Feb 5, 2015 at 2:31 history edited Giacomo1968 CC BY-SA 3.0
added 12 characters in body
Feb 5, 2015 at 2:30 comment added An Phan Thanks for the answer, and the great script. I did try to clean /tmp and checked through the crontab -- again, nothing suspicious.
Feb 5, 2015 at 2:19 history edited Giacomo1968 CC BY-SA 3.0
added 20 characters in body
Feb 5, 2015 at 2:17 review First posts
Feb 5, 2015 at 2:23
Feb 5, 2015 at 2:12 history answered Giacomo1968 CC BY-SA 3.0