jesvs — tech stuff

Found a PHP trojan on a client's server

During a recent security audit I found an obfuscated PHP script stored in a file named social.png, which another PHP file loaded with an include call. The script shipped inside a pirated version of a commercial WordPress plugin. Some malware scanners (ESET-NOD32, BitDefender) identify the file as Trojan.PHP.Shell.W or PHP/Alter.A.

Inside the script I decoded the following data: domain names, email addresses and a public key. They are used for malicious purposes (spreading malware), mostly against WordPress sites.

Once your server has been compromised, the script sends a message to ALL of the email addresses, informing the attacker(s) that they have shell access to your machine.

Luckily for my client, his server is configured to send email only for authenticated clients, so my client was never exposed.

Suggestions

  1. Check your logs for any activity involving these domains and addresses or, better yet, block them in your server's firewall if possible.
  2. Check your WordPress database: look in the wp_options table (with your own table prefix) for the option WP_CLIENT_KEY, and remove it if it matches the malicious public key posted above or if you don't use an external admin panel for your site.
  3. Avoid installing plugins from untrustworthy sources (pirate sites, nulled scripts, etc.).
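The file-level pattern described above (PHP code hidden in a file with an image extension, pulled in through an include) is easy to sweep for across a whole WordPress tree. The scanner below is an added example, not the post's own code or a tool from the plugin; the directory layout and file contents in demo() are constructed to mimic the finding, and the eval/base64_decode markers are an assumption about what typical obfuscated loaders contain.

```python
import os
import re
import tempfile

IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".ico")
# Whole include/require statement up to ';', then any quoted image path inside it.
INCLUDE_STMT = re.compile(r"\b(?:include|require)(?:_once)?\b([^;]*);", re.I)
IMAGE_ARG = re.compile(r"['\"]([^'\"]*\.(?:png|jpe?g|gif|ico))['\"]", re.I)
# Markers that have no business inside an image: PHP open tags, eval or base64_decode calls.
PHP_MARKERS = re.compile(rb"<\?php|<\?=|\beval\s*\(|\bbase64_decode\s*\(", re.I)

def scan_tree(root):
    """Return sorted (relative path, reason) findings for a WordPress directory."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read()
            if ext in IMAGE_EXTS and PHP_MARKERS.search(data):
                findings.append((rel, "php code inside image file"))
            elif ext == ".php":
                text = data.decode("utf-8", "replace")
                for stmt in INCLUDE_STMT.finditer(text):
                    for target in IMAGE_ARG.findall(stmt.group(1)):
                        findings.append((rel, "includes image file " + target))
    return sorted(findings)

def demo():
    """Build a constructed tree mimicking the post's finding, then scan it."""
    root = tempfile.mkdtemp()
    files = {
        # constructed: the loader pulls the "image" in via include, as in the post
        "wp-content/plugins/pirated/loader.php":
            b"<?php\ninclude(dirname(__FILE__) . '/social.png');\n",
        # constructed stand-in for the obfuscated payload (no real payload here)
        "wp-content/plugins/pirated/social.png":
            b"<?php eval(base64_decode($obfuscated_blob));\n",
        # benign controls: a real PNG header and an ordinary include of a .php file
        "wp-content/themes/clean/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "wp-content/themes/clean/header.php": b"<?php require_once 'functions.php';\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return scan_tree(root)
```

Run scan_tree() against a real document root to get the same (path, reason) list; a hit on either rule is worth a manual look rather than automatic deletion, since the include rule also fires on legitimate code that embeds an image via a PHP wrapper.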