[CS-FSLUG] PHP question

Vincent Danen vdanen at linsec.ca
Wed May 21 10:13:04 CDT 2008


* [2008-05-21 07:34:00 -0500] Ed Hurst wrote:

>Josiah Ritchie wrote:
>> On Wed, May 21, 2008 at 8:09 AM, Ed Hurst <ehurst at asisaid.com> wrote:
>>> I spotted a warning on a forum about a virus which directs servers to
>>> pull down a PHP file scattered around the Net. Since I'm running FreeBSD
>>> and no web services, I decided to see what was in this file. It had one
>>> line:
>>>
>>>   ::H
>>>
>>> Just how big of a threat is this?
>> 
>> I'm no PHP master, but this doesn't look like anything related to
>> valid syntax to me.
>
>So I thought, but this whole thing may turn out to be an elaborate hoax.
>Maybe I should have given more info upfront. Here's the message I saw:
>
>------------
>There is a virus going around that is attacking web servers. It asks
>your web server to request a file PT.PHP from some random server.
>
>The file contains garbage and if your server doesn't complete the
>request, about a week later it will be barraged with a .dll file that
>will attempt to take over your computer.
>
>[snip irrelevance]
>
>I telnetted to my home computer and found the log with the actual request...
>
>   GET http://iluxa1.rifo.net/pt.php HTTP/1.0
>
>Now any request to iluxa1.rifo.net will put your ip on a list to get
>barraged with .dll file requests.

I think this is a hoax.

No server that I know of would keep an HTTP connection "alive" for a
week.

Also, if you get barraged with a .dll file... so what?  If it's a .dll,
then this is a Windows thing and would do nothing on your FreeBSD or
Linux boxen.

-- 
Vincent Danen @ http://linsec.ca/