[CS-FSLUG] PHP question

Tim Young Tim.Young at LightSys.org
Wed May 21 10:53:07 CDT 2008


Ed Hurst wrote:
> Josiah Ritchie wrote:
>   
>> On Wed, May 21, 2008 at 8:09 AM, Ed Hurst <ehurst at asisaid.com> wrote:
>>     
>>> I spotted a warning on a forum about a virus which directs servers to
>>> pull down a PHP file scattered around the Net. Since I'm running FreeBSD
>>> and no web services, I decided to see what was in this file. It had one
>>> line:
>>>
>>>   ::H
>>>
>>> Just how big of threat is this?
>>>       
>> I'm no PHP master, but this doesn't look like anything related to
>> valid syntax to me.
>>     
>
> So I thought, but this whole thing may turn out to be an elaborate hoax.
> Maybe I should have given more info upfront. Here's the message I saw:
>
> ------------
> There is a virus going around that is attacking web servers. It asks
> your web server to request a file PT.PHP from some random server.
>
> The file contains garbage and if your server doesn't complete the
> request, about a week later it will be barraged with a .dll file that
> will attempt to take over your computer.
>
> [snip irrelevance]
>
> I telnetted to my home computer and found the log with the actual request...
>
>    GET http://iluxa1.rifo.net/pt.php HTTP/1.0
>
> Now any request to iluxa1.rifo.net will put your ip on a list to get
> barraged with .dll file requests.
> -------------
>
>   
I would agree with everyone that it is not anything to worry about. In 
reality, most computers on the Internet get "attacked" on average 
once every fifteen minutes. Basically, the "threat" of the email already 
happens to you, whether or not you do anything. Your servers will be 
scanned, and script-kitties will try to hack into your web-server with 
all sorts of funny attacks. If you look through your Apache log files 
for "dll" or "windows", you will usually see a lot of interesting 
requests. It is obvious that the attackers are just doing extremely dumb 
probing of the server. Unless you do something extremely dumb yourself 
(which is easy to do. I help people clean off hackers from Linux 
computers fairly regularly.), and if you keep your distro updated, you 
should not have anything to worry about (assuming a decent firewall, few 
services installed, smart-password policies, etc.)

Automated attacking is usually not too bad. And if a script-kitty 
(someone who uses canned scripts) does break into a server they rarely 
do anything worse than set up a spam-site or deface your webpages. A 
good backup/recovery system, followed by running your Yum/Apt-Get/other 
update software, usually suffices. (A good backup system has multiple 
time periods you can revert to in case you do not catch the hacker the 
day they hack you.) The ones to worry about are the hackers that do 
things manually. If they target you for some reason, that can be bad. 
But that rarely happens to those of us who do not have all sorts of 
exciting financial data or trade secrets on our systems.

Blessings,
- Tim Young
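Tim's advice to look through the Apache logs for probes, turned into a small classifier. This is an added example, not code from the thread: it flags request lines whose target is an absolute URI (the form of the pt.php request above, which is how a client asks a server to act as a proxy) and requests for Windows/IIS paths hitting a non-Windows host, then tallies them per source address. The log lines, IP addresses and path hints are constructed.

```python
import re
from collections import Counter, defaultdict

# Apache combined log format; the request line is logged verbatim.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
ABS_URI_RE = re.compile(r'^[A-Z]+ [a-z]+://', re.I)  # request-target is an absolute URI
# Constructed list of path fragments that only make sense on a Windows/IIS box.
WINDOWS_HINTS = (".dll", "/windows/", "/winnt/", "cmd.exe", "/system32/")

def classify(request_line):
    """Return a probe label for one logged request line, or None if it looks ordinary."""
    if ABS_URI_RE.match(request_line):
        return "open-proxy-probe"          # e.g. GET http://host/pt.php HTTP/1.0
    path = request_line.split(" ")[1].lower() if " " in request_line else request_line.lower()
    if any(h in path for h in WINDOWS_HINTS):
        return "windows-target-probe"      # IIS/Windows paths requested from a Unix host
    return None

def scan_log(lines):
    """Map source IP -> Counter of probe labels; unparseable lines are counted under '_unparsed'."""
    report = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            report["_unparsed"]["line"] += 1
            continue
        label = classify(m.group("req"))
        if label:
            report[m.group("ip")][label] += 1
    return report

# Constructed sample lines (not real traffic); the first mirrors the request quoted in the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [21/May/2008:09:12:44 -0500] "GET http://iluxa1.rifo.net/pt.php HTTP/1.0" 200 312 "-" "-"
198.51.100.9 - - [21/May/2008:09:13:01 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 209 "-" "-"
198.51.100.9 - - [21/May/2008:09:13:02 -0500] "GET /_vti_bin/shtml.dll HTTP/1.0" 404 205 "-" "-"
192.0.2.5 - - [21/May/2008:09:14:10 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
this line is not in combined log format
""".splitlines()

if __name__ == "__main__":
    for ip, counts in scan_log(SAMPLE_LOG).items():
        print(ip, dict(counts))
```

Feed it a real access_log with `scan_log(open("/var/log/apache2/access_log"))` to see how much of this background noise your own server collects.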
