[CS-FSLUG] PHP question

Vincent Danen vdanen at linsec.ca
Wed May 21 10:13:04 CDT 2008

* [2008-05-21 07:34:00 -0500] Ed Hurst wrote:

>Josiah Ritchie wrote:
>> On Wed, May 21, 2008 at 8:09 AM, Ed Hurst <ehurst at asisaid.com> wrote:
>>> I spotted a warning on a forum about a virus which directs servers to
>>> pull down a PHP file scattered around the Net. Since I'm running FreeBSD
>>> and no web services, I decided to see what was in this file. It had one
>>> line:
>>>   ::H
>>> Just how big of threat is this?
>> I'm no PHP master, but this doesn't look like anything related to
>> valid syntax to me.
>So I thought, but this whole thing may turn out to be an elaborate hoax.
>Maybe I should have given more info upfront. Here's the message I saw:
>There is a virus going around that is attacking web servers. It asks
>your web server to request a file PT.PHP from some random server.
>The file contains garbage and if your server doesn't complete the
>request, about a week later it will be barraged with a .dll file that
>will attempt to take over your computer.
>[snip irrelevance]
>I telnetted to my home computer and found the log with the actual request...
>   GET http://iluxa1.rifo.net/pt.php HTTP/1.0
>Now any request to iluxa1.rifo.net will put your ip on a list to get
>barraged with .dll file requests.

I think this is hoax.

No server that I know of would keep a HTTP connection "alive" for a

Also, if you get barraged with a .dll file.. so what?  If it's a .dll,
then this is a windows thing and would do nothing on your FreeBSD or
Linux boxen.

Vincent Danen @ http://linsec.ca/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 194 bytes
Desc: not available
URL: <http://ofb.biz/pipermail/christiansource_ofb.biz/attachments/20080521/85e24e83/attachment.sig>

More information about the Christiansource mailing list