[nycbug-talk] Searching for suspect PHP files...

Max Gribov max at neuropunks.org
Mon Mar 2 10:18:56 EST 2009


Matt Juszczak wrote:
> Evening all,
>
>   
Hi Matt,

> In my latest chkrootkit reports (which I run nightly via periodic), I'm 
> noticing lots and lots of "Suspect PHP Files" (via chkrootkit).  It seems, 
> after checking the code, that it's really just searching for PHP files in 
> /tmp, and also searching for some other files throughout the system.
>
> I guess the question I have is - what's the point of this check?
>   

/tmp is the default storage for uploaded files (before they get moved to 
their proper destination by some php code), and for php session data..
All of this is tunable through php.ini.

There are plenty of php-based backdoor scripts which allow one to execute 
shell commands, transfer files, look at your db, etc.
One such thing, which seems to be really popular, is the rst shell 
http://www.sophos.com/security/analyses/viruses-and-spyware/trojrstdoora.html

I've seen that software used after a break-in into some WordPress 
install, so maybe chkrootkit is checking for that. Let's hope it does a 
better job than just looking at .php files though - that's like assuming 
all binaries are viruses..

wow, this message is from Feb 26.. time flies when you have fun..
> -Matt
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>   
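A content-based version of the check Max is hoping for, as an added example (it is not chkrootkit's code and not part of the original thread): it walks a directory for *.php files but reports only those whose contents call functions typical of command-execution backdoors, so a harmless session or upload temp file with a .php name is not flagged. The function list in SUSPECT_RE, the helper names and the sample files are all constructed for this example.

```shell
#!/bin/sh
# Added example, not chkrootkit's code and not from the original post:
# triage PHP files found under a temp/upload directory by *content*, rather
# than treating every *.php there as suspect. The call list below is a
# constructed, deliberately short heuristic; a real deployment would tune it
# and pair it with file-age, ownership and hash checks.

# Extended regex of PHP calls that are common in command-execution backdoors
# and rare in legitimate session/upload temp files (constructed list).
SUSPECT_RE='(eval|base64_decode|system|passthru|shell_exec|popen|exec)\('

# scan_php_dir DIR
# Prints "<path>  <distinct matched calls>" for each *.php file under DIR
# whose contents match SUSPECT_RE; clean files are not listed.
scan_php_dir() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        hits=$(grep -o -E "$SUSPECT_RE" "$f" 2>/dev/null | sort -u | tr '\n' ' ')
        if [ -n "$hits" ]; then
            printf '%s  %s\n' "$f" "$hits"
        fi
    done
}

# count_flagged DIR: number of flagged files, for a one-line nightly summary.
count_flagged() {
    scan_php_dir "$1" | wc -l | tr -d ' '
}

# Stand-alone demo on constructed sample files (the "suspect" one only
# names the calls; it is a marker for the scanner, not a working backdoor).
if [ -z "${SCAN_PHP_NO_DEMO:-}" ]; then
    demo=$(mktemp -d)
    printf '<?php session_start(); echo "hello"; ?>\n' > "$demo/sess_clean.php"
    printf '<?php eval(base64_decode($payload)); ?>\n' > "$demo/upload_suspect.php"
    printf 'eval( in a non-PHP temp file is ignored\n' > "$demo/notes.txt"
    scan_php_dir "$demo"
    echo "flagged: $(count_flagged "$demo")"
    rm -rf "$demo"
fi
```

Run it as `sh scan_php.sh` to see the demo; to use it from periodic, set SCAN_PHP_NO_DEMO=1 and call `scan_php_dir` on the directories your php.ini points upload_tmp_dir and session.save_path at. The find/while loop assumes file names without embedded newlines, which is the normal case for PHP's own sess_* and upload temp names.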