PhpRiot
News Archive
PhpRiot Newsletter
Your Email Address:

More information

Grzegorz Godlewski: PHP.Kryptik.AB - Give me your FTP!

Note: This article was originally published at PHPDeveloper on 17 April 2444.
PHPDeveloper

Grzegorz Godlewski has written up a post about a piece of PHP-related malware that, if it gets into your application, can render your site inaccessible (not to mention blocked by Google's "safe browsing") - PHP.Kryptik.AB.

One could think a PHP Developer is free from viruses and malware - and be wrong. Meet PHP.Kryptik.AB - the PHP malware. If you already know this bastard - high five! But if you don't - be prepared! Basically the story starts from a standard computer trojan which (I suppose) attacks popular FTP clients that store FTP login credentials unencrypted. Then it sends fetched informations to a remote host which (by the cover of night) logs into the FTP servers and infects PHP base web-pages by injecting a piece of JavaScript code, that gets executed when a user enters a site.

He describes the injected code, what kind of files the malware looks for when it executes and how you can fix the problem if you've already been infected. There's also a bit about how you can prevent yourself from being infected (including the suggestion of using something like KeePass or 1Password to manage and create harder to crack passwords).