PHP/BackDoor.gen

Type
Trojan
SubType
Generic
Discovery Date
11/11/2005
Length
varies
Minimum DAT
4626 (11/11/2005)
Updated DAT
5771 (10/14/2009)
Minimum Engine
5.1.00
Description Added
11/11/2005
Description Modified
11/11/2005 11:31 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This detection is for a remote access trojan written in the PHP scripting language.

Installation

Such trojans are frequently uploaded to Web servers in the hope that the PHP script will at some point be executed by the administrator. If that happens, the PHP script installs itself and provides remote access to the attacker, who may periodically check whether the server has been compromised.

Remote Access Functionality

The server component offers many functions to the attacker, who can use an ordinary browser as the backdoor client. The following example shows the remote functionality provided by one such backdoor PHP script, called "c99shell":

  • It is a remote file manager that works through a browser
  • Can be updated remotely
  • Has file-searching capabilities
  • Can access files via FTP and Samba
  • Can upload and download files and folders
  • Can bind /bin/bash to any port, protected by a password
  • Can modify the modification time and access time of any disk object
  • Can execute any PHP code
  • Can apply sha1, md5, crc32 and base64 to files
  • Has built-in database operations (list, sort, group operations)
  • Can perform a back connection to any IP address on a given port
  • Can send improvement suggestions to the author via mail()
  • Supports SQL
  • Has a self-removal function

Please note that this detection is generic, so the properties listed above do not necessarily correspond exactly to any particular malicious PHP script detected under this name.

Symptoms

  • Suspicious outgoing connections on non-standard port(s) from a Web server
  • PHP/BackDoor.gen detection in AV log
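As an added example (not part of the original description), the following script checks for the first symptom above: it parses netstat -tnp style output and reports connections that a web or PHP worker process opened to a remote port outside an expected allowlist, which is what a back-connect or bind-shell session from a backdoor script looks like on the host. The process names, port sets, ephemeral-port threshold and sample lines are constructed assumptions to adjust per server.

```python
import re

WEB_PROCESSES = {"apache2", "httpd", "nginx", "php-fpm", "php"}  # assumed worker names
EXPECTED_PORTS = {80, 443, 53, 25, 3306, 5432, 11211}           # assumed allowlist
EPHEMERAL_MIN = 32768  # Linux default lower bound; outbound sockets use these ports

# netstat -tnp layout: proto recv-q send-q local remote state pid/program
LINE_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)\s+(?P<state>\S+)\s+(?P<pid>\d+)/(?P<prog>\S+)"
)

def parse_line(line):
    """Return the fields of one connection line, or None if it does not parse
    (LISTEN sockets show '*' as the remote port and are skipped on purpose)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def suspicious_connections(lines):
    """Return (pid, program, remote_addr, remote_port) for connections that a
    web worker initiated (ephemeral local port, active state) to a remote
    port not on the allowlist. Inbound client connections on 80/443 have a
    low local port and are therefore not reported."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        lport, rport = int(rec["lport"]), int(rec["rport"])
        if (rec["prog"] in WEB_PROCESSES
                and rec["state"] in {"ESTABLISHED", "SYN_SENT"}
                and lport >= EPHEMERAL_MIN
                and rport not in EXPECTED_PORTS):
            findings.append((int(rec["pid"]), rec["prog"], rec["raddr"], rport))
    return findings

# Constructed sample lines (not a real capture); only the last two should be reported.
SAMPLE = """\
tcp        0      0 10.0.0.5:443        198.51.100.20:51234   ESTABLISHED 1201/nginx
tcp        0      0 10.0.0.5:40112      10.0.0.9:3306         ESTABLISHED 1340/php-fpm
tcp        0      0 0.0.0.0:80          0.0.0.0:*             LISTEN      1201/nginx
tcp        0      0 10.0.0.5:40988      203.0.113.7:4444      ESTABLISHED 1342/php-fpm
tcp        0      0 10.0.0.5:41002      203.0.113.7:9001      SYN_SENT    1342/php-fpm
"""

if __name__ == "__main__":
    for pid, prog, raddr, rport in suspicious_connections(SAMPLE.splitlines()):
        print(f"pid={pid} {prog} -> {raddr}:{rport}")
```

A hit is only a lead: confirm it by inspecting the worker's open files and the document root for recently modified PHP files before acting on it.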

Method of Infection

Trojans do not self-replicate. In order to activate, the malicious PHP script has to be executed on the server by the administrator.

Removal

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Backdoor.PHP (AVP)
  • Trojan-Spy.PHP (AVP)