Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Grzegorz Godlewski:
PHP.Kryptik.AB - Give me your FTP!
Nov 20, 2012 @ 15:14:04

Grzegorz Godlewski has written up a post about a piece of PHP-related malware that, if it gets into your application, can render your site inaccessible (not to mention blocked by Google's "safe browsing") - PHP.Kryptik.AB.

One could think a PHP Developer is free from viruses and malware - and be wrong. Meet PHP.Kryptik.AB - the PHP malware. If you already know this bastard - high five! But if you don’t – be prepared! Basically the story starts from a standard computer trojan which (I suppose) attacks popular FTP clients that store FTP login credentials unencrypted. Then it sends fetched informations to a remote host which (by the cover of night) logs into the FTP servers and infects PHP base web-pages by injecting a piece of JavaScript code, that gets executed when a user enters a site.

He describes the injected code, what kind of files the malware looks for when it executes and how you can fix the problem if you've already been infected. There's also a bit about how you can prevent yourself from being infected (including the suggestion of using something like KeePass or 1Password to manage and create harder to crack passwords).

tagged: malware javascript infect phpkryptikab ftp