Hacker News new | past | comments | ask | show | jobs | submit login

The attacker obfuscated "base64_decode" part but not "eval". It's not the first time I see base64_decode() being more the focus of attention than eval, I don't know where it originates from.

Also, if cron infected the PHP files I wonder what infected the crontab. :\

I'd expect the old insecure joomla install was the original source of the infection, the cron was just there to automatically re-infect it without the attacker needing to run the same remote exploit repeatedly

Presumably PHP itself, no? Assuming it was running with a few too many permissions, or even under root...

It's the web user's own crontab judging by the lack of username in the file.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact