Re: [Security Weekly] identifying php based malware

[Jim Halfpenny <jim.halfpenny () gmail com>]

Hi Robin,
You might want to try sending it to a company that specialises in
website malware like Sucuri (https://sucuri.net/). I'm not certain if
they can help but they either might give you a quick answer or be
interested in the sample for their own research.

Jim

On 18 July 2014 13:18, Robin Wood <robin@digi.ninja> wrote:
> I've got a client whose website has just been hacked by what looks like an
> automated script which has dropped a single, very long, line of php at the
> start of every php file on the site.
>
> My guess is that a script got the FTP creds off a developer and used those
> to do the work but I'd like to know more. I'm not looking to deobfuscate the
> php, that is too much effort for this job, but I was wondering if there were
> any sites like Virus Total where I could upload a line of php and get at
> least the family of malware that it belongs to. Each page it has added
> itself to obfuscated in a different way so there isn't a fixed fingerprint I
> can just google for, it would take something that could do some basic
> analysis on the code first.
>
> Anyone any ideas?
>
> Robin
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail securityweekly com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail securityweekly com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com