28 June 2013, 18:32   #8
AmiBay MegaMod
Merlin
Join Date: Mar 2007
Location: Manchester, UK
Age: 59
Posts: 1,163

It may be an SQL injection attack (BlackHole exploit) designed to inject a JavaScript file that edits the root PHP files and adds an eval redirect - PHP/Kryptik.AB Trojan is one example. This edits the root PHP files on the server end (index.php mostly) and hides among the PHP files, so tracking the bugger down can be awkward. I suggest that you replace the main root PHP files with known good, write-protected backups if you can. The infected file might also be called sys_engine9181.php or similar. We finally identified the attack as a "Web Shell by oRb" backdoor script.

One symptom that you see is that the root of a site may be affected, but sub folders of the site work, when accessed via something such as Google. That hints at an infected index.php file. Scifi's comments above hint at something like this.

I hope that this is useful.
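Added example (not part of the original post): one way to act on the advice above is to compare the live PHP files against a known-good backup and flag files that were changed, files that were added, and files containing eval wrapped around a decoder call. The function names, the regex heuristic and the sample files are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic (assumption, not from the post): eval() wrapped around a decoder call.
EVAL_DECODER = re.compile(
    rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)


def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_webroot(webroot, backup):
    """Compare live PHP files with a known-good backup and flag eval-decoder code."""
    webroot, backup = Path(webroot), Path(backup)
    report = {"modified": [], "added": [], "suspicious": []}
    for live in sorted(webroot.rglob("*.php")):
        rel = live.relative_to(webroot).as_posix()
        good = backup / rel
        if not good.is_file():
            report["added"].append(rel)        # file with no counterpart in the backup
        elif sha256(good) != sha256(live):
            report["modified"].append(rel)     # e.g. a tampered index.php
        if EVAL_DECODER.search(live.read_bytes()):
            report["suspicious"].append(rel)
    return report


def demo():
    """Build a constructed backup/webroot pair in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for root in (backup, live):
            (root / "forum").mkdir(parents=True)
            (root / "index.php").write_text("<?php echo 'home'; ?>\n")
            (root / "forum" / "index.php").write_text("<?php echo 'forum'; ?>\n")
        # Constructed tampering: harmless payload ("echo 1;") behind eval/base64.
        (live / "index.php").write_text(
            "<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n<?php echo 'home'; ?>\n")
        # Extra file using the name mentioned in the post; contents are a placeholder.
        (live / "sys_engine9181.php").write_text("<?php /* placeholder */ ?>\n")
        return audit_webroot(live, backup)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

A file listed under "added" or "modified" is a candidate for manual review and restoration from the backup; the regex only catches one obfuscation style, so the hash comparison is the more reliable signal.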