False Positive: php.net Malware Alert
Update: Barracuda posted a more detailed analysis and packet capture showing that php.net may indeed have been compromised and delivered a malicious Flash file: http://barracudalabs.com/2013/10/php-net-compromise/ (thanks to David for pointing this out)
Earlier today, Google added php.net to its list of malicious sites. The listing was a false positive triggered by an obfuscated JavaScript file that is a legitimate part of the php.net site. At this point, the false positive appears to have been resolved.
Sadly, Google is notoriously slow in removing false positives like this. It helps if the site's administrator is signed up with Google Webmaster Tools: a request for review can then be filed via Webmaster Tools, and the administrator is notified by e-mail if the site is added to the blocklist.
For more details, see:
https://productforums.google.com/forum/#!topic/webmasters/puLmvjtK0m8%5B1-25-false%5D
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Comments
I've never seen malware with that wide of a variety in one executable.
These addresses had back and forth UDP communications.
124.43.201.66 SRI LANKA
190.206.224.248 VENEZUELA, BOLIVARIAN REPUBLIC OF
202.29.179.251 THAILAND
24.142.33.67 CANADA
These addresses were sent UDP but never answered back
105.129.8.196 MOROCCO
112.200.137.206 PHILIPPINES
113.162.57.138 VIET NAM
114.207.201.74 KOREA, REPUBLIC OF
118.175.165.41 THAILAND
121.73.83.62 NEW ZEALAND
153.166.2.103 JAPAN
178.34.223.52 RUSSIAN FEDERATION
182.160.5.97 MONGOLIA
185.12.43.63 MONTENEGRO
186.55.140.138 URUGUAY
186.88.99.237 VENEZUELA, BOLIVARIAN REPUBLIC OF
187.245.116.205 MEXICO
197.228.246.213 SOUTH AFRICA
197.7.33.65 TUNISIA
202.123.181.178 LAO PEOPLE'S DEMOCRATIC REPUBLIC
203.81.69.155 MYANMAR
212.85.174.80 SLOVENIA
218.186.195.105 SINGAPORE
219.68.96.128 TAIWAN, PROVINCE OF CHINA
31.169.11.208 KAZAKHSTAN
37.237.75.66 IRAQ
37.243.218.70 SAUDI ARABIA
46.40.32.154 SERBIA
5.102.206.178 ISRAEL
5.12.127.206 ROMANIA
5.234.117.85 IRAN, ISLAMIC REPUBLIC OF
5.254.141.186 SWEDEN
70.45.207.23 PUERTO RICO
72.252.207.108 UNITED STATES
78.177.67.219 TURKEY
79.54.68.43 ITALY
84.202.148.220 NORWAY
92.245.193.137 SLOVAKIA
93.116.10.207 MOLDOVA, REPUBLIC OF
95.180.241.120 MACEDONIA, THE FORMER YUGOSLAV REPUBLIC OF
95.68.74.55 LATVIA
Anonymous
Oct 24th 2013
http://php.net/archive/2013.php#id2013-10-24-1
Anonymous
Oct 24th 2013
/userprefs.js (Malicious JS)
hxxp://url.whichusb.co.uk/stat.html (Redir)
hxxp://url.whichusb.co.uk/PluginDetect_All.js (Plugin Detect)
hxxp://url.whichusb.co.uk/stat.htm (POST)
hxxp://aes.whichdigitalphoto.co.uk/nid?1 (Redir)
hxxp://zivvgmyrwy.3razbave.info/?695e6cca27beb62ddb0a8ea707e4ffb8=43 (Magnitude Gate)
hxxp://zivvgmyrwy.3razbave.info/b0047396f70a98831ac1e3b25c324328/8fdc5f9653bb42a310b96f5fb203815b.swf (404)
hxxp://zivvgmyrwy.3razbave.info/b0047396f70a98831ac1e3b25c324328/b7fc797c851c250e92de05cbafe98609 (CVE-2013-2551)
Anonymous
Oct 24th 2013
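The two comments above post raw indicators: a UDP peer list with country labels, and a defanged (hxxp) redirect chain annotated with each URL's role. Before such a list can feed a proxy or firewall blocklist it has to be refanged, parsed and sanity-checked. The script below is an added example, not code from the ISC diary or from the commenters; the indicator lines are copied from the comments, the section-header strings it keys on are the commenters' own wording, and the blocklist functions (`hosts_to_block`, `ips_to_block`) are assumptions about how a defender would consume the result.

```python
"""Normalize the indicators posted in the comments into structured blocklist
entries. Added example, not part of the ISC diary or the commenters' posts."""
import ipaddress
import re
from urllib.parse import urlsplit

# Defanged URL chain as posted in the second comment (role tag in parentheses).
URL_LINES = """\
/userprefs.js (Malicious JS)
hxxp://url.whichusb.co.uk/stat.html (Redir)
hxxp://url.whichusb.co.uk/PluginDetect_All.js (Plugin Detect)
hxxp://url.whichusb.co.uk/stat.htm (POST)
hxxp://aes.whichdigitalphoto.co.uk/nid?1 (Redir)
hxxp://zivvgmyrwy.3razbave.info/?695e6cca27beb62ddb0a8ea707e4ffb8=43 (Magnitude Gate)
hxxp://zivvgmyrwy.3razbave.info/b0047396f70a98831ac1e3b25c324328/8fdc5f9653bb42a310b96f5fb203815b.swf (404)
hxxp://zivvgmyrwy.3razbave.info/b0047396f70a98831ac1e3b25c324328/b7fc797c851c250e92de05cbafe98609 (CVE-2013-2551)
"""

# Subset of the UDP peer list from the first comment, with its two section headers.
IP_LINES = """\
These addresses had back and forth UDP communications.
124.43.201.66 SRI LANKA
190.206.224.248 VENEZUELA, BOLIVARIAN REPUBLIC OF
These addresses were sent UDP but never answered back
105.129.8.196 MOROCCO
5.254.141.186 SWEDEN
"""

# "<url-or-path> (<role>)"; the role may contain spaces but not a closing paren.
URL_RE = re.compile(r"^(?P<url>\S+)\s*\((?P<role>[^)]*)\)\s*$")


def refang(s):
    """Undo common defanging conventions: hxxp -> http, [.] -> ., (dot) -> ., [:] -> :."""
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)
    return s.replace("[.]", ".").replace("(dot)", ".").replace("[:]", ":")


def parse_url_indicators(text):
    """Return one dict per indicator line: host (None for a bare path), path, query, role."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = URL_RE.match(line)
        if not m:
            raise ValueError(f"unparseable indicator line: {line!r}")
        raw = m.group("url")
        fanged = refang(raw)
        if fanged.startswith("/"):
            # Path-only indicator: the comment does not say which host served it.
            host, path, query = None, fanged, ""
        else:
            parts = urlsplit(fanged)
            host, path, query = parts.hostname, parts.path, parts.query
        out.append({"host": host, "path": path, "query": query,
                    "role": m.group("role"), "defanged": raw})
    return out


def parse_ip_indicators(text):
    """Return one dict per IP line, tagged with the section it appeared under."""
    out = []
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("These addresses had"):
            section = "bidirectional"
            continue
        if line.startswith("These addresses were"):
            section = "unanswered"
            continue
        ip_str, _, country = line.partition(" ")
        ip = ipaddress.ip_address(ip_str)  # raises ValueError on a typo in the post
        # Never push non-routable space into a blocklist on the strength of a forum post.
        if ip.is_private or ip.is_loopback or ip.is_multicast or ip.is_reserved:
            continue
        out.append({"ip": str(ip), "country": country, "contact": section})
    return out


def hosts_to_block(url_indicators):
    """Exact hostnames to block. Deliberately not widened to the registered domain:
    a naive 'last two labels' rule would turn url.whichusb.co.uk into co.uk."""
    return sorted({i["host"] for i in url_indicators if i["host"]})


def ips_to_block(ip_indicators, bidirectional_only=True):
    """IPs to block, numerically sorted. By default only peers that actually talked back,
    since a one-way UDP probe target may be a spoofed or long-dead address."""
    chosen = [i["ip"] for i in ip_indicators
              if not bidirectional_only or i["contact"] == "bidirectional"]
    return [str(a) for a in sorted(ipaddress.ip_address(x) for x in chosen)]


if __name__ == "__main__":
    for ind in parse_url_indicators(URL_LINES):
        print(f"{ind['role']:15} {ind['host'] or '(path only)'} {ind['path']}")
    print("hosts:", hosts_to_block(parse_url_indicators(URL_LINES)))
    print("ips:", ips_to_block(parse_ip_indicators(IP_LINES)))
```

The stat.html / PluginDetect_All.js / stat.htm sequence is the usual fingerprint-then-redirect pattern, so blocking the three hostnames breaks the chain at the first hop regardless of which php.net file was actually modified; the per-role tags are kept so that the final CVE-2013-2551 URL can be matched separately in proxy logs to find hosts that reached the exploit rather than just the gate.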