Friday, June 7, 2013
PHP encoded malware
Here's a cool one: a single (long) line of injected PHP that unpacks to a little porn server that retrieves its porn from elsewhere. Neat attack. How it gets injected I don't know, but in that discussion this other thing came up: an Apache exploit that doesn't change the filesystem at all - it patches the live httpd process. That's freaking cool! It would be pretty brittle, though; recompile with some minor changes and it's not going to work. Monocropping is a bad thing.
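A triage heuristic for the first case, as an added example that is not from this post or the linked discussion: flag any line of a PHP file that is both very long and made up mostly of encoded-looking character runs. The thresholds and the base64/hex alphabet are assumptions, since the post does not say how the payload was encoded, and the sample inputs are constructed.

```python
import re

# Assumed thresholds (not from the post); tune them against your own code base.
MIN_LINE_LEN = 1000     # what counts as a "single (long) line"
MIN_BLOB_LEN = 200      # shortest unbroken run treated as an encoded blob
MIN_BLOB_RATIO = 0.6    # share of the line that must consist of such runs

# Unbroken runs of base64/hex alphabet characters (the encoding is an assumption).
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{%d,}" % MIN_BLOB_LEN)


def suspicious_lines(php_source):
    """Return (line_number, length, blob_ratio) for long, mostly-encoded lines."""
    hits = []
    for number, line in enumerate(php_source.splitlines(), start=1):
        if len(line) < MIN_LINE_LEN:
            continue
        blob_chars = sum(len(m.group(0)) for m in BLOB_RE.finditer(line))
        ratio = blob_chars / len(line)
        # Long lines of ordinary code are broken up by spaces, quotes and
        # punctuation, so they score near zero here and are not reported.
        if ratio >= MIN_BLOB_RATIO:
            hits.append((number, len(line), round(ratio, 2)))
    return hits


# Constructed sample: a legitimate file that happens to contain one long line.
CLEAN = (
    "<?php\n// ordinary template\necho 'hello';\n"
    "$a = array(" + ", ".join("'item %d'" % i for i in range(200)) + ");\n"
)

# Constructed sample: the same file with one long encoded line prepended.
# The blob is filler text, not a real payload.
INJECTED = (
    "<?php $x='" + "QUJD" * 1000 + "'; /* hypothetical unpack call */ ?>\n" + CLEAN
)

if __name__ == "__main__":
    for name, source in (("clean", CLEAN), ("injected", INJECTED)):
        print(name, suspicious_lines(source))
```

A hit is a reason to diff the file against a known-good copy, not a verdict; legitimately embedded data such as inline images can trip the same heuristic.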