Friday, June 7, 2013

PHP encoded malware

Here's a cool one: a single (long) line of injected PHP that unpacks to a little porn server that retrieves its porn from elsewhere.  Neat attack.  How it gets injected I don't know, but in that discussion this other thing came up: an Apache exploit that doesn't change the filesystem at all - it patches the live httpd process. That's freaking cool!  It would be pretty brittle, though; recompile with some minor changes and it's not going to work. Monocropping is a bad thing.

No comments:

Post a Comment