Troj/PHPMod-A: Behind the Troj/JSRedir-R attacks.

Yesterday, Onur posted about how prevalent detections of Troj/JSRedir-R are. Today we have released detection for one of the culprits behind the mass defacement (Troj/PHPMod-A).

The site Unmask has recently blogged on this issue. If you think that your website has been defaced or is being detected as Troj/JSRedir-R, please send SophosLabs the following:

  • the .htaccess file(s)
  • any new files matching image.php
  • any other file modified on your server.
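
One way to gather those files on an Apache-style host (an added example, not SophosLabs code; the function names, the paths in the usage comment and the 7-day window are assumptions):

```shell
#!/bin/sh
# Added example (not SophosLabs code). Function names are hypothetical.
# Usage: bundle_candidates /var/www/html 7 /root/sample.tar
#   (web root, look-back window in days, output path: all assumptions;
#    keep the output path outside the web root)

# Prefix each path read from stdin with a reason and a tab.
tag() { while IFS= read -r f; do printf '%s\t%s\n' "$1" "$f"; done; }

# Print "reason<TAB>path" for every file the post asks for.
list_candidates() {
    webroot=$1
    days=${2:-7}
    [ -d "$webroot" ] || { echo "not a directory: $webroot" >&2; return 1; }
    # .htaccess files, whatever their age
    find "$webroot" -type f -name '.htaccess' | tag htaccess
    # files named image.php
    find "$webroot" -type f -name 'image.php' | tag image.php
    # any other file modified within the last $days days
    find "$webroot" -type f -mtime "-$days" \
        ! -name '.htaccess' ! -name 'image.php' | tag modified
}

# Save the listing as OUT.list and pack the listed files into OUT.
bundle_candidates() {
    out=$3
    list_candidates "$1" "$2" > "$out.list" || return 1
    cut -f2- "$out.list" | tar -cf "$out" -T -
}
```

The archive keeps each file's modification time, and the `.list` file records why each file was picked.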

If your site was infected I suggest that you:

  • Take the site down to protect other Internet users.
  • Replace the contents of the site with a known clean backup.
  • Change all passwords on the site (including FTP credentials).
  • Patch all of the site's software.
  • Reload the site.

If you have any comments please contact me via