Yesterday, Onur posted showing how prevalent detections of Troj/JSRedir-R are. Today we have released detection for one of the culprits behind the mass defacement (Troj/PHPMod-A).
The site Unmask Parasites.com has recently blogged on this issue. If you think that your website has been defaced or is being detected as Troj/JSRedir-R, please send SophosLabs the following:
- the .htaccess file(s)
- any new files matching image.php
- and any other file modified on your server.
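One way to gather those three kinds of file from a Linux web server, as an added example that is not SophosLabs tooling: the web root path, the 7-day window for "modified" and the archive name are assumptions to adjust for your own server.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): collect the files listed above.
# Usage after sourcing this file (paths are placeholders):
#   bundle_suspects /var/www/example-site 7 /root/suspects.tar.gz

# collect_suspects WEBROOT [DAYS]
# Prints one path per line: every .htaccess file, every file named image.php,
# and every regular file modified within the last DAYS days (default 7).
# Name matches are reported regardless of age, since timestamps can be reset.
# Limitation: paths containing newlines are not handled.
collect_suspects() {
    local webroot="$1" days="${2:-7}"
    [ -d "$webroot" ] || { echo "not a directory: $webroot" >&2; return 1; }
    find "$webroot" -type f \
        \( -name '.htaccess' -o -name 'image.php' -o -mtime "-$days" \) \
        | sort
}

# bundle_suspects WEBROOT DAYS ARCHIVE
# Packs the collected files into a gzip-compressed tar archive, keeping their
# paths and modification times, and prints how many files were packed.
# Write ARCHIVE outside WEBROOT so the archive does not include itself.
bundle_suspects() {
    local webroot="$1" days="$2" archive="$3" list count
    list=$(mktemp) || return 1
    if ! collect_suspects "$webroot" "$days" > "$list"; then
        rm -f "$list"
        return 1
    fi
    count=$(wc -l < "$list")
    if [ "$count" -gt 0 ]; then
        # tar drops the leading "/" from absolute paths and says so on stderr.
        tar -czf "$archive" -T "$list" 2>/dev/null || { rm -f "$list"; return 1; }
    fi
    rm -f "$list"
    echo "$count"
}
```

Run it before restoring from backup, since the restore overwrites the modified files.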
If your site was infected I suggest that you:
- Take the site down to protect other Internet users.
- Replace the contents of the site with a known clean backup.
- Change all passwords on the site (including FTP credentials).
- Patch all the site's software.
- Reload the site.
If you have any comments please contact me via sophosblog@sophos.com.