Troj/PHPMod-A: Behind the Troj/JSRedir-R attacks.

Filed Under: SophosLabs

Yesterday, Onur posted showing how prevalent detections of Troj/JSRedir-R are. Today we have released detection for one of the culprits for the mass-defacement (Troj/PHPMod-A).

The site Unmask has recently blogged on this issue. If you think that your website has been defaced or is being detected as Troj/JSRedir-R then can you please send SophosLabs the following:

  • the .htaccess file(s)
  • any files new files matching image.php
  • and any other file modified on your server.

If your site was infected I suggest that you:

  • Take the site down to protect other Internet users.
  • Replace the contents of the site with a known clean backup
  • Change all password on the site (including FTP credentials)
  • Patch all the sites software
  • Reload the site.

If you have any comments please contact me via


You might like

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s