Troj/PHPMod-A: Behind the Troj/JSRedir-R attacks.

by SophosLabs on May 14, 2009 | Leave a comment

Filed Under: SophosLabs

Yesterday, Onur posted showing how prevalent detections of Troj/JSRedir-R are. Today we have released detection for one of the culprits for the mass-defacement (Troj/PHPMod-A).

The site Unmask Parasites.com has recently blogged on this issue. If you think that your website has been defaced or is being detected as Troj/JSRedir-R then can you please send SophosLabs the following:

  • the .htaccess file(s)
  • any files new files matching image.php
  • and any other file modified on your server.

If your site was infected I suggest that you:

  • Take the site down to protect other Internet users.
  • Replace the contents of the site with a known clean backup
  • Change all password on the site (including FTP credentials)
  • Patch all the sites software
  • Reload the site.

If you have any comments please contact me via sophosblog@sophos.com.

Tags: ,

You might like

Image (1) bb-ny.jpg for post 25297 Troj/JSRedir-AU: Troj/JSRedir-AK redux?
Troj/JSRedir-AK: 40% of a month's malware Troj/JSRedir-AK: 40% of a month's malware
Image (1) gumb1.jpg for post 24637 Gumblar revisited
Image (1) malwaregraph-may6-13.jpg for post 23639 ...And We Have A Winner!

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Cancel

Connecting to %s