Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PHP file found on flash drive - how could it have been used? 1

Status
Not open for further replies.

OsakaWebbie

Programmer
Feb 11, 2003
628
JP
On a trip where I used a PortableApps-equipped flash drive on hotel computers, I picked up a hitchhiker: a malicious file on my flash drive (no surprise!). But what I can't figure out is how it could have been used by hackers, and whether there is more on my system that I should be looking for.

It was a PHP file nestled in a folder of photos, and avast! identified the malware as "PHP:Shell-DC [Trj]". And yup, it is definitely a file of nefarious-looking PHP code. But since I have no web server or PHP interpreter running on my ordinary Windows XP machine, I don't know how anyone could use the file to their advantage. However, I'm pretty sure that someone was indeed using it, because my internet access was really, really slow ever since I had gotten back from my trip (yes, I use the same flash drive on my home computer) and it recovered as soon as that file was quarantined. I tried looking up the trojan on the web, but I couldn't find much of anything ( and other pages linked therein don't say anything about PHP files used for this trojan). Does anyone know how a PHP file on a non-webserver machine could be accessed from outside? I'm concerned that I need to look for a hidden webserver or something else that avast! didn't spot.
 
My guess, and it is little more than a slightly educated guess, is that it is a script designed to allow backdoor connections. Searching for the terms you used doesn't show a lot of information other than stating that various antivirus applications detect it under different names. This link might be useful to you, though:
Normally, a PHP file isn't going to do much good unless it is executed, or rather interpreted by a webserver, or another PHP interpreter. One of the most common malware tactics is to throw as much out there as possible and hope to get a small percentage as a hit. Another tactic is to hijack rides, like fleas on a dog, infecting systems like USB sticks and eventually make its way to a target. This is how Stuxnet worked if I recall correctly.

My concern with Windows is that it uses file type extensions and automatically tries to execute almost everything that it comes into contact with. A side effect of the machine is smarter than the user mentality that it seems to have been designed around. This too was the basis of certain malware attacks. Whether or not it managed to do anything on your machine without a webserver is a valid question, one in which I don't have a ready answer for. However, you mentioned that your machine performance has changed, which is also one of the first recognized signs of a problem.

If it is a backdoor utility, it could be active or passive; meaning either phone home with an outbound connection or open a port and wait passively. If you have a software firewall, it may have acted to prevent outbound connections. If you have a firewall (without uPnP enabled) if should prevent inbound connections, meaning the chance of an active intrusion is lessened. At a minimum I would run some thorough scans of your machine with some good anti-malware utilities. I would use something like sys-internals to examine the process tree and especially see what processes have network ports open and look for any active connections. Standby for more, possibly better, responses.
 
Noway2 said:
My guess, and it is little more than a slightly educated guess, is that it is a script designed to allow backdoor connections.
I'm even more confident that it is exactly that (having glanced at its code a bit). It looks nothing like the code at the link you referenced, though.
Noway2 said:
My concern with Windows is that it uses file type extensions and automatically tries to execute almost everything that it comes into contact with.
I also had that concern, which is why I opened the file in Notepad to have a peek. It was pretty big for a PHP file, but it appeared to be pure PHP, nothing binary that Windows could execute without an interpreter. I was just nervous that there was an interpreter on my machine that was running without my knowledge.

The machine is behind a router with standard security settings (NAT enabled, and no inbound connections allowed), so even if there was an interpreter running, it is doubtful that it could have been summoned from outside - it would have had to have some sort of internal action of its own. But after I wrote my first post a couple other odd things happened - for the second time since returning from the trip one of my Windows theme colors changed to some sort of default (but only one color, making an odd combination), and last night while working on my finances my accounting software data file got corrupted (big bummer for me - I think I'll have to enter everything for 2012 again!!!). My first guess is that the cause of those things is a failing hard drive or something else flaky with my system itself (not malware), but at my husband's suggestion, I took the following actions:
[ol 1]
[li]A system restore to the point right before the trip[/li]
[li]Uninstall and reinstall of avast! from a fresh download[/li]
[li]Full virus scan of the computer and flash drive (everything is clean)[/li]
[/ol]
Next I ran the tool that checks the disk for errors (focusing on the disk where my accounting file was, since that's my most immediate need) and checked both the options to repair stuff. Hours later it finished but didn't say anything other than the fact that it finished, so I don't really know whether it found any problems.

Meanwhile, the back-to-normal internet access response was temporary - it's back to being frustratingly sluggish...[sad] My husband has no such troubles with his PC (even though mine is wired and his is wifi), so the problem is definitely my PC, not our internet.
 
CHKDSK should have an entry in Event Viewer (assuming windows 7)

I wouldn't rush to blame malware for the sluggishness. There are lots of reasons from a hardware perspective why your internet is slow. Have you done any troubleshooting in that arena? Have you tested the speed or is it your gut feel?? speedtest.comcast.net

Run AUTORUNS and look for suspicious entries.
Run HIJACKTHIS and look for suspicious entries.
If you want to run more in depth scanners, you could try GMER or Emsisoft scanner
If you still want more scanning, remove your anti-virus, reboot and run COMBOFIX.
 
I have Windows XP, and the GUI-style check disk tool that is run from the Properties dialog (as opposed to at boot time) does not leave any log file. I could run it again as part of booting just to get a log in Event Viewer, but the rumor is that if there were any problems found, the "I'm finished" alert would have said so.

No, I haven't run any metrics, but the gut feel is quite a dramatic difference. Occasionally stuff comes up more normally, but about 80% of the time, pages load in something like 10 times the time they took to load prior to about a week ago. Perhaps something "snapped" in my registry or something, but the change was pretty decisive.

I had never heard of Autoruns - intriguing! I looked through the various sections - I'm no expert, but everything seemed to belong to something I know is on my system. Nothing particularly suspicious-looking. I disabled some things that were in my registry but the file was not found (no point in trying to load things that aren't there), but I didn't do any other changes.

Since I'm pretty sure my system is clean of malware after restoring back to a point in January, I'll just remember the others you named for later. I have seen the output of HijackThis on forums - I wouldn't have any idea how to interpret what it says, but it's good to be reminded of its existence. The others are new to me, but I'll read up on them.

I had been considering getting a new PC, because this one's various parts have been gradually breaking lately. I had been procrastinating because I really don't have time to review different specs and models, go shopping, install all my stuff again, learn and configure Windows 7 (yes, I have been clinging to XP), etc. But this slowness may be the proverbial straw on the camel's back.
 
(no point in trying to load things that aren't there)
Yes, good that you did that. You have to be careful what you disable in Autoruns or the PC may not boot if you disable the disk controller or the wrong driver.

You can post the HiJackThis log here if you want. Nothing personal is included.

If you want to wait and see what happens, that's fine. However, if it's NOT just internet that is slow (general booting and using windows explorer), I would be concerned that the hard drive might be going to die. In that case, I would run the manufacturer's diagnostic test to check it out.

Figure out your hard drive brand in the BIOS or by opening the case and looking. Then get the correct tool for it.
 
Fortunately it's just internet. In fact, even POP3 doesn't seem slow (once again, gut feel only) - just HTTP. I already had the hard drive ordeal with my second hard drive (that was used for video projects and footage), which died suddenly about two months ago (I came in the room and it was clacking!), so I've been more diligent about backups since then.

I looked at the page you linked, and it seems that those tools are for bootable CDs, which makes sense. Unfortunately I learned during my other hard drive ordeal that of my two optical drives, only the one that no longer opens (like I said, stuff on this machine keeps breaking!) can be booted from - perhaps if I disconnected that drive I might be able to get the BIOS to check the working one during booting, but as it stands, that isn't happening. I really should just get a new computer...[bomb]
 
Umm, you know that you can't build a Ferrari from a Volkswagon Beetle. Without a bootable CD, you need a floppy to run some of those tests, but I'm not sure all of them can be run from a floppy. Some CAN be run from within Windows, but I generally like to use a bootable tool just to get windows out of the way.

Not sure what to tell you other than "you've got problems". Choose which one you want to solve first OR get a new computer and solve them all at the same time.

You might want to reset the IP stack on that machine - what the heck. Try this tool and then REBOOT.
 
Yes, I know all of that. And I don't have a floppy drive, in case you are wondering. As of the last sentence of my previous post, I had decided to research and buy a new computer as soon as my current rush is over. (A Japanese tax accountant is coming tomorrow to review my taxes [in Japan, taxes are due in March, not April], but I haven't finished because I had to spend the last couple days re-entering all my 2012 financial data after the file got corrupted.) Computer shopping is not trivial in my case, because whatever machine I get will probably be used for HD video editing starting next year, so I have to research components carefully.

I definitely am not trying to build a Ferrari from a Beetle - I have no plans to replace any of the parts, because I know the computer is old. (A Dell rep blamed the heat of the Pentium D processor for the failure rate of the various components, but I wonder if Dell was just building weak machines five years ago... who knows.)

Thanks for all your help! (The star is for all your posts in general, and like I said, I will remember for the future the various tools you referenced.)
 
Thank you and I'm glad to help. If English is your second language - WOW. You have a better command of the language than 1/3 of native speakers. Pathetic comment on our society though.
 
Better than 1/3... that means worse than 2/3... hmm, then I should improve, because I'm actually an American living in Japan! [wink]
So for me, the challenges cut the other direction, e.g. my Japanese computer with Japanese software (including the accounting software where I had the massive re-entering session the last couple days) and these Japanese tax forms all over my desk...[3eyes]
 
I know - I was just chuckling about it. Thanks again, and have a great week!
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top