Encoded XSS / Injection
Exploit Attack
This virus / malware is normally uploaded to websites using XSS exploits, SQL injection or flaws in poorly written code. It takes advantage of many of PHP's built-in functions and classes to gain control of web server systems.
The file names vary, but examples we have seen include xtobi.php, nowar.php, email.php, ghost.php, arfou.php and flunk.php.
Once control is established, the attacker can upload and use an SMF to view virtually every file located on the server. In some cases the SMF also includes advanced functions such as reading, copying, deleting and sending (via email) any files, passwords or data on the server.
The script starts by attempting to find any data sources located on the server: it tests whether particular database formats are in use (MySQL, MSSQL, Oracle, PostgreSQL) and, where one is found, attempts to connect to the database(s) and retrieve all the information they contain.
Sample Extract Of PHP RST Backdoor DB 'Sniffing'
function connect()
{
    switch($this->db)
    {
        case 'MySQL':
            if(empty($this->port)) { $this->port = 'MYSQLPORTxxxx'; }
            // Probe for the extension first so an absent driver fails silently
            if(!function_exists('mysql_connect')) return 0;
            // '@' suppresses warnings, so a failed attempt leaves no PHP error in the logs
            $this->connection = @mysql_connect($this->host.':'.$this->port,$this->user,$this->pass);
            if(is_resource($this->connection)) return 1;
            break;
        case 'MSSQL':
            if(empty($this->port)) { $this->port = 'MSSQLPORTxxxx'; }
            if(!function_exists('mssql_connect')) return 0;
            $this->connection = @mssql_connect($this->host.','.$this->port,$this->user,$this->pass);
            if($this->connection) return 1;
            break;
        case 'PostgreSQL':
            if(empty($this->port)) { $this->port = 'POSTGRESQLPORTxxxx'; }
            $str = "host='".$this->host."' port='".$this->port."' user='".$this->user."' password='".$this->pass."' dbname='".$this->base."'";
            if(!function_exists('pg_connect')) return 0;
            $this->connection = @pg_connect($str);
            if(is_resource($this->connection)) return 1;
            break;
        case 'Oracle':
            if(!function_exists('oxxxxxxxxxon')) return 0;
            $this->connection = @ocilogon($this->user, $this->pass, $this->base);
            if(is_resource($this->connection)) return 1;
            break;
    }
    // No driver matched or every connection attempt failed
    return 0;
}
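The probe pattern in the extract (a function_exists() check on each driver followed by an '@'-suppressed connect call) is a usable detection signature for webroot scans. The Python scanner below is an added example written for this write-up, not code from the backdoor or from the write-up's author; the two PHP samples it scans are constructed, the file-name list is the one given above, and it assumes the redacted Oracle function name is ocilogon, as the call on the following line of the extract shows.

```python
import re
import tempfile
from pathlib import Path
# File names the write-up reports for this backdoor.
KNOWN_NAMES = {"xtobi.php", "nowar.php", "email.php",
               "ghost.php", "arfou.php", "flunk.php"}
# The extract probes each driver with function_exists() and then calls the
# connector with '@' error suppression; normal application code rarely probes
# several different database drivers from one file.
DRIVERS = r"(mysql_connect|mssql_connect|pg_connect|ocilogon)"
PROBE_RE = re.compile(r"function_exists\(\s*['\"]" + DRIVERS + r"['\"]\s*\)")
SUPPRESSED_RE = re.compile(r"@\s*" + DRIVERS + r"\s*\(")
# Constructed samples: a cut-down copy of the backdoor's probe and an ordinary app.
SAMPLE_SHELL = """<?php
switch($db) { case 'MySQL':
    if(!function_exists('mysql_connect')) return 0;
    $c = @mysql_connect($host.':'.$port,$user,$pass); break;
case 'PostgreSQL':
    if(!function_exists('pg_connect')) return 0;
    $c = @pg_connect($str); break; }
"""
SAMPLE_APP = """<?php
$c = mysqli_connect('localhost', 'app', getenv('DB_PASS'), 'shop');
"""

def score_source(src: str) -> dict:
    """Flag a file that probes for, and silently connects to, two or more drivers."""
    probes = sorted(set(PROBE_RE.findall(src)))
    suppressed = sorted(set(SUPPRESSED_RE.findall(src)))
    return {"probes": probes, "suppressed": suppressed,
            "suspicious": len(probes) >= 2 and len(suppressed) >= 2}

def scan_dir(root: Path) -> list:
    """Return (relative path, result) for each PHP file that deserves a closer look."""
    hits = []
    for p in sorted(root.rglob("*.php")):
        r = score_source(p.read_text(errors="replace"))
        r["known_name"] = p.name in KNOWN_NAMES
        if r["suspicious"] or r["known_name"]:
            hits.append((p.relative_to(root).as_posix(), r))
    return hits
def demo() -> list:
    """Write both samples into a temporary web root and return the flagged paths."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "images").mkdir()
        (root / "images" / "ghost.php").write_text(SAMPLE_SHELL)
        (root / "db.php").write_text(SAMPLE_APP)
        return [path for path, _ in scan_dir(root)]
```

Point scan_dir() at a real web root to list files that either carry a known name or show the multi-driver probe; a name match alone is a weak signal, so the probe pattern is what warrants review.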
Write Up By: Baz {FireStorm}
Website Owners
It is imperative that all query-string and form data is rigorously validated and fully sanitised before it is used in a database query.
All upload pages should be specifically secured; PHP sites that offer unrestricted upload options are particularly vulnerable to this type of attack. All session objects should be subject to the same checks. Simply checking 'Server Variables' is not acceptable protection, as these can be spoofed. Restricting database rights is important on high-use front-end web applications: only grant what is absolutely essential.
What Can I Do?
We can offer you a specially designed package to protect your website against attacks by this notoriously difficult-to-clean Trojan. Our package can usually be installed onto your website and database very quickly, offering almost instant protection. We can also repair and rebuild your corrupt database and have you back up and running in no time at all. Contact us now for a highly competitive quote. Website solutions to the AspRox Trojan start from £49.99.