{
	"id": "318245e8-568d-44ef-a287-cb283dc2673f",
	"created_at": "2026-04-06T00:14:53.642811Z",
	"updated_at": "2026-04-10T13:12:34.102133Z",
	"deleted_at": null,
	"sha1_hash": "0369c3c9e557c50b5cf79b2117abd497d148e574",
	"title": "Malicious PHP Scripts on the Rise - Webroot Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 167698,
	"plain_text": "Malicious PHP Scripts on the Rise - Webroot Blog\r\nBy Blog Staff\r\nPublished: 2011-02-22 · Archived: 2026-04-05 12:45:57 UTC\r\nLast week, I gave a talk at the RSA Security Conference about malicious PHP scripts. For those who couldn’t\r\nattend the conference, I wanted to give you a glimpse into this world to which, until last year, I hadn’t paid much\r\nattention.\r\nMy normal week begins with a quick scan of malware lists — URLs that point to new samples — that come from\r\na variety of public sources. I started noticing an increasing number of non-executable PHP and Perl scripts\r\nappearing on those lists and decided to dig a little deeper.\r\nIn a lot of ways, PHP is an ideal platform for malicious Web pages. For programmers and techies, PHP is easy to\r\nlearn. Virtually all Web servers run the PHP engine, so there are vast numbers of potential “victims” (though the\r\nnumbers aren’t anything close to the number of Windows-using potential malware victims). And just like many\r\nforms of executable malware that runs on Windows — the type I’m more familiar with — the most successful\r\nmalicious PHP scripts permit their users (the criminals) to control and manipulate Web servers for their own\r\nbenefit and, most commonly, profit.\r\nHow Infections Happen\r\nWhen a Web server becomes “infected” with malicious PHP, it’s not the same as when a Trojan executes on a\r\nWindows desktop. The “infection process” involves little more than a criminal breaking and entering a Web server\r\nusing stolen FTP credentials, dropping off the files in directories accessible from the outside world, and logging\r\nout. This can be accomplished manually, one server at a time, but is more commonly done using automated\r\nprocesses that attempt to break into large numbers of servers using stolen (or brute-forced) FTP credentials.\r\nhttps://www.webroot.com/blog/2011/02/22/malicious-php-scripts-on-the-rise/\r\nPage 1 of 5\n\nThe most simplistic forms of malicious PHP scripts, shown above, simply redirect site visitors to a different page,\r\nbut can do so dynamically. The code shown here was pushed to a Web server whose owner’s FTP credentials had\r\nbeen stolen. Links to the page then were sent as spam email and instant messages, and people who clicked one of\r\nthose spammed links ended up redirected to one of three “Canadian Pharmacy” type Web sites selling\r\n“pharmaceuticals” — with each visitor redirected, at random, to one of the three URLs embedded in the script.\r\nEvery few minutes, the malicious script distributor’s automated process would upload a new version of this script,\r\ncontaining different URLs.\r\nWhile that behavior definitely qualifies as malicious, that’s not especially dynamic or even particularly interesting.\r\nWhat really caught my eye were the scripts that offered criminals remote access to the server’s file system, as well\r\nas scripts that, when executed, force servers to join botnets.\r\nPHP Malware types\r\nThe most commonly distributed botnet client is a script that its author named Pbot. When executed — and, by\r\nexecuted, I mean when someone browses to the page on a Web server where the file is located – it launches a\r\nprocess that connects to whatever Internet Relay Chat server the Pbot’s owner has configured it to join.\r\nThe highly capable, configurable script comes with full instructions, which include the ability to execute arbitrary\r\ncommands, inject PHP scripts or instructions, or engage in attacks against other servers. It also typically contains a\r\n“Connect Back” Perl script which, when executed, permits the bot’s operator to connect to the affected server\r\nremotely, bypassing typical firewall protections.\r\nI also saw a lot of scripts designed solely to send spam as quickly as possible. One such script, which I nicknamed\r\nMala Direta after a comment embedded in the file (and I was told, after the session ended, means “direct mail” in\r\nPortuguese), gives the spammer the ability to pre-configure the headers and message body of the email message\r\nthat would be spammed, and provide the script with a text file of email addresses to which the script will send the\r\nspam message. It’s an efficient and clever tool, shown (in part) above.\r\nAnother common script type is the Cloner, which takes the shotgun approach to file duplication to the extreme.\r\nIt’s a simple script that attempts to use any file copy command the server is capable of executing to retrieve\r\npayloads from remote servers, or, in worm-like behavior, move duplicates of a malicious script to multiple\r\nlocations on the affected server.\r\nThe third type of script I frequently see is the so-called Remote Shell script. These scripts provide full remote control\r\nfunctionality to the server, at least in the context of the permissions of the process in which the script runs. These\r\nscripts are potentially the most dangerous, because they give a remote attacker halfway around the world the same\r\nlevel of control over the server as an administrator sitting at a keyboard.\r\nOther characteristics of malicious PHP\r\nBecause PHP scripts are, in essence, plain text files, their creators employ a technique of embedding files,\r\npayloads, and even parts of themselves as large blocks of base64-encoded data. This is done not only to frustrate\r\nanalysis but to make it more difficult for file scanners to detect the true contents of the file. In many cases, the\r\nscripts encode payloads using base64, then are themselves encased in another layer of base64 encoding, which\r\nmay be gzdeflated and/or “ROT13”-ed — or in many cases, all three — to further obfuscate the contents.\r\nPerl scripts are also commonly used as payloads; many remote shell scripts include as payloads Perl components\r\nthat can bypass firewalls, change directory permissions, or even act as IRC bots themselves, for mass-control of\r\ninfected server botnets. Several remote shells also embed either Windows .exe files or Linux ELF executables —\r\nor, frequently, both — that perform other tasks, such as clearing log files or stealing passwords.\r\nWhat do we do now?\r\nWe could talk at length about various products or tools you can use to clean up the mess, but in the case of\r\nmalicious PHP, server security is the name of the game. Without exception, compromised FTP credentials were\r\nthe reason the malicious PHP samples that were sent to me by server administrators ended up on the servers where\r\nthey were found.\r\nBest practices include the use of strong FTP and/or SCP passwords, and changing those passwords on a regular,\r\nfrequent basis. If your organization is able, dedicate a single machine for the purposes of handling Web site\r\nmanagement, and don’t use that machine for any other purpose. One attendee of the talk asked if the procedures\r\nrecommended by OWASP are suitable for defense, and I’d agree that their statement of principles aligns with what\r\nI’d consider good security practices in general.\r\nOf course, if you discover these files in place — you might notice a spike in logs indicating a lot of traffic directed\r\nat an odd directory, such as an images folder, or the server making outbound IRC connections to port 6667\r\nsomewhere — just removing them isn’t enough. You’ll need to change any FTP/SFTP/SCP passwords for all users\r\nwith access to the affected server first. Once that’s accomplished, you can go about the task of cleaning up the\r\nmess without having to worry about it all coming back again.\r\nAbout the Author\r\nBlog Staff\r\nThe Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home\r\nor business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s\r\ncyber threats.\r\nSource: https://www.webroot.com/blog/2011/02/22/malicious-php-scripts-on-the-rise/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.webroot.com/blog/2011/02/22/malicious-php-scripts-on-the-rise/"
	],
	"report_names": [
		"malicious-php-scripts-on-the-rise"
	],
	"threat_actors": [],
	"ts_created_at": 1775434493,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0369c3c9e557c50b5cf79b2117abd497d148e574.pdf",
		"text": "https://archive.orkl.eu/0369c3c9e557c50b5cf79b2117abd497d148e574.txt",
		"img": "https://archive.orkl.eu/0369c3c9e557c50b5cf79b2117abd497d148e574.jpg"
	}
}