and generally in the /system/helper/ directory. In a couple of sites it looks as though it made it onto the server by way of user upload.
Navigating to the page, the title bar says "Daniel Kerr" and it appears to attempt emailing the password to firstname.lastname@example.org. Presumably this is just some idiot attempting to implicate Daniel. I found no evidence of server compromise, but it's really hard to say. If anyone wants to study this and offer some feedback on what it might have done or where it came from, that would be helpful.
The original file comes in the form of a base64 encoded string which gets decoded and executed by eval(). Below I've attempted to attach the original code, but it's being blocked.
Can one of the mods please assist in the attachment so we can make this public?
I'd encourage all of you to check your servers' "helper" and "download" directories for this malware. You can probably find it regardless of name by going to your docroot in a shell and running:
Code:
grep -Rl 'eval(base64_decode($a))' .
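A defender-side scanner, added here as an example and not code from the original post, that walks a docroot for the eval(base64_decode(...)) pattern described above and decodes literal payloads (including nested layers) for inspection without ever executing them. The file names and payload in build_constructed_sample() are constructed for demonstration.

```python
import base64
import os
import re
import tempfile

# Literal form eval(base64_decode('...')) whose payload we can decode for review;
# ANY_RE also catches the variable form eval(base64_decode($a)) from the grep above.
LITERAL_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]")
ANY_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(")


def decode_layers(payload: str, max_layers: int = 5) -> str:
    """Base64-decode, repeating while the result is itself another eval(base64_decode('...'))."""
    text = payload
    for _ in range(max_layers):
        try:
            text = base64.b64decode("".join(text.split()), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            break
        inner = LITERAL_RE.search(text)
        if not inner:
            break
        text = inner.group(1)
    return text


def scan_docroot(root: str):
    """Return (relative path, decoded preview) for every PHP-like file matching the pattern."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            if not ANY_RE.search(src):
                continue
            m = LITERAL_RE.search(src)
            preview = decode_layers(m.group(1))[:120] if m else "(payload is not a literal; inspect manually)"
            hits.append((os.path.relpath(path, root), preview))
    return hits


def build_constructed_sample() -> str:
    """Constructed docroot: one clean file and one two-layer eval(base64_decode()) file (benign payload)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "system", "helper"))
    inner = base64.b64encode(b"echo 'constructed sample';").decode()
    outer = base64.b64encode(f"eval(base64_decode('{inner}'));".encode()).decode()
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'clean'; ?>")
    with open(os.path.join(root, "system", "helper", "cache.php"), "w") as fh:
        fh.write(f"<?php eval(base64_decode('{outer}')); ?>")
    return root
```

Run scan_docroot() against a real docroot to list suspect files with a decoded preview of what each would have run.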