PHP Worm Virus

jack_indigo
Forum Contributor
Posts: 186
Joined: Sun Jun 08, 2008 11:25 pm

PHP Worm Virus

Post by jack_indigo »

A friend from the Netherlands who normally does WordPress stuff sent me the source code to a worm virus that he received. This thing is very dangerous in what damage it could do, or what it could download or do on your website and other parts of the web. Please be on the lookout for a "run.php" file that may or may not be this thing on any of your web hosts. Just thought I'd suggest this to you.

Some parts of the file were:

$curip = $targets[$curtarget][0] + $targetid;
$curip = mylong2ip($curip);
$out = "OPTIONS sip:$curip SIP/2.0\r\n";
$out .= "Via: SIP/2.0/UDP 127.0.1.1:5060;branch=z9hG4bK-3408002827;rport\r\n";
$out .= "Content-Length: 0\r\n";
$out .= "From: \"siplicious\"<sip:100@1.1.1.1>; tag=0101010113c4\r\n";
$out .= "Accept: application/sdp\r\n";
$out .= "To: \"siplicious\"<sip:100@1.1.1.1>\r\n";
$out .= "Contact: sip:None@127.0.1.1:5060\r\n";
$out .= "CSeq: 1 OPTIONS\r\n";
$out .= "Call-ID: 700556890817406150532338\r\n";
$out .= "Max-Forwards: 70\r\n";
$out .= "\r\n";
socket_sendto($sock, $out, strlen($out), 0, $curip, 5060);
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Re: PHP Worm Virus

Post by infolock »

You should report this to the WordPress team...
mpietras
Forum Newbie
Posts: 1
Joined: Mon Jan 12, 2009 8:21 am

Re: PHP Worm Virus

Post by mpietras »

Hey jack_indigo, I have a SIP server that was recently TARGETED by the script you have and I'm trying to determine more about what it does... can you post the entire script? Or at least the section on how it determines what the $targets[] are and the $targetid? Does it send SIP packets other than OPTIONS, e.g. like trying to make a call perhaps? Thanks a bunch.

Here's what I got:

OPTIONS sip:{myserveripaddr} SIP/2.0
Via: SIP/2.0/UDP 127.0.1.1:5060;branch=z9hG4bK-3408002827;rport
Content-Length: 0
From: "siplicious"<sip:100@1.1.1.1>; tag=0101010113c4
Accept: application/sdp
To: "siplicious"<sip:100@1.1.1.1>
Contact: sip:None@127.0.1.1:5060
CSeq: 1 OPTIONS
Call-ID: 700556890817406150532338
Max-Forwards: 70
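
An added example, not part of any post in this thread: a check a SIP server operator could run over received datagrams for the fixed header values visible in the fragment and the capture quoted above, plus the loopback Via address arriving from a remote source. The function names, the target address and the source addresses are constructed for illustration.

```python
import ipaddress
import re

# (header, fixed value) pairs visible in the fragment and capture in this thread.
MARKERS = [
    ("call-id", "700556890817406150532338"), ("via", "z9hG4bK-3408002827"),
    ("from", "0101010113c4"), ("from", "siplicious"),
]

def parse_sip(raw: bytes):
    """Return (method, uri, headers) for a SIP request, or None if malformed."""
    head = raw.decode("utf-8", "replace").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def probe_indicators(raw: bytes, src_ip: str):
    """List the reasons a received datagram matches the quoted probe."""
    parsed = parse_sip(raw)
    if parsed is None:
        return []
    h = parsed[2]
    hits = [f"{n} contains {v}" for n, v in MARKERS if v in h.get(n, "")]
    # A Via sent-by on loopback cannot be true for a packet from a remote host.
    m = re.search(r"SIP/2\.0/UDP\s+(\d+\.\d+\.\d+\.\d+)", h.get("via", ""))
    try:
        remote = not ipaddress.ip_address(src_ip).is_loopback
        if m and remote and ipaddress.ip_address(m.group(1)).is_loopback:
            hits.append("loopback Via from remote source")
    except ValueError:
        pass  # unparsable address: no verdict on this indicator
    return hits

# Constructed sample: the thread's capture with a documentation address as target.
SAMPLE = ("OPTIONS sip:192.0.2.10 SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 127.0.1.1:5060;branch=z9hG4bK-3408002827;rport\r\n"
          'From: "siplicious"<sip:100@1.1.1.1>; tag=0101010113c4\r\n'
          "Call-ID: 700556890817406150532338\r\n\r\n").encode()

if __name__ == "__main__":
    print(probe_indicators(SAMPLE, "203.0.113.7"))
```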
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: PHP Worm Virus

Post by jaoudestudios »

How did it get on the server in the first place? In an update?

And yes, good questions, what damage can it do?