PHP Virus Attacking Web Hosts

Symantec have a report of the virus here.

I’ve yet to see any of the PHP news sites picking up on it but, using a virtual host account, managed to deliberately expose some PHP scripts to it.

From examining the infected scripts, what’s disturbing is once infected, every time a script is executed, the virus goes on a hunt for other web sites using PHP to see if it can trick them into executing the virus, thereby spreading it further directly over the Internet. Although the spread it likely to be slow, it can takes place automatically, without your intervention!

If your site contains code like;

// index.php
include $_GET['page'];

You need to take action now – your site could be infected with a URL like;

A simple way to validate is;

$pages = array('news','articles','blog');
if ( in_array($_GET['page'], $pages) ) {
    include $_GET['php'] . '.php';
} else {
    include 'home.php';

Sitepoint have taken the extreme but necessary approach of upgrading to .NET in response.