Hello, welcome to the Monday, July 22nd, 2019 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich.

And today, I'm recording from Jacksonville, Florida.

This weekend, Xavier presented a new version of an old favorite, PHP malware.

With PHP being installed on many Linux systems and also some Windows systems and vulnerable

PHP sites, of course, being a common issue in exposed web servers.

PHP has never really gone away as a platform to create malware,

in particular to attack these types of servers.

But the malware found typically isn't as exciting as new malware families written in

PowerShell and JavaScript and well, maybe even Python.

Xavier found this example on Pastebin.

The example he found has a couple of interesting features.

It appears to be targeting WordPress sites.

So again, there is your PHP link and not only has a blacklist

of IP addresses, it won't attack because, for example, they appear to be owned by security

companies. That's something you see very often in malware, but it also checks Google's safe

browsing API to make sure it doesn't bother

to infect a site that is already blacklisted.

This is likely a very common problem for this type of malware because, but here these

word press scans, they're ubiquitous, it's by far the top sort of scan. I'm seen against

the web servers. So if someone comes across a vulnerable web server, well, there's a good chance

it already has been infected and as a result may already be blacklisted. And by the way, talking about web application vulnerabilities,

...