security breach

hello -

this morning i was alerted to a couple of rogue php scripts that mysteriously showed up in two places.

has anybody else seen a script called "n1.php" show up somewhere?

also, is there any source where i can "post" the script for further examination? i will see if ClamAV has something like that, but maybe i should post in other places as well.

i am tempted to create a temporary vps and try running the script & see what it does. i am too lazy to dissect the code.

EDIT:
i looked in all my logs for any reference to "n1.php" and blocked all those IP addresses. also removed n1.php of course.
 
it's now in my /home/mark/ directory (n1.php.gz) and also attached (please first rename .zip to .gz)
 

Attachments

  • n1.php.zip
    2.7 KB · Views: 13
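The log search described in the EDIT above, as an added example that is not part of the original post: it lists every client that requested the script, separates requests that were served (2xx) from probes that got an error, and shows what else those clients requested, which is where to look for how the file was written. It assumes the combined access log format; the function names, the log lines and the `/contact.php` path are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: triage an access log for requests to a dropped script.
# Assumes combined log format ($1=client, $7=path, $9=status).

# Per client: "ip total_hits hits_answered_2xx" for requests to NAME.
script_hits() {  # usage: script_hits LOGFILE NAME
  awk -v name="$2" '
    { p = $7; sub(/\?.*/, "", p); n = split(p, seg, "/") }
    seg[n] == name { total[$1]++; if ($9 ~ /^2/) ok[$1]++ }
    END { for (ip in total) print ip, total[ip], ok[ip] + 0 }
  ' "$1" | sort
}

# Every other request made by those same clients (two passes over the
# file): candidates for the request that put the script on disk.
related_requests() {  # usage: related_requests LOGFILE NAME
  awk -v name="$2" '
    NR == FNR { p = $7; sub(/\?.*/, "", p); n = split(p, seg, "/")
                if (seg[n] == name) seen[$1] = 1; next }
    ($1 in seen) { p = $7; sub(/\?.*/, "", p); n = split(p, seg, "/")
                   if (seg[n] != name) print $1, substr($4, 2), substr($6, 2), $7, $9 }
  ' "$1" "$1"
}

# Constructed sample log (documentation IP ranges, hypothetical paths).
sample_log() {
cat <<'EOF'
198.51.100.7 - - [10/Mar/2024:06:11:58 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2024:06:12:01 +0000] "GET /files/n1.php?x=1 HTTP/1.1" 200 87 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2024:07:40:13 +0000] "GET /n1.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:08:02:30 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:08:15:00 +0000] "POST /files/n1.php HTTP/1.1" 200 20 "-" "curl/8.0"
EOF
}

log=$(mktemp); sample_log > "$log"
script_hits "$log" n1.php        # who asked for the script, and was it served
related_requests "$log" n1.php   # what else those clients did
rm -f "$log"
```

`related_requests` reads the log twice, so it needs a regular file: decompress rotated `.gz` logs to a temporary file first rather than piping them in.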