
Hello! My Avira just detected an infection with PHP/WebShell.A.1. It resides in
C:\Users\Default.Default-PC\AppData\Local\Google\Chrome\User Data\Default\Cache\ and it's called "f_004140".

I don't run any web-server on my computer whatsoever so I have no idea how I got it in here.
Anyways, here's the "source" of the file.
http://pastebin.com/cVzAuS0n
https://mega.co.nz/#!gIJFiCZL!JuTagzrj8TI8nMkDZHPD-SRwu8UYs6Z_blMjkEl-aDE
^ The link to the file itself.

(Scroll down to Raw Paste data). The extension is .file.

I used to run WAMP on my computer but I uninstalled it some time ago.

Any ideas on how to proceed for disinfection from now on? Cheers.

Edited by iwavetostars


It means you got this virus from a website you visited with Google Chrome. In this case the PHP script is embedded in a JPEG file; if you open it with a hex editor you will see the code. In this case just empty the cache: this kind of "virus" runs on the web server and gets executed when the client opens the file only if the file can be handled by the PHP engine.

If you can, try to understand which website was the source and send a report to the owner.

P.S. I tried the script, it's the WSO 2.5 shell.

Edited by cereal
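As an added illustration of the polyglot the reply above describes (a JPEG carrying a PHP web shell that ended up in the browser cache), and not code from either poster: a small Python triage script that flags files in a directory such as the Chrome cache which start with the JPEG marker yet contain a PHP open tag. The sample bytes below are constructed, not the real file from the thread.

```python
import os
import re

# A file that starts with the JPEG SOI marker but also carries a PHP open tag is an
# image/PHP polyglot: harmless to a browser, executable if a server hands it to PHP.
JPEG_SOI = b"\xff\xd8\xff"
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# Calls common in web shells; hits are context for the analyst, not proof by themselves.
SUSPICIOUS_CALLS = (b"eval(", b"base64_decode(", b"system(", b"shell_exec(", b"passthru(")


def scan_bytes(data: bytes) -> dict:
    """Return the indicators found in one file's raw bytes."""
    tag = PHP_TAG_RE.search(data)
    return {
        "looks_like_jpeg": data.startswith(JPEG_SOI),
        "php_tag_offset": tag.start() if tag else None,
        "suspicious_calls": sorted({c.decode() for c in SUSPICIOUS_CALLS if c in data}),
    }


def classify(data: bytes) -> str:
    """Verdict for one file: 'clean', 'php code', or 'image/php polyglot'."""
    result = scan_bytes(data)
    if result["php_tag_offset"] is None:
        return "clean"
    if result["looks_like_jpeg"]:
        return "image/php polyglot"
    return "php code"


def scan_directory(root: str) -> list:
    """Walk a directory (for example the Chrome cache) and list flagged files."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    verdict = classify(fh.read())
            except OSError:
                continue  # unreadable or locked cache entry; skip it
            if verdict != "clean":
                hits.append((path, verdict))
    return hits


# Constructed samples: a minimal JPEG header and the same header with PHP appended.
CLEAN_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 64
POLYGLOT = CLEAN_JPEG + b'<?php eval(base64_decode($x)); ?>'
```

Run `scan_directory()` against a copy of the cache folder rather than the live one so Chrome's open file handles do not hide entries.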
