Here Avast is one of the few to detect!

p(nil): PHP.Flooder.A ARIN US ipabusereport2 at liquidnetlimited dot com 162.210.101.98 to 162.210.101.98 50webs dot com htxp://belakshell.50webs.com/function.php?act=phptools
See: https://www.virustotal.com/nl/url/2ff244e5489a1e4857ef08411d961f8eb92e67cacd80cfdb5e08040c5f874cce/analysis/1438703264/
and Avast detects: https://www.virustotal.com/nl/file/2e45374a6122e9c704e8fbac128b0b3eb3c379f42dede03f302f9363c89c6439/analysis/1373880838/ as PHP:Flooder-A [Trj], only one of four to detect :)

polonus

That file scan is old. Analysis date: 2013-07-15 09:33:58 UTC (2 years ago)

However, a fresh scan: 2015-08-04 16:06:25 UTC (0 minutes ago)
https://www.virustotal.com/en/file/2e45374a6122e9c704e8fbac128b0b3eb3c379f42dede03f302f9363c89c6439/analysis/1438704385/

Strange, it is still there after 2 years … and the only change is detection from two AV engines

Norman/BlueCoat confirms detection and added as function.php > Flooder.FD

Hi Pondus,

Protection for websites against this can be found by using a token to validate the source of the flooding coming from that origin and not a malicious attacker. It is important to invalidate the valid token once it has been used; how this is done can be read here (all info credits go there, of course): http://stackoverflow.com/questions/3026640/quick-and-easy-flood-protection
See: http://v.virscan.org/PHP/Flooder.Agent.NAA%20virus.html
Also read what Tony Perez has to say here: https://blog.sucuri.net/2011/10/remove-unsused-testing-debug-software-from-your-site.html

The PHP “base64_decode” function is more popular in attacks, because it allows the hacker to encrypt malicious coding statements. The “base64_decode” function decrypts the code upon execution, so it is only seen when the code is opened in a web browser. This PHP function is typically used to include hidden links to malicious websites. Usually, the hacker places the malicious code several lines below the main content, so the webmaster misses the statements. Make sure you scroll all the way to the bottom to find the malicious statements. The following code is a random example of a PHP hack you can find on hacked web pages:

eval(base64_decode($_SERVER57F))%32%5E|.+)

All of the code after the “_SERVER” statement is encrypted code. In this instance, you must delete the entire line of code to remove the hack.

Quote taken from the SiteLock WordPress Blog.

polonus
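
A scanner for the hidden eval(base64_decode(...)) lines described in the post above, as an added example that is not part of the original thread or the quoted blog. The decoder list, the name scan_php and the sample page are assumptions constructed for illustration; literal payloads are decoded for review only and never executed.

```python
import base64
import re

DECODERS = r"(?:base64_decode|gzinflate|gzuncompress|str_rot13)"
# eval/assert wrapped directly around one or more decoder calls.
PATTERN = re.compile(
    r"\b(?:eval|assert)\s*\(\s*(?P<chain>(?:" + DECODERS + r"\s*\(\s*)+)(?P<arg>[^)]*)",
    re.IGNORECASE,
)
LITERAL = re.compile(r"""^\s*(['"])([A-Za-z0-9+/=\s]+)\1""")


def scan_php(source):
    """Return a finding for every eval(<decoder>(...)) call in PHP source text."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        for match in PATTERN.finditer(line):
            chain = [n.lower() for n in re.findall(DECODERS, match.group("chain"), re.I)]
            arg = match.group("arg")
            literal = LITERAL.match(arg)
            preview = None
            if literal:
                kind = "literal"
                if chain == ["base64_decode"]:
                    try:  # decode for review only; nothing is executed
                        preview = base64.b64decode(literal.group(2)).decode("utf-8", "replace")
                    except ValueError:
                        pass
            elif arg.lstrip().startswith("$_"):
                kind = "superglobal"  # payload arrives with the request
            else:
                kind = "other"
            findings.append({"line": number, "column": match.start() + 1,
                             "chain": chain, "kind": kind, "preview": preview})
    return findings


# Constructed sample: visible content first, hidden code far below and far right.
PAYLOAD = base64.b64encode(b'echo "hidden link";').decode()
SAMPLE = (
    '<?php echo "Welcome"; ?>\n<html><body>page content</body></html>\n'
    + "\n" * 40
    + " " * 200 + '<?php eval(base64_decode("' + PAYLOAD + '")); ?>\n'
    + '<?php @eval(gzinflate(base64_decode($_SERVER["HTTP_X"]))); ?>\n'
    + '<?php $img = base64_decode($row["thumb"]); ?>\n'
)

if __name__ == "__main__":
    for finding in scan_php(SAMPLE):
        print(finding)
```

The line and column in each finding show how far below and to the right of the visible content the statement sits; a plain base64_decode() call without eval, like the last sample line, is not reported.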