A Dutch web developer has created a rootkit that hides inside a PHP module and can be used to take over web servers via Apache modules. The rootkit is 80 lines of code, and an attacker could easily hide it in legitimate modules. To prevent such attacks, developer Luke Paris has a series of recommendations for server owners. Paris’ test rootkit hooks into the PHP server’s “hash”” and “”sha1″” functions. PHP rootkits are cross-platform
Source: security