Suspicious behaviour: phpRemoteView (RemView) Suspicious behaviour: phpRemoteView (RemView)
 

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Main Menu

Suspicious behaviour: phpRemoteView (RemView)

Started by GlennP, December 20, 2005, 12:32:03 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

GlennP

Hi,

I have had someone place a file on my server called a.php.rm. When I remove the .rm it seems to be a valid php file - but I don't like the look of it!

The header is:
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
*
*  Welcome to phpRemoteView (RemView)
*
*  View/Edit remove file system:
*  - view index of directory (/var/log - view logs, /tmp - view PHP sessions)
*  - view name, size, owner:group, perms, modify time of files
*  - view html/txt/image/session files
*  - download any file and open on Notepad
*  - create/edit/delete file/dirs
*  - executing any shell commands and any PHP-code
*
*  Free download from http://php.spb.ru/remview/
*  Version 04, 2002-08-24.
*  Please, report bugs...
*
*  This programm for Unix/Windows system.
*
*  (c) Dmitry Borodin, dima@php.spb.ru, http://php.spb.ru
*


Can anyone advise?

Joachim Müller

has been asked before, please search the board for details: on some improperly configured webservers, files with the extension .rm are being parsed as php files. Somebody has indeed beeen trying to attack your site. No saying if the attack was successful. For now, disable the use of files with the extension rm and ram in coppermine's filetypes table, and ask your webhost for support if the vulnerability exists on the server you're hosted on. Delete the suspicious files at once.

GlennP

Thanks - I did search but failed to find anything.