
Suspicious behaviour: phpRemoteView (RemView)

Started by GlennP, December 20, 2005, 12:32:03 PM


GlennP

Hi,

I have had someone place a file on my server called a.php.rm. When I remove the .rm it seems to be a valid php file - but I don't like the look of it!

The header is:
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
*
*  Welcome to phpRemoteView (RemView)
*
*  View/Edit remove file system:
*  - view index of directory (/var/log - view logs, /tmp - view PHP sessions)
*  - view name, size, owner:group, perms, modify time of files
*  - view html/txt/image/session files
*  - download any file and open on Notepad
*  - create/edit/delete file/dirs
*  - executing any shell commands and any PHP-code
*
*  Free download from http://php.spb.ru/remview/
*  Version 04, 2002-08-24.
*  Please, report bugs...
*
*  This programm for Unix/Windows system.
*
*  (c) Dmitry Borodin, dima@php.spb.ru, http://php.spb.ru
*


Can anyone advise?

Joachim Müller

Has been asked before, please search the board for details: on some improperly configured webservers, files with the extension .rm are being parsed as PHP files. Somebody has indeed been trying to attack your site. No saying if the attack was successful. For now, disable the use of files with the extensions rm and ram in Coppermine's filetypes table, and ask your webhost for support if the vulnerability exists on the server you're hosted on. Delete the suspicious files at once.
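
A defender-side check for the cleanup advice above, as an added example that is not part of the original thread or of Coppermine: it walks an upload directory and flags files that hide a script extension before the final one (like a.php.rm), or that carry a media extension while containing a PHP open tag or the phpRemoteView banner. The directory name `uploads`, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Extensions named in the thread; extend with the other upload types you allow.
MEDIA_EXTS = {".rm", ".ram"}
# Byte markers: PHP open tag, and the banner string from the header quoted above.
MARKERS = {b"<?php": "contains PHP open tag", b"phpRemoteView": "phpRemoteView banner"}
SCRIPT_PARTS = {"php", "phtml", "php3", "php4", "php5"}
READ_LIMIT = 256 * 1024  # only inspect the start of each file

def inspect_file(path):
    """Return a list of reasons why this upload looks like a disguised script."""
    reasons = []
    parts = os.path.basename(path).lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    # "a.php.rm": a script extension hidden before the final one.
    if len(parts) > 2 and SCRIPT_PARTS & set(parts[1:-1]):
        reasons.append("script extension inside file name")
    if ext in MEDIA_EXTS:
        with open(path, "rb") as fh:
            head = fh.read(READ_LIMIT)
        reasons += [why for marker, why in MARKERS.items() if marker in head]
    return reasons

def find_suspicious_uploads(root):
    """Walk the upload tree and return {relative_path: reasons} for flagged files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reasons = inspect_file(full)
            if reasons:
                hits[os.path.relpath(full, root)] = reasons
    return hits

def build_sample_tree(root):
    """Constructed sample data: one disguised script, one harmless media file."""
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "uploads", "a.php.rm"), "wb") as fh:
        fh.write(b"<?php /* Welcome to phpRemoteView (RemView) */ ?>")
    with open(os.path.join(root, "uploads", "clip.rm"), "wb") as fh:
        fh.write(b".RMF\x00\x00\x00\x12 constructed RealMedia-like bytes")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, reasons in find_suspicious_uploads(tmp).items():
            print(path, "->", "; ".join(reasons))
```

A flagged file is only a lead: review it before deleting, and check the web server logs for requests to that path to judge whether it was ever executed.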

GlennP

Thanks - I did search but failed to find anything.