PHP, Ubuntu, Ubuntu Server Tricks, Web Programming|November 4, 2011 10:31 pm


Another MIME of PHPRemoteview

Checking around, there were still traces of this damn PHPRemoteview going around my server, but thank God, not anymore.

I found a piece of code with a very evil eval, starting with:

    eval(gzinflate(base64_decode('7b3retu2sjD8e+/n2feAsGoiNTrZSdrGjp

Thanks to the guys at http://www.tareeinternet.com/scripts/decrypt.php, I figured out the evilness: the code is none other than our dear PHPRemoteview, but modified.
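The decoding the post delegates to an online decrypt.php can be done locally, which matters for two reasons: you never execute the attacker's code (an online "decoder" that simply runs the eval chain is one option too many), and you do not hand a live dropper, with whatever callback addresses or stolen paths it embeds, to a third-party site. Below is an added example, not code from the original post, that statically peels `eval(gzinflate(base64_decode('...')))` layers with Python's zlib, handling the stacked wrappers these shells usually use (gzinflate, gzuncompress, base64_decode, str_rot13) and nesting. The sample payload is constructed here from a harmless marker; it is not the real one from the server.

```python
"""Peel eval(gzinflate(base64_decode('...'))) layers off a PHP file offline.

Added example, not code from the original post.  Supports the decoder
functions these shells usually stack: gzinflate (raw DEFLATE), gzuncompress
(zlib stream), base64_decode and str_rot13.  Nothing is executed; an unknown
wrapper simply stops the loop so you can see what is left.
"""
import base64
import re
import zlib

DECODERS = ("gzinflate", "gzuncompress", "base64_decode", "str_rot13")
NAME_RE = re.compile("|".join(DECODERS))

# One layer: eval( f1( f2( 'literal' ) ) );  group(1) holds the wrapper chain
# outermost-first, group(2) the single-quoted literal.
LAYER_RE = re.compile(
    r"eval\s*\(\s*((?:(?:" + "|".join(DECODERS) + r")\s*\(\s*)+)"
    r"'((?:[^'\\]|\\.)*)'\s*\)+\s*;?"
)

# Byte-level rot13 so we never have to guess the payload's text encoding.
ROT13 = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    b"NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)


def php_base64_decode(data: bytes) -> bytes:
    """PHP's base64_decode ignores bytes outside the alphabet; mimic that."""
    clean = re.sub(rb"[^A-Za-z0-9+/]", b"", data)
    return base64.b64decode(clean + b"=" * (-len(clean) % 4))


def apply(name: str, data: bytes) -> bytes:
    """Run one PHP decoder function over the payload."""
    if name == "base64_decode":
        return php_base64_decode(data)
    if name == "gzinflate":      # raw DEFLATE, no zlib/gzip header
        return zlib.decompress(data, -15)
    if name == "gzuncompress":   # zlib-wrapped stream
        return zlib.decompress(data)
    if name == "str_rot13":
        return data.translate(ROT13)
    raise ValueError(f"unsupported decoder {name}")


def peel(code: bytes, max_layers: int = 32):
    """Return (decoded_code, layers_removed).

    Each pass replaces the outermost eval(...) call in place with what PHP
    would have executed, so the surrounding file content is preserved.
    latin-1 maps bytes 1:1, which keeps match offsets valid and tolerates
    arbitrary binary inside the payload.
    """
    text = code.decode("latin-1")
    layers = 0
    while layers < max_layers:
        m = LAYER_RE.search(text)
        if not m:
            break
        chain = NAME_RE.findall(m.group(1))
        payload = m.group(2).encode("latin-1")
        try:
            for fn in reversed(chain):        # innermost call runs first in PHP
                payload = apply(fn, payload)
        except (zlib.error, ValueError):      # corrupt layer: stop, keep what we have
            break
        text = text[: m.start()] + payload.decode("latin-1") + text[m.end():]
        layers += 1
    return text.encode("latin-1"), layers


def raw_deflate(data: bytes) -> bytes:
    """Produce what PHP's gzdeflate() emits (raw DEFLATE), for the sample below."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


# Constructed sample (not the real payload): a harmless marker wrapped the way
# the post's file was, then wrapped once more with str_rot13 to show nesting.
INNER = b"$marker = 'decoded-ok'; echo $marker;"
LAYER1 = b"eval(gzinflate(base64_decode('" + base64.b64encode(raw_deflate(INNER)) + b"')));"
SAMPLE = (b"<?php eval(str_rot13(base64_decode('"
          + base64.b64encode(LAYER1.translate(ROT13)) + b"'))); ?>")

if __name__ == "__main__":
    decoded, n = peel(SAMPLE)
    print(f"removed {n} layer(s):")
    print(decoded.decode("latin-1"))
```

Run it against a real file with `peel(open("wp-feeds-file.php", "rb").read())`; if the loop stops early, whatever is left is either the shell itself or a wrapper this script does not know, and either way you can read it without having run it.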

Look for files such as wp-feeds-file.php containing this kind of evil eval and delete them. Also ensure 0755 permissions on your directories and 0644 on your files (a directory needs the execute bit to be traversed, so 0644 on a folder breaks the site instead of protecting it), and for the sake of God, UPDATE YOUR TIMTHUMB.PHP LIBRARY!!!!

Now, some characteristics of this evil eval.

The first impression I got is that this program intends to hijack your MySQL root user. So be careful: always set a strong password for MySQL root, and avoid at all costs any MySQL user without a password:

Be careful, it may hijack your MySQL databases if you are not careful enough...

This malware PHP script is capable of many things once it takes control of your site. For example, it can run kernel attacks, decrypt WinNT passwords and look over all your Apache configuration:

Be prepared for a long night; these guys are getting serious about your server...

If you are not careful enough, they will even grab your server passwords...

My second and final impression is that this mime of PHPRemoteview can crawl all your directories and files under www-data. Once it is infected, there is nothing you can do to stop it.

The program also lets the hacker run bash commands to find out things such as running processes, open ports, OS version, and so on...

The hacker will be able to run bash commands if your permissions are not well set up...

If you feel paranoid about your security, lock your permissions down: 0755 on directories and 0644 on files is as restrictive as a working PHP site allows (644 on a folder removes the execute bit, so nothing can even be traversed into it). Keep in mind that file modes only limit what other users can touch; a shell that already runs as www-data reads everything www-data can read, so permissions are a fence, not a cure. Of course, permission tweaks need to be revisited regularly, but at least they protect you in a very restrictive way.
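The hunt described above (files like wp-feeds-file.php wrapped in an eval chain, an outdated timthumb.php) and the permission advice here come down to one walk over the web root, so both are served by a single added example below. It is not code from the original post. `scan()` flags PHP files that open an `eval(gzinflate|gzuncompress|base64_decode|str_rot13(` chain, records every path whose mode is not 0755 (directory) or 0644 (file), and reports the version string any timthumb.php declares so you can compare it with the current release; `fix_perms()` is kept separate and is never called by the scanner, because the report needs a human look first. The sample tree, including the timthumb version string in it, is constructed in a temp dir purely so the example runs offline; in real use point `scan()` at /var/www. The eval pattern is a heuristic: a shell that reaches eval through a variable function name or a different wrapper will not match, so treat an empty `suspect` list as "nothing obvious", not "clean".

```python
"""Hunt eval-wrapped PHP droppers and audit file modes under a web root.

Added example, not code from the original post.  Builds a constructed
WordPress-like tree in a temp dir so it runs offline.
"""
import os
import re
import stat
import tempfile

# Start of an eval-wrapped layer as seen in the post (and its common siblings).
EVAL_RE = re.compile(
    rb"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", re.I)
# TimThumb declares its release near the top of the file: define ('VERSION', '...');
VERSION_RE = re.compile(rb"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]")

DIR_MODE, FILE_MODE = 0o755, 0o644
PHP_EXT = (".php", ".phtml", ".php5", ".inc")


def scan(root):
    """Return {'suspect': [...], 'bad_perms': [...], 'timthumb': {path: version}}."""
    report = {"suspect": [], "bad_perms": [], "timthumb": {}}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if stat.S_IMODE(os.lstat(path).st_mode) != DIR_MODE:
                report["bad_perms"].append(path)
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):      # skip symlinks, sockets, ...
                continue
            if stat.S_IMODE(st.st_mode) != FILE_MODE:
                report["bad_perms"].append(path)
            if not name.lower().endswith(PHP_EXT):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            if EVAL_RE.search(data):
                report["suspect"].append(path)
            if name.lower() == "timthumb.php":
                m = VERSION_RE.search(data)
                report["timthumb"][path] = (
                    m.group(1).decode("ascii", "replace") if m else "unknown")
    return report


def fix_perms(paths):
    """Reset the listed paths to 0755 (dirs) / 0644 (files).

    Run only after reviewing the report, and check ownership too: 0755 on
    wp-content/uploads only keeps uploads working if the web user owns it.
    """
    for path in paths:
        os.chmod(path, DIR_MODE if os.path.isdir(path) else FILE_MODE)


def build_sample_tree():
    """Constructed tree: one clean file, a dropper named like the post's
    wp-feeds-file.php, a timthumb.php with a made-up version string, a
    non-PHP file, and a world-writable uploads directory."""
    root = tempfile.mkdtemp(prefix="wwwroot-")
    files = {
        "index.php": b"<?php define('WP_USE_THEMES', true); require './wp-blog-header.php';",
        "wp-feeds-file.php": b"<?php eval(gzinflate(base64_decode('7b3retu2sjD8e')));",
        "wp-content/uploads/timthumb.php": b"<?php\ndefine ('VERSION', '1.33');  // constructed\n",
        "wp-content/uploads/readme.txt": b"plain text, never handed to PHP",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    for dirpath, dirnames, filenames in os.walk(root):   # clean baseline first
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), DIR_MODE)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), FILE_MODE)
    os.chmod(os.path.join(root, "wp-feeds-file.php"), 0o777)      # dropper left 777
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)  # the classic mistake
    return root


if __name__ == "__main__":
    report = scan(build_sample_tree())
    for key, value in report.items():
        print(f"{key}: {value}")
```

The equivalent one-off hunt at the prompt is `grep -rlE "eval\s*\(\s*(gzinflate|gzuncompress|base64_decode|str_rot13)" /var/www`, but a script that also checks modes and the timthumb version is what you want to re-run every night until you are sure the server is clean.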

Also, thanks to unkn0wn_h4ck3r[@]yahoo.com, who made my nights longer for the last two weeks. I'm sure I learned something from this experience.
