Quote:
Originally Posted by ssri06
What kind of malware is this?
It's a PHP shell. It allows the attacker to upload and download files, enable backdoors, query the database, send e-mail, bounce connections and whatever else as the web server user.
Quote:
Originally Posted by ssri06
How serious
If it's any good and if it's used for a prolonged period of time w/o the server owner knowing and if the host isn't protected well it could allow the attacker to gain access to the system.
Quote:
Originally Posted by ssri06
and how do I remove it?
This file is just a symptom: on removal it may reappear just as easily.
You need to address the cause: find out who uploaded it and how.
- Please tell us when this started.
- Please post output from running 'stat' on the file and in which directory it resides.
- List open files, processes, network connections and users:
Code:
( /usr/sbin/lsof -Pwln 2>&1; /bin/ps acxfwwwe 2>&1; /bin/netstat -anpe 2>&1; /usr/bin/lastlog 2>&1; /usr/bin/last 2>&1; /usr/bin/who -a 2>&1; ) > /path/to/log.txt
- Check your web server's logs for anomalies:
Code:
logwatch.pl --numeric --detail 5 --service all --range All --archives --print >> /path/to/logwatch.txt 2>&1
- Post anything else worth remarking on, including OS, distribution, release, and the software that runs in your web stack (that is: on top of the web server, database and interpreted languages) like bulletin board, web log, shopping cart, statistics or web-based management panel software.
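As an added example (not from the original post), a small POSIX shell helper for the "find out who uploaded it and how" step: it pulls every request to the suspected shell's URI out of a combined-format access log, giving the first time it was hit and the client addresses that used it. The log lines and the path `/uploads/img.php` are constructed placeholders.

```shell
#!/bin/sh
# Triage helper for a suspected PHP shell (hypothetical, added example).
# Input: a combined-format access log on stdin, the shell's URI path as $1.

# Constructed sample log; the shell sits at /uploads/img.php (placeholder).
SAMPLE_LOG='203.0.113.5 - - [10/Mar/2010:02:14:07 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2010:02:15:33 +0000] "POST /uploads/img.php HTTP/1.1" 200 9100 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Mar/2010:02:16:01 +0000] "GET /about.php HTTP/1.1" 200 800 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2010:02:20:45 +0000] "GET /uploads/img.php?act=ls HTTP/1.1" 200 2200 "-" "Mozilla/4.0"
192.0.2.9 - - [10/Mar/2010:03:01:12 +0000] "GET /uploads/img.php HTTP/1.1" 200 2100 "-" "curl/7.19"'

# Every hit on the shell: client IP, timestamp, method and URI.
# In combined format $7 is the request URI; the query string is stripped
# before comparing so "img.php?act=ls" still matches.
shell_hits() {
    awk -v p="$1" '
        { uri = $7; sub(/\?.*/, "", uri) }
        uri == p { print $1, $4, $6, $7 }
    '
}

# Number of requests that reached the shell.
shell_hit_count() {
    shell_hits "$1" | wc -l | tr -d ' '
}

# Distinct client addresses that used the shell, sorted, one per line.
shell_clients() {
    shell_hits "$1" | awk '{ print $1 }' | sort -u
}

# Timestamp of the earliest request: an upper bound on when it was planted,
# so the upload itself should be looked for in the log before this point.
first_hit_time() {
    shell_hits "$1" | head -n 1 | awk '{ print $2 }' | tr -d '['
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | shell_hits /uploads/img.php
printf 'first hit: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | first_hit_time /uploads/img.php)"
```

On a real host, replace the sample with `cat /var/log/apache2/access.log* | shell_clients /path/of/shell.php` (log location and URI path are yours to fill in) and cross-check the resulting addresses against the `netstat`/`last` output collected above.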