System Compromise: What the Heck is a FeeLCoMz String?

Friday, February 03, 2012

Brent Huston

FeeLCoMz is a string I get a lot of questions about.

People see it, and other strings like it, in their logs, or, if they are unlucky, they run into it like this, in a file in their web directories:

Basically, if this string is present in the file system, the system has been compromised, usually through a PHP remote file inclusion (RFI) vulnerability.

Other strings to check for, if you want to run some basic grep checks against web files, include:

"FaTaLz", "KinCay", "CreWz", "TeaM", "CoMMunity", "AnoNyMous", "Music", "ProGraMMeR", "CyBeRz" and "mIRC"

If you find those strings, they usually indicate other PHP scanners, worms or attack tools have compromised the system.

Now, if you don't find those, it does NOT mean the system is safe: the list of all relevant strings would be too large and dynamic to manage.

Another good string to grep for in web directories, especially in PHP and text files, is the nearly ubiquitous "base64_decode", which is an absolute favorite of PHP bot, shell and malware authors.

Any files you find using that call should be carefully inspected. If you want more information on how PHP RFI attacks and other such issues occur, check out these links
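As an added example (not code from the original post), here is one way to run the grep checks described above in a single sweep: it scans the .php and .txt files under a web root for the listed tags and for base64_decode, printing the file, line number and matching line. It assumes a POSIX shell with find and grep -E; the sample web root it builds is constructed for demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: a grep sweep of a web directory
# for the indicator strings the post lists, plus base64_decode.
# Assumes a POSIX shell, find and grep -E; the sample files are constructed.

# Tags from the post, matched case-sensitively: the odd capitalisation is the
# signature, and plain words like "team" or "music" occur in legitimate pages.
INDICATORS='FeeLCoMz|FaTaLz|KinCay|CreWz|TeaM|CoMMunity|AnoNyMous|Music|ProGraMMeR|CyBeRz|mIRC'

# Print "path:line:content" for every hit in *.php and *.txt under $1.
# /dev/null is passed to grep so the filename is printed even for a single file.
# No hits is a valid (but, as the post says, not conclusive) result, not an error.
scan_webroot() {
    find "$1" -type f \( -name '*.php' -o -name '*.txt' \) \
        -exec grep -En "$INDICATORS|base64_decode" /dev/null {} + 2>/dev/null || true
}

# Number of matching lines: a quick triage figure for a large web root.
count_hits() {
    scan_webroot "$1" | wc -l | tr -d ' '
}

# Constructed sample web root: one clean file, one typical bot drop, one text
# file with a tag, and an image that is not scanned because of its extension.
make_sample_webroot() {
    mkdir -p "$1/uploads"
    printf '<?php echo "hello";\n' > "$1/index.php"
    printf '<?php\n# FeeLCoMz\neval(base64_decode("aGk="));\n' > "$1/uploads/shell.php"
    printf 'joined #channel on mIRC\n' > "$1/uploads/notes.txt"
    printf 'blob with Music inside\n' > "$1/uploads/cover.jpg"
}

# Stand-alone run: build the sample tree, sweep it, clean up.
root=$(mktemp -d)
make_sample_webroot "$root"
scan_webroot "$root"
echo "hits: $(count_hits "$root")"
rm -rf "$root"
```

Every line it prints is a file to open and read by hand; base64_decode in particular has legitimate uses, so the output is a review queue, not a verdict.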

Basically, if you find files carrying the FeeLCoMz tag in your web directories, you have some incident response and investigation work to do. Let us know if we can assist, and stay safe out there.

PS – It’s a good idea to have all PHP applications, even common ones like WordPress and the like, assessed prior to deployment. It might just save you some time, hassle and money!  

Cross-posted from State of Security
