FeeLCoMz is a string I often get a lot of questions about.
Basically, people see it and other strings in their logs, or if they are unlucky, they run into it like this, in a file in their web directories:
Other strings to check for, if you feel you want to run some basic grep checks against web files, include:
“ProGraMMeR”,”CyBeRz” and ”mIRC”
If you find those strings, they usually indicate other PHP scanners, worms or attack tools have compromised the system.
Now, if you don’t find those, it does NOT mean the system is safe, the list of all of those relevant strings would be too large and dynamic to manage.
Another good grep check to parse files for in web directories, especially PHP and text files, if the nearly ubiquitous, “base64_decode“, which is an absolute favorite of PHP bot, shell and malware authors.
Any files you find using that call should be carefully inspected. If you want to find more information on how PHP RFI attacks and other such issues occur, check out these links
Basically, if you find files with the FeeLCoMz tag in it in the web directories, you have some incident response and investigation work to do. Let us know if we can assist, and stay safe out there.
PS – It’s a good idea to have all PHP applications, even common ones like WordPress and the like, assessed prior to deployment. It might just save you some time, hassle and money!
Cross-posted from State of Security