If you are running a website and are using PHP FileManager, you can be quite certain that your web server has been compromised. The reason is that PHP FileManager, sold by Revivedwire, has had a backdoor since 2010, along with several other critical security vulnerabilities. Revivedwire was informed a long time ago, but until recently it still sold PHP FileManager together with the backdoor and the vulnerabilities. Can that be right?
I said “quite certain” because PHP FileManager installations can easily be found using Google (you don’t even need Morpheus or Shodan). As already disclosed, the backdoor username is simply ****__DO_NOT_REMOVE_THIS_ENTRY__**** and the md5 hash stored for this username is da26c70fc120d803e24bff0c5e5f6bdd. A quick Google search for this hash reveals that the password behind it is travan44.
Using these credentials, additional users can be created with full admin rights, and files can be uploaded and executed remotely, so an attacker can not only download sensitive files but also gain full access to a web server within seconds.
There are ways to remove this backdoor from an existing installation, but because PHP FileManager contains so many additional critical and easy-to-use security vulnerabilities, the only recommendation I can give is to get rid of it completely.
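Whether you remove the backdoor or remove the product, the first step is finding every copy of the account. The following scanner is an added example written for this post; it is not PHP FileManager's code and not the original author's. It walks a web root and reports every file and line that contains either indicator quoted above (the backdoor username or its md5 hash). It makes no assumption about how PHP FileManager stores its user list: every regular file under the root is read as text, so a renamed or copied install is caught too. The sample "install" it builds for the demonstration is constructed, and its file names and line formats are made up.

```python
"""Scan a web root for the hard-coded PHP FileManager backdoor account.

Added example, not part of the original post or of PHP FileManager itself.
The indicators are the username and md5 hash quoted in the post; the file
layout of a real install is NOT assumed, every regular file is searched.
"""
import sys
import tempfile
from pathlib import Path

# Indicators of compromise taken from the post.
BACKDOOR_USERNAME = "****__DO_NOT_REMOVE_THIS_ENTRY__****"
BACKDOOR_MD5 = "da26c70fc120d803e24bff0c5e5f6bdd"
INDICATORS = {"backdoor-username": BACKDOOR_USERNAME, "backdoor-md5": BACKDOOR_MD5}

MAX_FILE_BYTES = 8 * 1024 * 1024  # skip large binaries (uploads, archives)


def scan_file(path):
    """Return [(line_number, indicator_name)] for every indicator hit in one file."""
    hits = []
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return hits  # unreadable file: nothing to report, but do not abort the scan
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, needle in INDICATORS.items():
            if needle in line:
                hits.append((lineno, name))
    return hits


def scan_tree(root):
    """Walk `root` and return {relative_posix_path: [(line, indicator), ...]} for files with hits."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > MAX_FILE_BYTES:
            continue
        hits = scan_file(path)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_install(base):
    """Create a CONSTRUCTED mini web root: one clean file, one carrying the backdoor entry.

    File names and line formats are invented for the demo; they do not
    reproduce PHP FileManager's real files.
    """
    base = Path(base)
    (base / "fm").mkdir(parents=True, exist_ok=True)
    (base / "fm" / "index.php").write_text("<?php echo 'hello'; ?>\n", encoding="utf-8")
    (base / "fm" / "users.php").write_text(
        "<?php\n"
        "$users = array(\n"
        "  'alice' => '0123456789abcdef0123456789abcdef',\n"  # constructed placeholder hash
        f"  '{BACKDOOR_USERNAME}' => '{BACKDOOR_MD5}',\n"
        ");\n",
        encoding="utf-8",
    )
    return base


def demo():
    """Build the constructed sample install in a temp dir and scan it."""
    return scan_tree(build_sample_install(tempfile.mkdtemp()))


if __name__ == "__main__":
    # Usage: python scan_fm_backdoor.py /var/www   (no argument: scan the constructed sample)
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_install(tempfile.mkdtemp())
    findings = scan_tree(root)
    if not findings:
        print(f"no backdoor indicators found under {root}")
    for rel, hits in findings.items():
        for lineno, name in hits:
            print(f"{rel}:{lineno}: {name}")
    sys.exit(1 if findings else 0)
```

Run it against the document root of every vhost, not just the directory you think PHP FileManager lives in; a hit on the hash without the username (or vice versa) still deserves a look, since an attacker who already used the account may have edited the file. A non-zero exit status makes the scan easy to wire into a cron job or a deployment check.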
Don’t trust the evil!