  1. #1

    Hacked By C99madshell

    Hi,

    I have a Linux-based server running cPanel/WHM. This morning I found that by doing a site: search in Google on one of the domains there were thousands of pages listed.

    After having a dig around it seems the C99madshell hack was in place on a WordPress-based site. I can't link to the article about it, but here's an excerpt:

    This being a SUSE box, my apache process is running as the 'wwwrun' user. This is an important point. This script is running as the 'wwwrun' user and is therefore able to do anything that user is allowed to do on the box. Given that my PHP Safe Mode is turned off (4th line down) that means it can run processes, view and change files, and all sorts of other things. The script can navigate anywhere the 'wwwrun' user is allowed to go on the system. There's no chroot here, so navigation targets would include the /etc directory, the web server root files (and therefore all the web application source files), all the regular users' home directories, and so on. If the 'wwwrun' user can see the files, so now can the attacker. All with a point and click interface!

    After checking some more domains, it also seems to have appeared on non-WordPress sites, even a static HTML site.

    I have 3 cPanel accounts set up, and all the hacked sites belong to one cPanel account.

    I have little knowledge of Linux, but I'm trying to establish just how deep the hack goes. I'm 100% sure they have MySQL access, but what else could they have access to?

    I'm currently trying to find a new host to move my important sites (the ones that haven't been compromised) away to, but what is the best plan of action here?

    Thanks for your advice

  2. #2
    Join Date
    Jul 2008
    Posts
    468
    The big question is, do you have backups?
    If so, have those backups been compromised also?

  3. #3
    Yes, I have taken copies of the backups from the backup folder. Maybe one every 3 weeks or so.

    I'm just extracting a couple to see if the hack code is present

  4. #4
    Join Date
    Feb 2006
    Location
    ::1/128
    Posts
    247
    Quote Originally Posted by mwoody View Post
    Yes, I have taken copies of the backups from the backup folder. Maybe one every 3 weeks or so.

    I'm just extracting a couple to see if the hack code is present
    Mass search all files for common keywords:
    eval, base64_decode, c99, perl and so on...

    It is common practice to "hide" backdoors in other PHP files, or in PNG or GIF files,
    in other places (subdirectories, template directories etc.).

  5. #5
    Hi,

    Is there an easy way to do that from the command line at all?

    I believe I have removed all traces of it, but you never know!

  6. #6
    Join Date
    Sep 2006
    Location
    Montevideo
    Posts
    82
    You can do something like this (searching `.` rather than `*` so that dot-files such as .htaccess are included):

    cd /path/to/website && grep -rinE '(eval|base64|gzinflate|safe_mode|perl|/bin/sh)' .

    That will check inside all files recursively for keywords used inside shells and malicious
    scripts.

    Besides that, you should look at binary files, and at files that may look similar to the real ones but
    with l33t spelling, like "goog1e1asd09808", trying to pass as other "good" files.

    Also, if your site/server was compromised you should check in your logs how they got into your site, and besides that, increase your server security measures (FW/WAF/etc.).

    I hope it helps.

  7. #7
    Join Date
    Aug 2005
    Location
    behind my screen
    Posts
    402
    hi,

    You should try to find out whether the server has been rooted or not; if it has, an OS reload is needed, as a rooted server cannot be trusted. Also, do you allow any file upload functionality on your website? If so, then this is a possible way they got in: a PHP shell such as c99 (and its variants) can be uploaded as an image... I won't go into details, but it is possible.

    Running a tool like rkhunter could help you in determining whether your server was rooted or not.

  8. #8
    Join Date
    Feb 2010
    Location
    Worldwide
    Posts
    61


    Quote Originally Posted by mwoody View Post
    Hi,
    I have a Linux-based server running cPanel/WHM. This morning I found that by doing a site: search in Google on one of the domains there were thousands of pages listed.
    After checking some more domains, it also seems to have appeared on non-WordPress sites, even a static HTML site.

    I have 3 cPanel accounts set up, and all the hacked sites belong to one cPanel account.

    I have little knowledge of Linux, but I'm trying to establish just how deep the hack goes. I'm 100% sure they have MySQL access, but what else could they have access to?

    I'm currently trying to find a new host to move my important sites (the ones that haven't been compromised) away to, but what is the best plan of action here?

    Thanks for your advice

    Hi,
    I work with clients to clear this type of situation quite often, and the cause is virtually always:
    1. Compromised FTP password
    2. Old WordPress installation or plugin compromised

    You can verify whether the first is the cause by asking your host to provide FTP connection records for the past week or more. If you see IPs you don't recognize uploading files, then you'll have your answer.

    If not, then the next likely reason is an exploitable plugin or an old version of WordPress installed within the website in question.

    The best way to prevent this sort of situation from becoming an emergency is to move to a web host who does a "free daily malware scan" on all websites. Doing so will ensure you are alerted to these hacks the moment or day they occur, so you can react accordingly before the situation gets out of control and/or you lose your Google index position as a result (no fun at all).

    Best Wishes,
    Jim Walker
    The Hack Repair Guy
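The FTP-record check suggested in the reply above is mechanical once you have the log: list every completed upload, drop the addresses you know are yours, and look at what the rest put on the server. The script below is an added example and not part of the thread; it parses the xferlog format written by wu-ftpd, proftpd and pure-ftpd (one record per transfer, whitespace-separated). The log lines, the account name and the allow-list of "known" addresses are constructed for illustration; a host running a different FTP daemon will hand you a different format.

```python
"""Find FTP uploads from unknown addresses in an xferlog.

Added example (not from the thread): implements the check from post #8,
"ask your host for FTP connection records and look for IPs you don't
recognize uploading files". Sample log and allow-list are constructed.
"""
from collections import defaultdict

# Constructed sample: two uploads from the owner's office address, then a
# night-time session from an unknown address dropping PHP and a .htaccess
# into the WordPress tree, followed by a download of what it uploaded.
SAMPLE_XFERLOG = """\
Mon Mar 14 09:01:12 2011 1 198.51.100.7 812 /home/acct/public_html/style.css a _ i r acct ftp 0 * c
Mon Mar 14 09:02:40 2011 1 198.51.100.7 4120 /home/acct/public_html/index.html a _ i r acct ftp 0 * c
Tue Mar 15 03:17:05 2011 2 203.0.113.45 9331 /home/acct/public_html/wp-content/uploads/cache.php b _ i r acct ftp 0 * c
Tue Mar 15 03:17:09 2011 1 203.0.113.45 2210 /home/acct/public_html/wp-includes/.htaccess b _ i r acct ftp 0 * c
Tue Mar 15 03:18:01 2011 1 203.0.113.45 9331 /home/acct/public_html/wp-content/uploads/cache.php b _ o r acct ftp 0 * c
"""

# Assumption for the example: the addresses the site owner actually uses.
KNOWN_IPS = {"198.51.100.7"}

# File types that should never arrive by FTP on a site the owner did not change.
RISKY_SUFFIXES = (".php", ".phtml", ".php5", ".cgi", ".pl", ".sh", ".htaccess")


def parse_xferlog_line(line):
    """Split one xferlog record into a dict; None for blank or malformed lines.

    After the five-token timestamp the fields are: transfer-time, remote-host,
    file-size, filename, transfer-type, special-action-flag, direction
    (i = upload, o = download), access-mode, username, service-name,
    authentication-method, authenticated-user-id, completion-status
    (c = complete, i = incomplete). Filenames containing spaces are not handled.
    """
    parts = line.split()
    if len(parts) < 18:
        return None
    return {
        "time": " ".join(parts[0:5]),
        "ip": parts[6],
        "size": int(parts[7]),
        "path": parts[8],
        "direction": parts[11],
        "user": parts[13],
        "status": parts[17],
    }


def suspicious_uploads(log_text, known_ips):
    """Return {ip: [paths]} for completed uploads from addresses not in known_ips."""
    result = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec is None or rec["direction"] != "i" or rec["status"] != "c":
            continue
        if rec["ip"] not in known_ips:
            result[rec["ip"]].append(rec["path"])
    return dict(result)


def risky_paths(paths):
    """Subset of uploaded paths that are executable or server-config files."""
    return [p for p in paths if p.lower().endswith(RISKY_SUFFIXES)]


if __name__ == "__main__":
    for ip, paths in suspicious_uploads(SAMPLE_XFERLOG, KNOWN_IPS).items():
        print(ip, "uploaded", len(paths), "files;", len(risky_paths(paths)), "risky:")
        for p in risky_paths(paths):
            print("   ", p)
```

Feed it the real log with `suspicious_uploads(open("/var/log/xferlog").read(), KNOWN_IPS)`. If an unknown address shows up uploading PHP or .htaccess files, the FTP password is the way in and changing it (and the cPanel password) comes before any cleanup; if the log is clean, the thread's other lead, an outdated WordPress install or plugin, is the next thing to check.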
