Thread: Hacked By C99madshell
-
06-02-2011, 07:31 AM #1 Newbie
Join Date: Mar 2010, Posts: 6
Hacked By C99madshell
Hi,
I have a Linux-based server running cPanel/WHM. This morning I found that, doing a site: search in Google on one of my domains, there were thousands of pages listed.
After having a dig around, it seems the C99madshell hack was in place on a WordPress-based site. I can't link to the article about it, but here's an excerpt:
This being a SUSE box, my apache process is running as the 'wwwrun' user. This is an important point. This script is running as the 'wwwrun' user and is therefore able to do anything that user is allowed to do on the box. Given that my PHP Safe Mode is turned off (4th line down) that means it can run processes, view and change files, and all sorts of other things. The script can navigate anywhere the 'wwwrun' user is allowed to go on the system. There's no chroot here, so navigation targets would include the /etc directory, the web server root files (and therefore all the web application source files), all the regular user's home directories, and so on. If the 'wwwrun' user can see the files, so now can the attacker. All with a point and click interface!
After checking some more domains, it also seems to have appeared on non-WordPress sites, even a static HTML site.
I have 3 cPanel accounts set up, and all the hacked sites belong to one cPanel account.
I have little knowledge of Linux, but I'm trying to establish just how deep the hack goes. I'm 100% sure they have MySQL access, but what else could they have access to?
I'm currently trying to find a new host to move my important sites to (the ones that haven't been compromised), but what is the best plan of action here?
Thanks for your advice
-
06-02-2011, 07:34 AM #2 Web Hosting Evangelist
Join Date: Jul 2008, Posts: 468
The big question is, do you have backups?
If so, have those backups been compromised also?
-
06-02-2011, 07:36 AM #3 Newbie
Join Date: Mar 2010, Posts: 6
Yes, I have taken copies of the backups from the backup folder. Maybe one every 3 weeks or so.
I'm just extracting a couple to see if the hack code is present
-
06-02-2011, 01:09 PM #4 Junior Guru
Join Date: Feb 2006, Location: ::1/128, Posts: 247
-
06-02-2011, 01:25 PM #5 Newbie
Join Date: Mar 2010, Posts: 6
Hi,
Is there an easy way to do that from the command line at all?
I believe I have removed all traces of it, but you never know!
-
06-02-2011, 04:02 PM #6 Junior Guru Wannabe
Join Date: Sep 2006, Location: Montevideo, Posts: 82
You can do something like this:
cd /path/to/website && grep -rin -E '(eval|base64|gzinflate|safe_mode|perl|/bin/sh)' *
That will recursively check all files for keywords used in shells and malicious scripts.
Besides that, you should look at binary files, and at files that may look similar to the real ones but with l33t spelling, like "goog1e1asd09808", trying to imitate other "good" files.
Also if your site/server was compromised you should check in your logs how they've entered your site, and besides that, increase your server security measures (FW/WAF/etc).
I hope it helps.
-
06-03-2011, 11:36 AM #7 Aspiring Evangelist
Join Date: Aug 2005, Location: behind my screen, Posts: 402
hi,
You should try to find out whether the server has been rooted or not; if yes, an OS reload is needed, as a rooted server cannot be trusted. Also, do you allow any file upload functionality on your website? If so, then this is a possible way they got in: a PHP shell like c99 (and its variants) can be uploaded as an image... I won't go into details, but it is possible.
Running a tool like rkhunter could help you in determining whether your server was rooted or not.
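Building on the grep one-liner in post #6 and the "shell uploaded as an image" point in post #7, here is an added example of a small triage scanner for a web root. It is not code from the thread or from any of the posters. It scores files by the PHP functions webshells rely on, treats a chained eval(gzinflate(base64_decode(...))) as far stronger evidence than any single keyword (a lone base64_decode() is common in legitimate code), and flags PHP tags inside files with image extensions. The indicator weights, the alert threshold and the sample docroot it builds in a temp directory are assumptions made for the demo.

```python
"""Webshell triage scanner (added example, not code from the thread).

Extends the grep one-liner into a scan that (a) looks for the PHP
functions webshells rely on, (b) scores a chained
eval(gzinflate(base64_decode(...))) far higher than any single keyword,
and (c) flags PHP code inside files with image extensions, the upload
trick described in the thread.  Weights, threshold and the sample docroot
are assumptions made for this demo.
"""
import os
import re
import tempfile

# (name, regex, weight).  A lone base64_decode() is common in legitimate
# code, so it scores low; the full obfuscation chain almost never is.
INDICATORS = [
    ("eval", re.compile(rb"\beval\s*\("), 2),
    ("gzinflate", re.compile(rb"\bgzinflate\s*\("), 2),
    ("base64_decode", re.compile(rb"\bbase64_decode\s*\("), 1),
    ("str_rot13", re.compile(rb"\bstr_rot13\s*\("), 1),
    ("exec_func", re.compile(
        rb"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\("), 2),
    ("request_to_func", re.compile(
        rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\("), 3),
    ("obfuscation_chain", re.compile(
        rb"\beval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\("), 5),
    ("shell_name", re.compile(rb"c99|r57|madshell|safe_mode", re.I), 2),
]
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}
PHP_TAG = re.compile(rb"<\?php|<\?=")
ALERT_THRESHOLD = 3  # assumption: anything at or above this gets reviewed


def scan_file(path):
    """Return (score, [indicator names]) for one file."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(2 * 1024 * 1024)  # first 2 MiB is enough to triage
    except OSError:
        return 0, ["unreadable"]
    hits = [name for name, rx, _ in INDICATORS if rx.search(data)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    if os.path.splitext(path)[1].lower() in IMAGE_EXT and PHP_TAG.search(data):
        hits.append("php_in_image")  # an "image" should never carry a PHP tag
        score += 5
    return score, hits


def scan_tree(root):
    """Walk root; return {relative path: (score, hits)} for files worth a look."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            score, hits = scan_file(full)
            if score >= ALERT_THRESHOLD:
                findings[os.path.relpath(full, root)] = (score, hits)
    return findings


def build_sample_tree():
    """Constructed sample docroot for the demo; not real captured files."""
    root = tempfile.mkdtemp(prefix="docroot-")
    samples = {
        "index.php": b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
        # legitimate lone base64_decode(): must stay below the threshold
        "wp-includes/class-phpmailer.php":
            b"<?php\n$body = base64_decode($encoded);\n",
        # obfuscated shell with a look-alike name, as described in the thread
        "wp-content/uploads/goog1e1asd09808.php":
            b"<?php\neval(gzinflate(base64_decode('S0rNyy9JVUjOzytJzSsBAA==')));\n",
        # c99-style shell smuggled in under an image extension
        "wp-content/uploads/2011/06/logo.jpg":
            b"\xff\xd8\xff\xe0JFIF<?php system($_GET['cmd']); ?>",
        "wp-content/uploads/2011/06/real.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, (score, hits) in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{score:2d}  {rel}  {', '.join(hits)}")
```

Point scan_tree() at the document root of the affected cPanel account (run as a user who can read all of it) and review every hit by hand; the score is a lead, not a verdict. A clean scan of the web tree also says nothing about the rest of the box: if the attacker got past the web server user, as post #7 warns, a rootkit check and an OS reload decision are a separate step.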
-
06-03-2011, 08:40 PM #8 Disabled
Join Date: Feb 2010, Location: Worldwide, Posts: 61
Hi,
I work with clients to clear this type of situation quite often, and the cause is virtually always:
1. Compromised FTP password
2. Old wordpress installation or plugin compromised
You can verify whether the first is the cause by asking your host to provide FTP connection records for the past week or more. If you see IPs you don't recognize uploading files, then you'll have your answer.
If not, then the next likely reason is an exploitable plugin or an old version of WordPress installed within the website in question.
The best way to prevent these sorts of situations from becoming an emergency is to move to a web host who does a "free daily malware scan" on all websites. Doing so will ensure you are alerted to these hacks the moment or the day they occur, so you can react accordingly before the situation gets out of control and/or you lose your Google index position as a result (no fun at all).
Best Wishes,
Jim Walker
The Hack Repair Guy
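Post #8 suggests pulling the FTP connection records and looking for unknown addresses uploading files. As an added example (not code from the thread or from the poster), the script below does that triage over the classic wu-ftpd xferlog layout, which proftpd and pure-ftpd also write and which cPanel servers commonly keep under /var/log/xferlog; the log location, the exact format and the sample lines and addresses are assumptions made for the demo. It groups transfers by remote address and reports both uploads and downloads, so an unknown address that also pulled wp-config.php (and with it the MySQL credentials) shows up alongside the files it dropped.

```python
"""FTP transfer-log triage (added example, not code from the thread).

Parses the classic wu-ftpd xferlog layout, which proftpd and pure-ftpd
also write (often /var/log/xferlog; location and format are assumptions
here), and reports per remote address what was uploaded and what was
downloaded.  The log lines and addresses below are constructed for the
demo (RFC 5737 documentation ranges).
"""

SAMPLE_XFERLOG = """\
Wed Jun  1 22:10:43 2011 1 198.51.100.7 812 /home/acct/public_html/style.css a _ i r acctuser ftp 0 * c
Thu Jun  2 03:14:07 2011 1 203.0.113.45 48211 /home/acct/public_html/wp-content/uploads/goog1e1asd09808.php b _ i r acctuser ftp 0 * c
Thu Jun  2 03:14:21 2011 1 203.0.113.45 3020 /home/acct/public_html/wp-config.php b _ o r acctuser ftp 0 * c
Thu Jun  2 03:15:02 2011 2 203.0.113.45 9102 /home/acct/public_html/index.php b _ i r acctuser ftp 0 * c
Thu Jun  2 03:15:40 2011 1 203.0.113.45 4100 /home/acct/public_html/static/index.html b _ i r acctuser ftp 0 * i
Thu Jun  2 09:02:11 2011 1 198.51.100.7 2048 /home/acct/public_html/logo.png b _ o r acctuser ftp 0 * c
"""

# Field names after the 5-token timestamp, in xferlog order.
FIELDS = ("xfer_secs", "host", "size", "path", "type", "special", "direction",
          "access", "user", "service", "auth", "auth_uid", "status")


def parse_xferlog(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split()  # xferlog writes spaces in paths as '_'
        if len(tokens) != 5 + len(FIELDS):
            continue
        rec = dict(zip(FIELDS, tokens[5:]))
        rec["when"] = " ".join(tokens[:5])
        rec["line"] = lineno
        records.append(rec)
    return records


def summarize_by_host(records, known_hosts):
    """Group transfers by remote address.

    direction 'i' is an upload into the server, 'o' a download from it.
    An incomplete upload (status 'i') still leaves bytes on disk, so it is
    kept and marked rather than dropped.
    """
    summary = {}
    for rec in records:
        entry = summary.setdefault(rec["host"], {
            "known": rec["host"] in known_hosts, "uploads": [], "downloads": []})
        path = rec["path"] + ("" if rec["status"] == "c" else " [incomplete]")
        entry["uploads" if rec["direction"] == "i" else "downloads"].append(path)
    return summary


def suspicious_hosts(summary):
    """Unknown addresses that wrote anything, with what they wrote."""
    return {host: e["uploads"] for host, e in summary.items()
            if not e["known"] and e["uploads"]}


if __name__ == "__main__":
    # In practice, known_hosts = the addresses the site owner and developers use.
    summary = summarize_by_host(parse_xferlog(SAMPLE_XFERLOG), {"198.51.100.7"})
    for host, uploads in suspicious_hosts(summary).items():
        print(f"{host} uploaded {len(uploads)} file(s):")
        for path in uploads:
            print("   ", path)
        for path in summary[host]["downloads"]:
            print("    downloaded", path)
```

The path list per unknown address doubles as a cleanup checklist: each uploaded file is either a dropped shell or a legitimate file that was overwritten and needs restoring from a backup that predates the first suspicious transfer.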