just got a site hacked... but there is a silver lining...

Discussion in 'Black Hat SEO' started by ukescuba, Mar 29, 2008.

  1. ukescuba (Jr. VIP, Premium Member; joined Feb 24, 2008)

    This is kinda all theoretical now - and I'm thinking out loud... and I'm sure this could be seriously misused and probably get your ass landed in jail... in fact I really don't think I have the balls to carry this one through! LOL

    OK, the other day I got one of my sites hacked... they defaced the front page... and I couldn't figure out for the life of me how they did it... that was until I came across a piece of software that had been uploaded to one of the write-enabled folders... now if you've used CMS scripts before you will note that you leave some of the folders write-enabled; somehow this is the entry point they used to upload the file...

    Well, when I opened the file I was f@cking shocked!!!! I can't explain it better than that... basically this file gave me access to pretty much everything stored on the server - I'm thinking I was lucky to get away with just having my site defaced...

    Anyway, cut a long story short - I started playing around with the software and soon realized that you could quite easily change the source code of existing files... now if I am right in thinking... you could add links into this code and then upload files to the site... I tested it, yes you can upload files to the write-enabled folders... and I guess you can put whatever the f#ck you want on there...

    I don't want to disclose the name of the file as I'm sure there are lots of people with it installed on their servers and open to being hacked and they don't even know it!

    I did a search for it last night and stumbled upon it... I clicked the link and found the interface... now I'm a little nervous since when I did it I wasn't paying too much attention to the URL... and when I looked the thing was on a damn .gov site!!!!!

    So the question is - anyone know of this method... anyone used it before... anyone had their asses kicked for using it??? LOL
     
  2. Whisker (Moderator, Staff Member, Premium Member; joined Dec 26, 2007)

    What CMS carries this exploit?
     
  3. ukescuba (Jr. VIP, Premium Member; joined Feb 24, 2008)

    It's not so much an exploit in the CMS, it's just that some CMS sites require you to write-enable directories... it was in one of these write-enabled directories I found the code...

    The site was in development and I had a lot of files write-enabled and they replaced my configuration.php file... the scary thing is that this configuration file has all your SQL info in it and they can quite easily see the login info... I tried it and saw the info - the script even included a SQL connection... although thankfully for me I changed the default port for my MySQL connection the day I got the VPS account...

    The only real way to protect yourself against this is, I guess, to lock down all your folders and files...

    What's pretty cool is that I can now use this script to check what's vulnerable on my server... I guess use the tool that they used against you to protect yourself....
     
  4. CoolAdvisor (Jr. VIP, Premium Member; joined Mar 24, 2008)

    My website has been hacked two times. They just changed my home page: inserted their trojan downloader :(
     
  5. ukescuba (Jr. VIP, Premium Member; joined Feb 24, 2008)

    OK guys, I'm not going to distribute the file to anyone but I will advise this:

    1) if you have been hacked, look at your timestamps for any files that have been recently changed
    2) if using a CMS, message board, installed scripts, etc., check any write-enabled directories, especially image folders...
    3) be careful if you do use warez or nulled software... there is absolutely no way to know if this type of file is getting uploaded or not...

    I guess in theory you could use this for extreme blackhat methods, i.e. in the warez fields...

    The file can easily be renamed so it could come under any guise... I found a screenshot of it on ImageShack... you can get an idea of the functions it can do...

    From my stance it's good to know this $hit exists and I was able to use it to find other exploits on my account and lock it down... on the other hand it could also be used to exploit many avenues... if you do use it, use it as you feel right... to me, I had to spend 10 hours making updates to my sites and I was pretty pissed... but in hindsight I do think it made me aware of the vulnerabilities...

    Hacking is a serious crime! Although I believe my hackers came from Turkey and from my understanding there isn't anything I can really do about it legally, I can block their IP addresses but they can always use proxies so what's the point?

    img here: http://img477.imageshack.us/img477/6209/c996vt.gif

    name of the script: c99shell
    filename: can be renamed to anything .php
     
    Last edited: Mar 29, 2008
  6. CoolAdvisor (Jr. VIP, Premium Member; joined Mar 24, 2008)

    Thanks ukescuba for sharing great info.

    BTW, could you upload this script for examination?

    Already found
    hxxp://sergeyxl.by.ru/c99.php
     
    Last edited: Mar 29, 2008
  7. ukescuba (Jr. VIP, Premium Member; joined Feb 24, 2008)

    Hi CA, normally I would not have a problem uploading scripts to share etc. - in this instance I don't want to make it any easier for script kiddies to get their hands on it... I'm sure it can be easily found online...

    I know it's important for people to be able to view the code "for research" so maybe I'll create a screenshot of it instead... kinda tied up right now but I'll see what I can do later tonight... :)
     
  8. dabandit (Registered Member; joined Feb 21, 2008)

    Mod_Sec and Hardened PHP (:grin1:) are your friends. You can make MySQL use sockets instead of TCP/IP. It's also faster.
     
    Last edited: Mar 30, 2008
  9. ukescuba (Jr. VIP, Premium Member; joined Feb 24, 2008)

    Will look into that, thanks!
     
  10. artswerdstone (Power Member; joined Nov 24, 2007)

    Here are several other exploit shells you should be aware of:
    http://hcr.3dn.ru/load/11

    Besides world-writable directories, there must be some other vulnerability that lets these shell scripts be injected into your web storage area.

    It would be very useful to spot these vulnerabilities before any bad things happen.

    Attention nulled script users. Some nulled scripts may contain backdoors. Take special care with encoded scripts!
     
  11. depraved (Newbie; joined Jun 16, 2007)

    I remember I had one of my old sites hacked and they threw up a bunch of pages with links to warez stuff (I thought they were building backlinks?).

    SOB was getting more traffic to these pages than to my main site. I actually considered redirecting this traffic to an adsense page targeting software, but I just went ahead and trashed the site and started over. Maybe next time
     
  12. nme (Junior Member; joined Jan 17, 2008)

    PHP shells are nothing new. I have a collection of about 200. Most are ineffectual if you have safe mode turned on. There are many more tweaks to your PHP config that you'll want to do besides that though.
     
  13. smithy (Registered Member; joined Oct 28, 2008)

    Hi

    Would anyone know how I can check my website to see if it's been hacked before? I have had someone say they received lots of spam after purchasing an ebook from me and always wondered if there was something on my site. Unfortunately I'm not as computer savvy as some and website code is beyond me.

    Thanks
     
  14. fatboy (Elite Member; joined Aug 13, 2008)

    c99 has been around for a while and now there are other variants on the shell - not the nicest files to find on your boxes either.

    If you have been hacked, always have a look in the tmp directory as well, as this is where most hackers drop files that do things like go off and grab other trojans etc.
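The checks described in this thread (ukescuba's checklist in post #5: recently changed files and scripts sitting in write-enabled image/upload folders; smithy's question in #13 about how to tell whether a site has been tampered with; fatboy's tip in #14 about the tmp directory) can be turned into a read-only audit script. The following is an added example written for this page, not code posted by anyone in the thread and not the shell they discuss. It assumes the web root, a tmp directory and a day window are passed as arguments (the `/var/www/html` default is a placeholder), and that `find` and `grep` with GNU/BSD extensions (`-maxdepth`, `-l`, `-E`) are available. The function-name patterns in `suspicious_php` are a triage heuristic of my own choosing, not a signature for any particular shell.

```shell
#!/bin/sh
# Added example (not from the thread): a read-only audit that walks a web
# root looking for the signs the posts above describe. Assumptions: the web
# root and a tmp directory are passed as arguments, and find/grep support
# -maxdepth and -lE (GNU or BSD).

# 1) Directories anyone on the box can write to (the "write enabled"
#    image/upload folders a CMS asks for). Other-writable = mode bit 0002.
writable_dirs() {
  find "$1" -type d -perm -0002 2>/dev/null | sort
}

# 2) Server-side scripts dropped directly inside those directories. An
#    image folder should hold images, so any .php here deserves a look.
scripts_in_writable_dirs() {
  writable_dirs "$1" | while IFS= read -r dir; do
    find "$dir" -maxdepth 1 -type f \
      \( -name '*.php' -o -name '*.phtml' -o -name '*.php[345]' -o -name '*.phar' \) \
      2>/dev/null
  done | sort -u
}

# 3) Files whose mtime changed within the last N days ($2). Compare the list
#    against what you actually deployed; mtimes can be forged, so an empty
#    result here proves nothing on its own.
recently_modified() {
  find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}

# 4) PHP files calling functions that remote-administration shells lean on.
#    Triage heuristic only: legitimate code uses some of these too, so read
#    every hit rather than deleting on sight.
suspicious_php() {
  find "$1" -type f \( -name '*.php' -o -name '*.phtml' \) -exec grep -lE \
    'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|shell_exec|passthru|proc_open|popen[[:space:]]*\(|system[[:space:]]*\(' \
    {} + 2>/dev/null | sort -u
}

# 5) Anything recently dropped in the tmp directory (post #14's tip).
tmp_dropped() {
  recently_modified "$1" "$2"
}

# Print all five reports for a web root, a tmp directory and a day window.
audit_webroot() {
  root="$1"; tmpdir="$2"; days="$3"
  printf '== world-writable directories under %s ==\n' "$root"
  writable_dirs "$root"
  printf '== scripts inside world-writable directories ==\n'
  scripts_in_writable_dirs "$root"
  printf '== files modified in the last %s days ==\n' "$days"
  recently_modified "$root" "$days"
  printf '== PHP files calling shell-style functions ==\n'
  suspicious_php "$root"
  printf '== recently dropped files in %s ==\n' "$tmpdir"
  tmp_dropped "$tmpdir" "$days"
}

# Usage: sh audit_webroot.sh /var/www/html /home/user/tmp [days]
# (both paths are placeholders; pass your own)
if [ "$#" -ge 2 ]; then
  audit_webroot "$1" "$2" "${3:-7}"
fi
```

Run it from a shell on the server (or on a copy of the account pulled down over SFTP) and review each section by hand. The first two reports answer "where could something have been written, and was anything executable written there"; the mtime report is the timestamp check from post #5, and the last two reports cover the function-call heuristic and the tmp directory. None of the functions modify anything, so the script is safe to run repeatedly while cleaning up.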