IntegraMOD Home of phpBB Integrated Modifications 2006-06-24T07:54:02-07:00 http://www.integramod.com/forum/feed.php?f=12&t=736
2006-06-24T07:54:02-07:00 2006-06-24T07:54:02-07:00 http://www.integramod.com/forum/viewtopic.php?t=736&p=10111#p10111 <![CDATA[Re: Backdoor Hack found in "Backup" folder - musa.]]>

Statistics: Posted Author: itunes66 — Sat Jun 24, 2006 7:54 am


2006-06-24T07:06:24-07:00 2006-06-24T07:06:24-07:00 http://www.integramod.com/forum/viewtopic.php?t=736&p=10104#p10104 <![CDATA[Re: Backdoor Hack found in "Backup" folder - musa.]]>
"found it" wrote:
We are looking into it
:mrgreen:

Any developments? I managed to delete the file and it has not reappeared for two weeks, but I am naturally concerned that security has already been compromised.

Statistics: Posted Author: Dr. Bantham — Sat Jun 24, 2006 7:06 am


2006-06-12T22:13:50-07:00 2006-06-12T22:13:50-07:00 http://www.integramod.com/forum/viewtopic.php?t=736&p=9326#p9326 <![CDATA[Re: Backdoor Hack found in "Backup" folder - musa.]]>

Statistics: Posted Author: grizzly_cs — Mon Jun 12, 2006 10:13 pm


2006-06-12T14:37:03-07:00 2006-06-12T14:37:03-07:00 http://www.integramod.com/forum/viewtopic.php?t=736&p=9308#p9308 <![CDATA[Re: Backdoor Hack found in "Backup" folder - musa.]]>

Statistics: Posted Author: Dr. Bantham — Mon Jun 12, 2006 2:37 pm


2006-06-10T02:58:18-07:00 2006-06-10T02:58:18-07:00 http://www.integramod.com/forum/viewtopic.php?t=736&p=9122#p9122 <![CDATA[Re: Backdoor Hack found in "Backup" folder - musa.]]>
not change the timestamp. I am super-paranoid at this point. Should I be changing my passwords for IntegraMOD and/or my server host? Is this a destructive trojan or is it fishing for sensitive information? Help!

Statistics: Posted Author: Dr. Bantham — Sat Jun 10, 2006 2:58 am


2006-06-09T17:17:22-07:00 2006-06-09T17:17:22-07:00 http://www.integramod.com/forum/viewtopic.php?t=736&p=9106#p9106 <![CDATA[Backdoor Hack found in "Backup" folder - musa.php]]>
"IW4" wrote:
Y'know, I had this on mine, as well. Out of curiosity, jwernerny, who's your web host?


I am with WB-Hosting now. I did read something that suggested it could be cross loaded from another site on a shared host.

Statistics: Posted Author: jwernerny — Fri Jun 09, 2006 5:17 pm


2006-06-09T16:58:52-07:00 2006-06-09T16:58:52-07:00 http://www.integramod.com/forum/viewtopic.php?t=736&p=9105#p9105 <![CDATA[Backdoor Hack found in "Backup" folder - musa.php]]>
Link: http://hometown.aol.com/yarivgiladi/musa.php

This is another stupid "BackDoor Shell Exploit" :(

Statistics: Posted Author: ArangeL — Fri Jun 09, 2006 4:58 pm


2006-06-09T14:15:59-07:00 2006-06-09T14:15:59-07:00 http://www.integramod.com/forum/viewtopic.php?t=736&p=9100#p9100 <![CDATA[Backdoor Hack found in "Backup" folder - musa.php]]>

Statistics: Posted Author: IW4 — Fri Jun 09, 2006 2:15 pm


2006-05-15T01:41:09-07:00 2006-05-15T01:41:09-07:00 http://www.integramod.com/forum/viewtopic.php?t=736&p=5930#p5930 <![CDATA[Re: Backdoor Hack found in "Backup" folder - musa.]]>
We are looking into it

:mrgreen:

Statistics: Posted Author: found it — Mon May 15, 2006 1:41 am


2006-05-14T18:50:31-07:00 2006-05-14T18:50:31-07:00 http://www.integramod.com/forum/viewtopic.php?t=736&p=5905#p5905 <![CDATA[Re: Backdoor Hack found in "Backup" folder - musa.]]>
c99shell - a file manager through the www browser, "tailored" for hacking.
* you can download the latest version free of charge on the home page of the product:

* the special features:

* + management of local and remote (ftp, samba) files/folders, sorting

* uploading and downloading of files and folders

* (packed/unpacked beforehand through tar)

* advanced search (possible inside files)

* modify-time and access-time of files do not change with editing (to turn this off, see $filestealth)

* + execution of arbitrary PHP code
* + data encoder through md5, unix-md5, sha1, crc32, base64
* + rapid local analysis of OS security

* + rapid ftp scanning for login;login pairs from /etc/passwd (it usually gives access to 1/100 of accounts)

* paged output, sorting, group operations on DBs/tables, control of SQL processes)

* + the script "loves" include: it automatically searches for variables with descriptors and puts them in the links (optionally); it is also possible to change $surl (base link) both through the configuration (forcibly) and through the cookie "c99sh_surl"; the value of $set_surl is auto-recorded in the cookie "set_surl"

* + the possibility "to bind" /bin/bash to a specific port with an arbitrary password, or to make a back connect (the connection is tested, and the parameters for starting NetCat are displayed).

* + the possibility of rapid self-removal of the script
* + automated sending of messages about flaws and wishes to the author (through mail())
* * this is a far from complete list of possibilities.


* * the expected changes:
* ~ development of the sql manager
* ~ the addition of the missing file extensions

* * ~-~ write about all flaws found, desired changes and modifications (even about the insignificant!) to ICQ UIN #656555 or through the "feedback" section; all proposals and wishes will be examined.

Statistics: Posted Author: grizzly_cs — Sun May 14, 2006 6:50 pm


2006-05-14T17:47:15-07:00 2006-05-14T17:47:15-07:00 http://www.integramod.com/forum/viewtopic.php?t=736&p=5894#p5894 <![CDATA[Backdoor Hack found in "Backup" folder - musa.php]]>
I found something rather disturbing in my backup directory of my php site today. It was a php script that allows anyone access to the backdoor of my site. It is called "musa.php". I did a search of Google and of this Integramod2, and didn't see it mentioned anywhere. I am not sure how to block it other than to disable the backups (which I don't want to do, but would rather do than have an unsecure site).

BTW, the only way to remove it seems to be to use it to remove itself.

Anyway, here is the header of the code for the hack with the hope someone can block it.

- John

<?php
/******************************************************************************************************
*
*                    c99shell.php v.1.0 pre-release build #13
*                            Freeware license.
*                                © CCTeaM.
*  c99shell - a file manager via the www browser, "tailored" for hacking.
*  You can download the latest version for free from the product's home page: http://ccteam.ru
*  ICQ UIN #: 656555
*
*  Features:
*  + management of local and remote (ftp, samba) files/folders, sorting
*    uploading and downloading of files and folders
*    (packed/unpacked beforehand via tar)
*    advanced search (possible inside files)
*    modify-time and access-time of files do not change on editing (to disable, see $filestealth)
*  + execution of arbitrary PHP code
*  + data encoder via md5, unix-md5, sha1, crc32, base64
*  + quick local analysis of OS security
*  + quick ftp scan for login;login pairs from /etc/passwd (usually gives access to 1/100 of accounts)
*    paged output, sorting, group operations on databases/tables, SQL process management)
*  + the script "likes" include: it automatically looks for variables with descriptors and inserts them into links (optional)
*      $surl (base link) can also be changed either via the configuration (forced) or via the cookie "c99sh_surl",
*      the value of $set_surl is auto-written to the cookie "set_surl"
*  + ability to "bind" /bin/bash to a given port with an arbitrary password,
*    or make a back connect (the connection is tested, and the parameters for launching NetCat are displayed).
*  + ability to quickly self-remove the script
*  + automated sending of messages about flaws and wishes to the author (via mail())
*
*    This is a far from complete list of features.
*
*   Expected changes:
*  ~ Development of the sql manager
*  ~ Addition of missing file extensions
*
*  ~-~ Write about all flaws found, desired changes and improvements (even the most minor ones!)
*        to ICQ UIN #656555 or via the "feedback" section; all suggestions and wishes will be considered.
*
*  Last modify: 29.07.2005
*
*  © Captain Crunch Security TeaM. Coded by tristram
*
******************************************************************************************************/

Statistics: Posted Author: jwernerny — Sun May 14, 2006 5:47 pm
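
An added example, not part of the thread and not any poster's code: one way to sweep a web root such as the "backup" folder for the marker strings in the header quoted above, and for the timestamp gap that its $filestealth note implies on a POSIX filesystem. The one-hour threshold, the function names and the sample files are assumptions constructed for the demonstration.

```python
import os
import tempfile
import time

# Marker strings taken from the script header quoted in the thread (lowercased).
MARKERS = (b"c99shell", b"c99sh_surl", b"$filestealth", b"captain crunch security team")
SKEW_SECONDS = 3600  # assumption: ignore ctime/mtime gaps of under an hour

def scan(root, read_limit=1 << 20):
    """Return {path: [reasons]} for files under root that deserve a manual look."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                with open(path, "rb") as fh:
                    head = fh.read(read_limit).lower()
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
            hits = [m.decode() for m in MARKERS if m in head]
            reasons = ["markers: " + ", ".join(hits)] if hits else []
            # POSIX ctime is set by the kernel and cannot be put back with utime(),
            # so a rewound mtime leaves ctime far ahead of it. chmod, rename and
            # archive extraction cause the same gap: treat it as a lead, not proof.
            gap = st.st_ctime - st.st_mtime
            if name.lower().endswith(".php") and gap > SKEW_SECONDS:
                reasons.append("ctime is %d s later than mtime" % gap)
            if reasons:
                findings[path] = reasons
    return findings

def demo():
    """Scan a constructed sample tree (harmless stand-in files, no shell code)."""
    root = tempfile.mkdtemp()
    samples = {
        "musa.php": b"<?php /* c99shell.php v.1.0 pre-release build #13 */",
        "index.php": b"<?php echo 'hello';",
        "config.php": b"<?php $dbhost = 'localhost';",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    old = time.time() - 30 * 86400
    os.utime(os.path.join(root, "config.php"), (old, old))  # rewind atime/mtime
    return {os.path.basename(p): r for p, r in scan(root).items()}

if __name__ == "__main__":
    print(demo())
```

A marker hit identifies this particular script only while its header is intact; the ctime check still applies to files whose contents were changed and whose modify time was then put back.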

