Backdoor Hack found in "Backup" folder - musa.php


PostAuthor: jwernerny » Sun May 14, 2006 5:47 pm

Hey guys,

I found something rather disturbing in the backup directory of my php site today. It was a php script that allows anyone access to the backdoor of my site. It is called "musa.php". I did a search of google and of this Integramod2, and didn't see it mentioned anywhere. I am not sure how to block it other than to disable the backups (which I don't want to do, but would rather do than have an insecure site).

BTW, the only way to remove it seems to be to use it to remove itself.

Anyway, here is the header of the code for the hack with the hope someone can block it.

- John

Code: Select all
<?php
/*********************************************************************************************************
*                    c99shell.php v.1.0 pre-release build #13
*                            Freeware license.
*                                © CCTeaM.
*  c99shell - a file manager accessed through a www browser, "sharpened" for break-ins.
*  You can download the latest version free of charge from the product's home page: http://ccteam.ru
*  ICQ UIN #: 656555
*
*  Features:
*  + management of local and remote (ftp, samba) files/folders, sorting,
*    uploading and downloading of files and folders
*    (packed/unpacked beforehand through tar)
*    advanced search (possible inside files)
*    modify-time and access-time of files are not changed on editing (to disable, see $filestealth)
*  + execution of arbitrary PHP code
*  + data encoder through md5, unix-md5, sha1, crc32, base64
*  + quick local OS security analysis
*  + quick ftp scan for login;login pairs taken from /etc/passwd (usually gives access to 1/100 of accounts)
*    paginated output, sorting, group operations on DBs/tables, management of SQL processes)
*  + the script "loves" include: it automatically looks for variables holding descriptors and inserts them into links (optional);
*    you can also change $surl (the base link) either through the configuration (forced) or through the cookie "c99sh_surl";
*    the value of $set_surl is written automatically to the cookie "set_surl"
*  + ability to "bind" /bin/bash to a given port with an arbitrary password,
*    or to do a back connect (the connection is tested, and the parameters for launching NetCat are shown).
*  + ability to quickly self-delete the script
*  + automated sending of bug reports and wishes to the author (through mail())
*
*    This is far from a complete list of features.
*
*   Expected changes:
*  ~ Development of the sql manager
*  ~ Addition of missing file extensions
*
*  ~-~ Write about all found defects, desired changes and
*  improvements (even the most insignificant!) to ICQ UIN #656555 or through the "feedback" section; all proposals and wishes will be considered.
*
*  Last modify: 29.07.2005
*
*  © Captain Crunch Security TeaM. Coded by tristram
********************************************************************************************************/

PostAuthor: grizzly_cs » Sun May 14, 2006 6:50 pm

Breakdown in English

c99shell - file manager through a www browser, "sharpened" for breaking in.
* you can download the latest version free of charge from the product's home page:

* the special features:

* + control of local and remote (ftp, samba) files/folders, sorting

* uploading and downloading of files and folders

* (it is packed/unpacked beforehand through tar)

* advanced search (possible inside files)

* modify-time and access-time of files do not change with editing (to turn off, see $filestealth)

* + execution of arbitrary PHP code * + encoder of data through md5, unix-md5, sha1, crc32, base64 * + rapid local analysis of OS safety

* + rapid ftp scanning for login;login pairs from /etc/passwd (it usually gives access to 1/100 of accounts)

* paginated output, sorting, group operations on DB/tables, control of SQL processes)

* + the script "loves" include: it automatically searches for variables with descriptors and puts them into the links (optionally); it is also possible to change $surl (base link) both through the configuration (forcibly) and through the cookie "c99sh_surl"; the value of $set_surl is auto-recorded in the cookie "set_surl"

* + the possibility to "bind" /bin/bash to a specific port with an arbitrary password, or to make a back connect (the connection is tested, and the parameters for starting NetCat are output).

* + the possibility of rapid self-removal of the script * + automated sending of messages about omissions and wishes to the author (through mail()) * * this is far from a complete list of possibilities.

* * the expected changes: * ~ development of the sql manager * ~ addition of the missing file extensions

* * ~ - ~ write about all found omissions, desired changes and modifications (even the insignificant ones!) to ICQ UIN #656555 or through the "feedback" section; all proposals and wishes will be examined.

PostAuthor: found it » Mon May 15, 2006 1:41 am

hi

We are looking into it

:mrgreen:

PostAuthor: IW4 » Fri Jun 09, 2006 2:15 pm

Y'know, I had this on mine, as well. Out of curiosity, jwernerny, who's your web host?

PostAuthor: ArangeL » Fri Jun 09, 2006 4:58 pm

I found the file.

Link: http://hometown.aol.com/yarivgiladi/musa.php

This is another stupid "BackDoor Shell Exploit" :(

PostAuthor: jwernerny » Fri Jun 09, 2006 5:17 pm

IW4 wrote: Y'know, I had this on mine, as well. Out of curiosity, jwernerny, who's your web host?


I am with WB-Hosting now. I did read something that suggested it could be cross-loaded from another site on a shared host.

PostAuthor: Dr. Bantham » Sat Jun 10, 2006 2:58 am

I have it! I deleted my backup directory in its entirety until I know what is going on. It has been there since April Fool's Day (seriously) and had edited all of the PHP files in the backup directory, according to the time stamp. However, according to the translation above, it has the ability to inject files and not change the timestamp. I am super-paranoid at this point. Should I be changing my passwords for IntegraMOD and/or my server host? Is this a destructive trojan, or is it fishing for sensitive information? Help!
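
The c99shell header in the first post lists what the shell does (arbitrary PHP execution, bind/back-connect shells, self-deletion) and, via $filestealth, that it can edit files without changing their modify-time, which is why the timestamps Dr. Bantham is relying on above cannot be trusted. The scanner below is an added example written for this thread, not code from IntegraMOD or from any poster. It walks a site tree, flags PHP files that contain the indicator strings visible in the posted header (c99shell, CCTeaM, c99sh_surl) or common shell idioms, and adds a check that touch()/utime cannot defeat: on Unix the inode change time (ctime) is set by the kernel and cannot be rolled back, so a file whose ctime is far newer than its mtime had its mtime reset after it was written. The file name musa.php, the indicator patterns and the sample site it builds are assumptions taken from or constructed for this thread; the ctime rule is Unix-specific (on Windows st_ctime is the creation time).

```python
"""
Added example (not from the forum thread or IntegraMOD): scan a PHP site for
webshell indicators such as the c99shell header posted above, and flag files
whose mtime appears to have been reset after they were written.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Indicator patterns. The literal names come from the header posted in the
# thread; the last two are generic webshell idioms (eval of decoded payload,
# shell execution of raw request input). Assumed for this example.
SHELL_MARKERS = [
    re.compile(rb"c99shell", re.I),
    re.compile(rb"CCTeaM", re.I),
    re.compile(rb"c99sh_surl"),
    re.compile(rb"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    re.compile(rb"\b(system|passthru|shell_exec|popen)\s*\(\s*\$_(GET|POST|REQUEST)\b", re.I),
]
SUSPICIOUS_NAMES = {"musa.php"}  # file name reported in the thread (assumed indicator)
PHP_EXTENSIONS = (".php", ".phtml", ".php3", ".php4", ".php5", ".inc")


@dataclass
class Finding:
    path: str
    reasons: list


def scan_file(path: str, ctime_slack: int = 60) -> list:
    """Return the reasons this file looks suspicious (empty list if clean)."""
    reasons = []
    name = os.path.basename(path)
    if name in SUSPICIOUS_NAMES:
        reasons.append(f"filename {name!r} matches a known shell name")
    with open(path, "rb") as fh:
        data = fh.read()
    for pat in SHELL_MARKERS:
        if pat.search(data):
            reasons.append(f"content matches {pat.pattern.decode()!r}")
    st = os.stat(path)
    # utime()/touch() can set mtime and atime to anything, but every such call
    # moves ctime to "now" (Unix semantics). A ctime well ahead of mtime means
    # the file was written and then back-dated, which is what $filestealth does.
    if st.st_ctime - st.st_mtime > ctime_slack:
        reasons.append(
            f"ctime {int(st.st_ctime)} is newer than mtime {int(st.st_mtime)}: mtime may have been reset"
        )
    return reasons


def scan_tree(root: str) -> list:
    """Scan every PHP-like file under root; return Findings sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(PHP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, fn)
            reasons = scan_file(full)
            if reasons:
                findings.append(Finding(full, reasons))
    return sorted(findings, key=lambda f: f.path)


def build_demo_tree() -> str:
    """Constructed sample site: one clean file plus a planted, back-dated shell."""
    root = tempfile.mkdtemp(prefix="site_")
    os.makedirs(os.path.join(root, "backup"))
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php echo 'hello'; ?>\n")
    shell = os.path.join(root, "backup", "musa.php")
    with open(shell, "wb") as fh:
        fh.write(b"<?php /* c99shell.php v.1.0 pre-release build #13 (c) CCTeaM */ ?>\n")
    # Emulate $filestealth: roll mtime/atime back one year. ctime still moves to now.
    old = os.stat(shell).st_mtime - 365 * 86400
    os.utime(shell, (old, old))
    return root


if __name__ == "__main__":
    for f in scan_tree(build_demo_tree()):
        print(f.path)
        for r in f.reasons:
            print("   -", r)
```

Run it from the web root rather than only the backup directory, since a later post reports a second file dropped at the host's root. Signature matching only finds shells you already know about, so the ctime comparison and the host's access logs are the better guide to what else was touched; as the same poster asks, credentials for the board and the hosting account should be treated as exposed once a shell with arbitrary PHP execution has been on the box.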

PostAuthor: Dr. Bantham » Mon Jun 12, 2006 2:37 pm

Has anyone else found this file on their server? The file and the modified files were all stamped April 1st on my server. Is this a joke or a coincidence? It seems strange that there is not more information available. I am going to upload my backup directory from scratch again and keep an eye out. Any advice?

PostAuthor: grizzly_cs » Mon Jun 12, 2006 10:13 pm

I have not.....

PostAuthor: Dr. Bantham » Sat Jun 24, 2006 7:06 am

found it wrote: We are looking into it
:mrgreen:
Any developments? I managed to delete the file and it has not reappeared for two weeks, but I am naturally concerned that security has already been compromised.

PostAuthor: itunes66 » Sat Jun 24, 2006 7:54 am

It was in mine too. Check the root folder (/) of your host; it had put a file there, so I deleted it and musa.php.