PHP Backdoors

fresher_06 Member
edited October 2012 in General

Has anybody heard about PHP backdoors such as c99, c99madshell, r57?

The command below gives me lots of files, especially in the tinymce folder:

grep -iR 'c99' /var/www/


Comments

  • You're borked!

    Thanked by 1: Asim
  • That's something I hate to find in my shared hosting :p Have you taken a look at the code of the files? Try to decrypt it; if it's indeed a backdoor, remove it.

    Last time someone hacked my blog and put in a backdoor, I just deleted the file, created a new file with the same name, and mocked the hacker.

    www.erawanarifnugroho.com - powered by Prometeus XenBiz | Server Uptime status - powered by Prometeus Xen Pune
    I'm not working for any providers here; all my comments are just my own opinion.
    Thanked by 2: Jack, Asim
  • C99 is most likely a shell hack.

    Thanked by 1: Asim
  • Yeah, it's definitely a shell hack.

    I'd be sure to check he didn't inject other backdoors into your scripts as well. If he was a smart hacker, he'd most likely have embedded another backdoor somewhere else in your site.

    Link: madirish.net/241

  • My shared hosting got compromised once, was a shitty experience.

    I use http://tuxlite.com to configure all my VPSes and I love it!

  • I have a separate folder, "phpshells". :3

    Quis custodiet ipsos custodes?
    http://raymii.org - http://sparklingnetwork.nl - Need a VPS Control Panel? http://z1s.org/ - Need a VPS that doesn't suck? https://www.digitalocean.com/?refcode=7435ae6b8212
  • @fresher_06 said: Has anybody heard about PHP backdoors such as c99, c99madshell, r57?

    The command below gives me lots of files, especially in the tinymce folder:

    grep -iR 'c99' /var/www/

    Take a look at the files to see what kind of code is in them.

    Also have a look for files containing 'eval' or 'base64', especially in the TinyMCE folders. While both of those functions have legitimate functions, they're often signs of trouble.

    Appreciate my posts/software/guides? Donate (PayPal/Flattr/Bitcoin): http://cryto.net/~joepie91/donate.html | irc.freenode.net #lowendbox

  • @Raymii said: I have a separate folder, "phpshells". :3

    Shaer l00t pl0x //HF-mode

    I use http://tuxlite.com to configure all my VPSes and I love it!

  • joepie91 Member
    edited October 2012

    @djvdorp said: Shaer l00t pl0x //HF-mode

    I think you took the wrong turn at the WJunction :)

    Appreciate my posts/software/guides? Donate (PayPal/Flattr/Bitcoin): http://cryto.net/~joepie91/donate.html | irc.freenode.net #lowendbox

    Thanked by 1: djvdorp
  • ajones Banned
    edited October 2012

    C99 is not a shell hack, it's a hack tool created to make a symlink and root a server.

    The ones you want to worry about are auto-symlink, because they symlink on run; if you have freebsd, there is an exploit on it to gain root access.

  • Sigh, so much misinformation.

    C99 is a "PHP shell" - its purpose is to allow an attacker that is able to somehow upload the 'shell', to run arbitrary commands, browse the filesystem, etc.

    Some variants of C99 (and there are many) will include exploits, tools for symlinking things, or other nasty stuff. It really just depends on what variant you have on there. Either way, it's most definitely malicious and you'll want to get rid of it.

    @ajones said: C99 is not a shell hack, it's a hack tool created to make a symlink and root a server.

    What does symlinking have to do with rooting a server?

    Appreciate my posts/software/guides? Donate (PayPal/Flattr/Bitcoin): http://cryto.net/~joepie91/donate.html | irc.freenode.net #lowendbox

  • ajones Banned
    edited October 2012

    If you create a symlink you can then exploit freebsd.

  • joepie91 Member
    edited October 2012

    @ajones said: If you create a symlink you can then exploit freedsb.

    Do you even know what a symlink is? Or FreeBSD (freedsb? wut), for that matter?

    Appreciate my posts/software/guides? Donate (PayPal/Flattr/Bitcoin): http://cryto.net/~joepie91/donate.html | irc.freenode.net #lowendbox

  • Lol typo :P.

    The matter of fact is I do know what it is; I can give you a detailed guide on how to do it if you want.

  • @ajones said: Lol typo :P.

    Or you didn't know that it's called FreeBSD? You made the mistake twice out of two attempts, suggesting poor knowledge rather than a typo. GG.

    VPN.sh - Secure and affordable VPN services

    Thanked by 1: ElliotJ
  • Clearly you cannot comprehend typo?

  • @ajones said: Clearly you cannot comprehend typo?

    Clearly you have no reading comprehension?

    @liamwithers said: made the mistake twice out of two attempts, suggesting poor knowledge rather than a typo

    Appreciate my posts/software/guides? Donate (PayPal/Flattr/Bitcoin): http://cryto.net/~joepie91/donate.html | irc.freenode.net #lowendbox

  • @ajones said: Clearly you cannot comprehend typo?

    Oh wow.

    VPN.sh - Secure and affordable VPN services

  • Ash_Hawkridge Member
    edited October 2012

    @joepie91 said: Clearly you have no reading comprehension?

    What are you talking about, he's a seasoned HF skid :P (Waits for website to get DDoSd)

  • @djvdorp said: Shaer l00t pl0x //HF-mode

    I think you'd be better off at hf. But still, looking at the code of those things, a lot have some kind of phone-home system. Better know what you might be up against.

    @liamwithers said: @ajones said: Clearly you cannot comprehend typo?

    Oh wow.

    Maybe @joepie91 is on his period.

    Quis custodiet ipsos custodes?
    http://raymii.org - http://sparklingnetwork.nl - Need a VPS Control Panel? http://z1s.org/ - Need a VPS that doesn't suck? https://www.digitalocean.com/?refcode=7435ae6b8212
  • @raymii lol I was just trollin' a bit, I know what they do :)

    I use http://tuxlite.com to configure all my VPSes and I love it!

  • John_R Member
    edited October 2012

    Every server admin needs a copy of a C99 variant.

    Up it to your own space as a normal user and try to root yourself.

    It is just another pentesting tool, you can use it for good or for not-so-good.

  • @John_R said: Every server admin needs a copy of a C99 variant.

    How would you even go about finding a reliable and safe copy of something like this? Would you have to frequent childish 1337 h4x0r f0rumz?
