
Thread: I was hacked :(

  1. #1
    Dissident85 (Member, joined Jun 2008, 127 posts)

    I was hacked :(

    Hi all, the other day I was doing a search on Google to see what pages it had indexed of a server I use for web development. And to my surprise I have been hacked

    Quote Originally Posted by loic.net.au/bebo
    Hacked By Rossi I'm Turkish Hacker ~ For isLam
    Close the security holes on your site
    My friends: EL_Muhammed ~ Deep-Blues ~ ufuq
    Allahu Ekber (God is great)
    It doesn't surprise me that the page that was "hacked" was hacked, as the content of that page wouldn't have looked that legitimate, and the content of that page was most likely how they managed this attack.

    The page that was hacked was a page that I was using to educate my little brother and his friends on how easy it is to trick someone via email to get their password for a site… In that example I used bebo's "SingIn.htm". I don't think it displays correctly any more, but you get the idea… It was a slightly modified version of the original bebo login page which submitted its form to this php script.

    Code:
    <?php
    // Fields submitted by the copied bebo sign-in form
    $user = $_POST["EmailUsername"];
    $pass = $_POST["Password"];

    // The output file name is built directly from the submitted username,
    // i.e. from untrusted form input; the script itself never checks it
    $ourFileName = $user.".txt";

    // Write the username and password to that file, one per line
    $fh = fopen($ourFileName, 'w') or die("can't open file");
    fwrite($fh, $user."\n");
    fwrite($fh, $pass."\n");
    fclose($fh);
    ?>
    Now I am almost certain that that is how he got in and did his defacing of my site. But I did find a php file that wasn't there before. And when I tried to download it to my computer my antivirus picked it up as a backdoor. I can't really work out exactly what it is doing... I wondered if someone could help shed some light on what happened here?

    I have renamed the “backdoor” from messa.php to messa.txt

    Any help would be greatly appreciated. I just want to understand how this has happened.

    oh yeah, and there is also a file on there named txt.php with the contents
    Code:
    hacked<br>
    BL4CK-DEV1L

  2. #2
    streaker69 (Senior Member, joined Jan 2010, 3,535 posts; Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA)

    Search your system for these files:
    Code:
    "c99sh_bindport.pl" => "c99sh_bindport_pl.txt",
    "c99sh_bindport.c" => "c99sh_bindport_c.txt",
    "c99sh_backconn.pl" => "c99sh_backconn_pl.txt",
    "c99sh_backconn.c" => "c99sh_backconn_c.txt",
    "c99sh_datapipe.pl" => "c99sh_datapipe_pl.txt",
    "c99sh_datapipe.c" => "c99sh_datapipe_c.txt",
    Also, if this is a linux box, you probably shouldn't trust it at this point. Reading through the code, you're pwned.

    It looks like there's some hidden payload that's downloaded, I haven't figured out where it's downloaded to yet, but chances are there are hidden files, possibly in the root web.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
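    The search streaker69 describes, written out as a small script: an added example, not code from this thread. It looks under a web root for the c99shell helper file names quoted above and the files found in the first post (messa.php, txt.php), for hidden files, and for any .php file changed in the last N days; the demo web root it scans is constructed inside the script.

```shell
#!/bin/sh
# Added example, not from the thread: scan a web root for the c99shell helper
# file names streaker69 lists, the files Dissident85 found (messa.php, txt.php),
# hidden files in the web root, and any .php file modified in the last N days.
# Output is one path per line; the demo web root below is constructed.

KNOWN_NAMES="c99sh_bindport.pl c99sh_bindport.c c99sh_backconn.pl \
c99sh_backconn.c c99sh_datapipe.pl c99sh_datapipe.c messa.php messa.txt txt.php"

# scan_webroot ROOT [DAYS]  - print suspicious files under ROOT, deduplicated
scan_webroot() {
  root="$1"
  days="${2:-7}"
  {
    # Files carrying a name from the thread, anywhere under the web root
    for name in $KNOWN_NAMES; do
      find "$root" -type f -name "$name"
    done
    # Hidden files (dotfiles) are a common place to stash a shell's payload
    find "$root" -type f -name '.*'
    # Recently changed PHP on a site nobody has edited lately is a suspect
    find "$root" -type f -name '*.php' -mtime "-$days"
  } | sort -u
}

# make_demo_webroot - constructed sample site: one old, legitimate page plus
# two planted files; prints the directory path
make_demo_webroot() {
  d=$(mktemp -d)
  mkdir -p "$d/bebo" "$d/images"
  printf '<?php echo "home"; ?>\n' > "$d/index.php"
  touch -t 200801010000 "$d/index.php"          # last edited in 2008
  printf 'hacked<br>\nBL4CK-DEV1L\n' > "$d/bebo/txt.php"
  : > "$d/images/c99sh_datapipe.pl"
  echo "$d"
}

demo=$(make_demo_webroot)
scan_webroot "$demo"      # lists bebo/txt.php and images/c99sh_datapipe.pl
rm -rf "$demo"
```

    On a real shared host run it as `scan_webroot ~/public_html 30` over FTP-downloaded copies if you have no shell; the listed paths are what to hand the host.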

  3. #3
    Dissident85 (Member, joined Jun 2008, 127 posts)

    Quote Originally Posted by streaker69 View Post
    Search your system for these files:

    Also, if this is a linux box, you probably shouldn't trust it at this point. Reading through the code, you're pwned.

    It looks like there's some hidden payload that's downloaded, I haven't figured out where it's downloaded to yet, but chances are there are hidden files, possibly in the root web.
    mmmm, I wouldn't even know where to start looking for those files... it's a shared host... I only have FTP access to the server, oh, and the cPanel X file manager... they probably have more access to it than I do... lol

  4. #4
    streaker69 (Senior Member, joined Jan 2010, 3,535 posts)

    Quote Originally Posted by Dissident85 View Post
    mmmm, I wouldn't even know where to start looking for those files... it's a shared host... I only have FTP access to the server, oh, and the cPanel X file manager... they probably have more access to it than I do... lol
    It's the C99shell exploit. You can read up on it on several different sites.

    The file you posted is rather complex, and well written. Scary, too bad people with such talent have to use it for bad things.

  5. #5
    Dissident85 (Member, joined Jun 2008, 127 posts)

    Quote Originally Posted by streaker69 View Post
    It's the C99shell exploit. You can read up on it on several different sites.

    The file you posted is rather complex, and well written. Scary, too bad people with such talent have to use it for bad things.
    I can see that, I have developed pages in php before, and that file is well over my head!!!

    I think I will set up a Linux HTTP and PHP server and try to run that file and see what happens…

    But I am still curious as to how they got it on there? The php script that I had on there only creates .txt files… how did they get it to write a php file?

  6. #6
    streaker69 (Senior Member, joined Jan 2010, 3,535 posts)

    Quote Originally Posted by Dissident85 View Post
    I can see that, I have developed pages in php before, and that file is well over my head!!!

    I think I will set up a Linux HTTP and PHP server and try to run that file and see what happens…

    But I am still curious as to how they got it on there? The php script that I had on there only creates .txt files… how did they get it to write a php file?
    It looks like it was downloaded from another source, although I can't be sure. It has images embedded in the file as well. It basically creates all the other pages that you saw on your site.

  7. #7
    Dissident85 (Member, joined Jun 2008, 127 posts)

    Quote Originally Posted by streaker69 View Post
    It looks like it was downloaded from another source, although I can't be sure. It has images embedded in the file as well. It basically creates all the other pages that you saw on your site.
    mmmm, well, I think the best way that I am going to understand this will be to try to recreate the attack...

    but I did find some odd things... such as an iframe containing the contents of this site??? :S http://www.ac66.cn/88/index.htm

    also, would it be wise to contact my host about this? or should I just leave it?

  8. #8
    streaker69 (Senior Member, joined Jan 2010, 3,535 posts)

    Quote Originally Posted by Dissident85 View Post
    mmmm, well, I think the best way that I am going to understand this will be to try to recreate the attack...

    but I did find some odd things... such as an iframe containing the contents of this site??? :S http://www.ac66.cn/88/index.htm

    also, would it be wise to contact my host about this? or should I just leave it?
    I would contact them, just in case they need to sanitize anything on their end.

  9. #9
    Dissident85 (Member, joined Jun 2008, 127 posts)

    I have been playing around and trying to recreate this... I found the original c99 shell and then tried to execute the script. But I think my host may have already prevented it from being run again. I get this error.

    Code:
    Internal Server Error

    The server encountered an internal error or misconfiguration and was unable to complete your request.

    Please contact the server administrator, webmaster@loic.net.au and inform them of the time the error occurred, and anything you might have done that may have caused the error.

    More information about this error may be available in the server error log.

    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
    Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at loic.net.au Port 80
    What are your thoughts?

  10. #10
    Member (joined Nov 2007, 220 posts)

    Lol, just by viewing that txt file Norton jumped up on my computer with 'backdoor removed' lol
    wtf?
