I was hacked :(

[Dissident85]

Hi all, the other day I was doing a search on Google to see what pages it had indexed of a server I use for web development. And to my surprise I have been hacked

Hacked By Rossi I'm Turkish Hacker ~ For isLam
Sitenizdeki GüvenLik AçikLarini Kapatin
DostLArim : EL_Muhammed ~ Deep-Blues ~ ufuq
Allahu Ekber

It doesn’t surprise me that the page that was “hacked” was hacked. As the content of that page wouldn’t of looked that legitimate, and the content of that page was most likely how they managed this attack.

The page that was hacked was a page that I was using to educate my little brother and his friends on how easy it is to trick someone via email to get their password for a site… in that example I used bebo “SingIn.htm” I don’t think it displays correctly any more. but you get the idea… but it was a slightly modified version of the original bebo login page which submitted its form to this php script.

Code:

 <?php
$user = $_POST["EmailUsername"];
$pass = $_POST["Password"];
$ourFileName = $user.".txt";
$ourFileHandle = fopen($ourFileName, 'w') or die("can't open file");
fclose($ourFileHandle);
$myFile = $ourFileName;
$fh = fopen($myFile, 'w') or die("can't open file");
$stringData = $user."\n";
fwrite($fh, $stringData);
$stringData = $pass."\n";
fwrite($fh, $stringData);
fclose($fh);
?>

Now I am almost certain that that is how he got in and did his defacing of my site. But I did find a php file that wasn’t there before. And when I tried to download it to my computer my antivirus picked it up as a backdoor. I cant really work out exactly what it is doing.. I wanted if someone could help shed some light on what happened here?

I have renamed the “backdoor” from messa.php to messa.txt

Any help would be greatly appreciated. I just want to understand how this has happened.

oh yeah, and there is also a file on there named txt.php with the contents

hacked<br>

BL4CK-DEV1L

[streaker69]

Search your system for these files:

"c99sh_bindport.pl" => "c99sh_bindport_pl.txt",
"c99sh_bindport.c" => "c99sh_bindport_c.txt",
"c99sh_backconn.pl" => "c99sh_backconn_pl.txt",
"c99sh_backconn.c" => "c99sh_backconn_c.txt",
"c99sh_datapipe.pl" => "c99sh_datapipe_pl.txt",
"c99sh_datapipe.c" => "c99sh_datapipe_c.txt",

Also, if this is a linux box, you probably shouldn't trust it at this point. Reading through the code, you're pwned.

It looks like there's some hidden payload that's downloaded, I haven't figured out where it's downloaded to yet, but chances are there's hidden files possibly in the root web.

[Dissident85]

Search your system for these files:



Also, if this is a linux box, you probably shouldn't trust it at this point. Reading through the code, you're pwned.

It looks like there's some hidden payload that's downloaded, I haven't figured out where it's downloaded to yet, but chances are there's hidden files possibly in the root web.

mmmm, i wouldn't even know where to start looking for those files... its a shared host... i only have ftp access to the server, oh and the cpanelx file manager... they probably have more access to it than I do.. lol

[streaker69]

mmmm, i wouldn't even know where to start looking for those files... its a shared host... i only have ftp access to the server, oh and the cpanelx file manager... they probably have more access to it than I do.. lol

It's the C99shell exploit. You can read up on it on several different sites.

The file you posted is rather complex, and well written. Scary, too bad people with such talent have to use it for bad things.

[Dissident85]

It's the C99shell exploit. You can read up on it on several different sites.

The file you posted is rather complex, and well written. Scary, too bad people with such talent have to use it for bad things.

I can see that, I have developed pages in php before, and that file is well over my head!!!

I think I will setup a linux http & php server and try to run that file and see what happens….

But I am still curious as to how they got it on there? The php script that I had on there only creates .txt files… how did they get it to write a php file?

[streaker69]

I can see that, I have developed pages in php before, and that file is well over my head!!!

I think I will setup a linux http & php server and try to run that file and see what happens….

But I am still curious as to how they got it on there? The php script that I had on there only creates .txt files… how did they get it to write a php file?

It looks like it was downloaded from another source, although I can't be sure. It has images embedded in the file as well. It basically creates all the other pages that you saw on your site.

[Dissident85]

It looks like it was downloaded from another source, although I can't be sure. It has images embedded in the file as well. It basically creates all the other pages that you saw on your site.

mmmm well i think the best way that i am going to understand this will be to try to recreate the attack...

but i did find some odd things... such as an iframe containing the contents of this site??? :S http://www.ac66.cn/88/index.htm

also, would it be wise to contact my host about this? or should i just leave it?

[streaker69]

mmmm well i think the best way that i am going to understand this will be to try to recreate the attack...

but i did find some odd things... such as an iframe containing the contents of this site??? :S http://www.ac66.cn/88/index.htm

also, would it be wise to contact my host about this? or should i just leave it?

I would contact them, just in case they need to sanitize anything on their end.

[Dissident85]

I have been playing around and trying to recreate this... I found the original c99 shell and i then tried to execute the script. But I think my host may have already prevented it from been run again. I get this error.

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@loic.net.au and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at loic.net.au Port 80

What are your thoughts?

[Andy90]

Lol just by viewing that txt file norton jumped up on my computer with 'backdoor removed' lol