New on LowEndTalk? Please Register and read our Community Rules.
PHP Backdoors
fresher_06
Member
Has anybody heard about PHP backdoors such as c99, c99madshell, r57?
The command below gives me lots of files, especially in the tinymce folder:
grep -iR 'c99' /var/www/
Comments
You're borked!
That's something I hate when I find it in my shared hosting :p
Have you taken a look at the code of the files? Try to decrypt it; if it's indeed a backdoor, remove it.
Last time someone hacked my blog and put in a backdoor, I just deleted the file, created a new file with the same name, and mocked the hacker.
C99 is most likely a shell hack.
Yeah, it's definitely a shell hack.
I'd be sure to check he didn't inject other backdoors into your scripts as well. If he was a smart hacker, he'd most likely have embedded another backdoor somewhere else in your site.
Link: madirish.net/241
My shared hosting got compromised once, was a shitty experience.
I have a separate folder, "phpshells".
Take a look at the files to see what kind of code is in them.
Also have a look for files containing 'eval' or 'base64', especially in the TinyMCE folders. While both of those functions have legitimate functions, they're often signs of trouble.
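The two checks suggested in this thread (the OP's `grep -iR 'c99'` and the advice to look for `eval` and `base64`) both work on bare substrings, so they light up on minified TinyMCE scripts and on every legitimate use of `base64_decode`. The script below is an added example, not code from the thread or from any poster: it walks a web root, scores each PHP file on several patterns that tend to co-occur in dropped shells, and only reports files whose combined score crosses a threshold, together with the matching lines. The indicator list, the weights, the threshold and the two constructed sample files are this example's own assumptions, not a definitive signature set.

```python
"""Score-based indicator scan for PHP web shells (added example, not from the thread).

Builds two constructed sample files under a temporary web root: a benign
TinyMCE-style upload helper that legitimately calls base64_decode and embeds a
long base64 data URI, and a stand-in for a dropped shell. Only the second one
should be reported. Patterns, weights and threshold are assumptions."""
import os
import re
import tempfile

# (indicator name, compiled regex, weight). Weights are an assumption for this example.
INDICATORS = [
    ("known shell name", re.compile(r"\b(c99|c99madshell|r57)\b", re.I), 3),
    ("base64_decode call", re.compile(r"base64_decode\s*\(", re.I), 1),
    ("eval of decoded data",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I), 4),
    ("long base64 blob", re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"), 2),
    ("shell execution", re.compile(r"\b(shell_exec|passthru|proc_open|popen)\s*\(", re.I), 2),
    ("request data passed to system/exec",
     re.compile(r"\b(system|exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I), 4),
    ("preg_replace /e modifier",
     re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I), 3),
]
THRESHOLD = 4                      # assumption: report at or above this score
PHP_EXT = (".php", ".phtml", ".php5", ".inc")


def scan_file(path):
    """Return (score, hits) for one file; each indicator counts once per file,
    hits is a list of (indicator, line_no, truncated_line) for every match."""
    hits, score, seen = [], 0, set()
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            for name, rx, weight in INDICATORS:
                if rx.search(line):
                    hits.append((name, no, line.strip()[:80]))
                    if name not in seen:
                        seen.add(name)
                        score += weight
    return score, hits


def scan_tree(root):
    """Walk `root`, scan PHP-like files, return {relpath: (score, hits)} for files
    scoring at or above THRESHOLD. Paths use '/' regardless of platform."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(PHP_EXT):
                continue          # .js/.css etc. are skipped even if they contain 'c99'
            full = os.path.join(dirpath, fn)
            score, hits = scan_file(full)
            if score >= THRESHOLD:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = (score, hits)
    return findings


def build_sample_tree():
    """Create a temporary web root with constructed sample files and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "tinymce", "plugins"))
    # Constructed benign file: legitimate base64 use plus a long data URI (score 3).
    benign = (
        "<?php\n"
        "// Constructed benign TinyMCE-style upload helper.\n"
        "$token = base64_decode($_POST['token'] ?? '');\n"
        "$icon = 'data:image/png;base64," + "A" * 130 + "';\n"
    )
    with open(os.path.join(root, "tinymce", "upload.php"), "w") as fh:
        fh.write(benign)
    # Constructed stand-in for a dropped shell: known name + eval of decoded data (score 8).
    suspicious = (
        "<?php\n"
        "/* c99madshell v2 - constructed stand-in, not a working shell */\n"
        "eval(gzinflate(base64_decode('H4sIAAAAAAAAA')));\n"
    )
    with open(os.path.join(root, "tinymce", "plugins", "cache.php"), "w") as fh:
        fh.write(suspicious)
    # Constructed JS file: would match a naive grep for 'c99' but is not a PHP file.
    with open(os.path.join(root, "tinymce", "tiny_mce.js"), "w") as fh:
        fh.write("var c99 = 1;\n")
    return root


if __name__ == "__main__":
    web_root = build_sample_tree()
    for rel, (score, hits) in scan_tree(web_root).items():
        print(f"{rel}: score {score}")
        for name, no, text in hits:
            print(f"  line {no} [{name}]: {text}")
```

Run it as-is to see the constructed shell reported and the benign upload helper stay quiet; to use it on a real host, replace `build_sample_tree()` with the document root and treat the output as a triage list to read by hand, not as a verdict. A shell that has been re-encoded or split across files can score below the threshold, so the OP's grep and a comparison against a clean copy of TinyMCE (file hashes or a `diff` against the vendor tarball) remain worthwhile alongside it.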
Shaer l00t pl0x //HF-mode
I think you took the wrong turn at the WJunction
C99 is not a shell hack, it's a hack tool created to make a symlink and root a server.
The ones you want to worry about are the auto-symlink ones because they symlink on run; if you have freebsd, there is an exploit on it to gain root access.
Sigh, so much misinformation.
C99 is a "PHP shell" - its purpose is to allow an attacker that is able to somehow upload the 'shell', to run arbitrary commands, browse the filesystem, etc.
Some variants of C99 (and there are many) will include exploits, tools for symlinking things, or other nasty stuff. It really just depends on what variant you have on there. Either way, it's most definitely malicious and you'll want to get rid of it.
What does symlinking have to do with rooting a server?
If you create a symlink you can then exploit freebsd.
Do you even know what a symlink is? Or FreeBSD (freedsb? wut), for that matter?
Lol typo :P.
The fact of the matter is I do know what it is; I can give you a detailed guide on how to do it if you want.
Or you didn't know that it's called FreeBSD? You made the mistake twice out of two attempts, suggesting poor knowledge rather than a typo. GG.
Clearly you cannot comprehend a typo?
Clearly you have no reading comprehension?
Oh wow.
What are you talking about, he's a seasoned HF skid :P
(Waits for website to get DDoSd)
I think you'd be better off at HF. But still, looking at the code of those things, a lot have some kind of phone-home system. Better to know what you might be up against.
Maybe @joepie91 is on his period.
@raymii lol I was just trolling a bit, I know what they do
Every server admin needs a copy of a C99 variant.
Up it to your own space as a normal user and try to root yourself.
It is just another pentesting tool, you can use it for good or for not-so-good.
How would you even go about finding a reliable and safe copy of something like this? Would you have to frequent childish 1337 h4x0r f0rumz?