PHP Backdoors

fresher_06 Member
edited October 2012 in General

Has anybody heard about PHP backdoors such as c99, c99madshell, r57?

The command below gives me lots of files, especially in the tinymce folder:

grep -iR 'c99' /var/www/

Comments

  • You're borked!

    Thanked by 1Asim
  • That's something I hate when I find it in my shared hosting :p
    Have you taken a look at the code of the files? Try to decrypt it; if it's indeed a backdoor, remove it.

    Last time someone hacked my blog and put a backdoor in, I just deleted the file, created a new file with the same name, and mocked the hacker.

    Thanked by 2DeletedUser Asim
  • C99 is most likely a shell hack.

    Thanked by 1Asim
  • Yeah, it's definitely a shell hack.

    I'd be sure to check he didn't inject other backdoors into your scripts as well. If he was a smart hacker, he'd most likely have embedded another backdoor somewhere else in your site.

    Link: madirish.net/241

  • My shared hosting got compromised once, was a shitty experience.

  • I have a separate folder, "phpshells". :3

  • joepie91 Member, Patron Provider

    @fresher_06 said: Has anybody heard about PHP backdoors such as c99, c99madshell, r57?

    The command below gives me lots of files, especially in the tinymce folder:

    grep -iR 'c99' /var/www/

    Take a look at the files to see what kind of code is in them.

    Also have a look for files containing 'eval' or 'base64', especially in the TinyMCE folders. While both of those functions have legitimate uses, they're often signs of trouble.

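A defender-side way to do the search joepie91 describes above, added here as an example and not code from the thread: it walks a web root, counts occurrences of functions that PHP shells typically lean on (eval, base64_decode, gzinflate, shell_exec and a few more; the list is an assumption, not an authoritative signature set) and prints the noisiest files first so they can be read by hand.

```shell
#!/bin/sh
# Added example (not from the thread). Counts hits of constructs commonly
# found in PHP shells per file and lists files with the most hits first.
# Every hit still needs a human look: legitimate code uses these too.

# Assumed pattern list; extend to taste.
SUSPICIOUS='eval\(|base64_decode\(|gzinflate\(|str_rot13\(|shell_exec\(|passthru\(|assert\('

# scan_php_shells <webroot>: prints "count:path" for each PHP file with at
# least one match, sorted by count descending.
scan_php_shells() {
    webroot="$1"
    find "$webroot" -type f \( -name '*.php' -o -name '*.phtml' \) -print0 \
      | xargs -0 grep -oHiE "$SUSPICIOUS" 2>/dev/null \
      | cut -d: -f1 | sort | uniq -c | sort -rn \
      | awk '{ n=$1; sub(/^ *[0-9]+ /, ""); print n ":" $0 }'
}

# demo_scan: builds a constructed sample tree in a temp dir, scans it,
# cleans up. The "shell-like" file only echoes a string when decoded.
demo_scan() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/tinymce/plugins"
    printf '<?php echo "hello";\n' > "$tmp/index.php"
    printf '<?php eval(base64_decode("ZWNobyAiaGkiOw=="));\n' \
        > "$tmp/tinymce/plugins/upload.php"
    scan_php_shells "$tmp"
    rm -rf "$tmp"
}

demo_scan
```

On a real box run `scan_php_shells /var/www/` and read the top entries; a hit inside an editor plugin folder that the package itself does not ship is the kind of file the thread is talking about.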
  • @Raymii said: I have a seperate folder, "phpshells". :3

    Shaer l00t pl0x //HF-mode

  • joepie91 Member, Patron Provider
    edited October 2012

    @djvdorp said: Shaer l00t pl0x //HF-mode

    I think you took the wrong turn at the WJunction :)

    Thanked by 1djvdorp
  • ajones Banned
    edited October 2012

    C99 is not a shell hack, it's a hack tool created to make a symlink and root a server.

    The ones you want to worry about are auto-symlink, because they symlink on run; if you have FreeBSD, there is an exploit for it to gain root access.

  • joepie91 Member, Patron Provider

    Sigh, so much misinformation.

    C99 is a "PHP shell" - its purpose is to allow an attacker that is able to somehow upload the 'shell', to run arbitrary commands, browse the filesystem, etc.

    Some variants of C99 (and there are many) will include exploits, tools for symlinking things, or other nasty stuff. It really just depends on what variant you have on there. Either way, it's most definitely malicious and you'll want to get rid of it.

    @ajones said: C99 is not a shell hack, it's a hack tool created to make a symlink and root a server.

    What does symlinking have to do with rooting a server?

  • ajones Banned
    edited October 2012

    If you create a symlink you can then exploit freebsd.

  • joepie91 Member, Patron Provider
    edited October 2012

    @ajones said: If you create a symlink you can then exploit freedsb.

    Do you even know what a symlink is? Or FreeBSD (freedsb? wut), for that matter?

  • Lol typo :P.

    The fact of the matter is that I do know what it is; I can give you a detailed guide on how to do it if you want.

  • VPNsh Member, Host Rep

    @ajones said: Lol typo :P.

    Or you didn't know that it's called FreeBSD? You made the mistake twice out of two attempts, suggesting poor knowledge rather than a typo. GG.

    Thanked by 1ElliotJ
  • Clearly you cannot comprehend typo?

  • joepie91 Member, Patron Provider

    @ajones said: Clearly you cannot comprehend typo?

    Clearly you have no reading comprehension?

    @liamwithers said: made the mistake twice out of two attempts, suggesting poor knowledge rather than a typo

  • VPNsh Member, Host Rep

    @ajones said: Clearly you cannot comprehend typo?

    Oh wow.

  • Ash_Hawkridge Member
    edited October 2012

    @joepie91 said: Clearly you have no reading comprehension?

    What are you talking about, he's a seasoned HF skid :P
    (Waits for website to get DDoSd)

  • @djvdorp said: Shaer l00t pl0x //HF-mode

    I think you'd be better off at HF. But still, looking at the code of those things, a lot have some kind of phone-home system. Better know what you might be up against.

    @liamwithers said: @ajones said: Clearly you cannot comprehend typo?

    Oh wow.

    Maybe @joepie91 is on his period.

  • @raymii lol in wss just trollin a bit, I know what they do :)

  • John_R Member
    edited October 2012

    Every server admin needs a copy of a C99 variant.

    Up it to your own space as a normal user and try to root yourself.

    It is just another pentesting tool, you can use it for good or for not-so-good.

  • @John_R said: Every server admin needs a copy of a C99 variant.

    How would you even go about finding a reliable and safe copy of something like this? Would you have to frequent childish 1337 h4x0r f0rumz?
