Geekness – closer to the world

Geeky at the Lake of Zurich

Websites Injected – Cool Little Tool

It happened. Many of my websites on a different server got injected tonight. Every “index.php”, “admin.php” and “config.php” had grown to between 400KB and 1MB. At the end of each of those files a large list of URLs had been appended. And believe me, none of these links contained value.

Before fixing all those files or trying to restore them – some had even been copied from one domain to another – I had to find the hole through which the script kiddie broke into my system. Well, that was not that hard. On one of my sites I have an upload form, and those are great for this kind of “hacking”. I copied the file from there and did a little analysis. The tool looks cool and has many features, such as bypassing PHP Safe_Mode (e.g. to open the /etc/passwd file), command execution, file upload, an SQL manager, FTP brute forcing and many, many more.
Here is the file header (links non-clickable):

/**************************************************
* Locus7s Modified c100 Shell
* Beta v. 1.0a – Project x2300
* Written by Captain Crunch Team
* Modified by Shadow & Preddy
* Re-Modified by #!physx^ (15.2.07)
*=================================================
* New Modifications Implemented —
+——————————————————–+
* -Added link to Enumerate to escalate priviledges
* -Added Rootshell.c
* -Added Rootshell.c;auto-compiler
* -Execute Rootshell.c
* -Added Mig-Log Logcleaner
* -Execute Mig-Log Logcleaner
* -milw0rm searcher (Grabs OS and searches milw0rm)
* -Locus7s Style & Image
* -Added w4ck1ng Shell Backdoor Connect and Backdoor
* -Added PHP-Proxy link to hide your ass
* -Added your ip and server ip with whois capability
* -Added private 0day released by allahaka which utilizes the linux
* sudo bash to execute a stack overflow.
*=================================================
* FEB. 14, 2007 RELEASE NOTES:
+——————————————————–+
* PRIVATE RELEASE OF C100 SHELL FOR LOCUS7S MEMBERS
* FAILURE TO DO SO WILL RESULT IN LOSS OF VIP
* MEMBERS ACCESS, BAN FROM SITE, AND NO REFUND FOR VIP.
*=================================================
* PRODUCT INFO:
+——————————————————–+
* C100 SHELL CREATED BY CAPTAIN CRUNCH SECURITY TEAM
* WWW.CCTEAM.RU
* C100 SHELL – REVAMPED (X2300) MODIFIED BY LOCUS7S
* UNDERGROUND NETWORK | WWW.LOCUS7S.COM
* \E0T/
****************************************************/

This tool is called “Locus7s Modified c100 Shell”. A Google query lists some security related posts and you can even download it from some sites. For security purposes I strongly suggest you take a look and try to secure your web server against such attacks.
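The cleanup described above starts with finding every file the intruder touched. The following scanner is an added example (not part of the original post) that looks for the three symptoms the post reports: a header string from the shell itself, a block of URLs appended after the script's closing tag, and an index/admin/config file that has ballooned past 400KB. The marker list, the link threshold and the sample files it builds in a temporary directory are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Strings copied from the shell header quoted in the post; the marker list itself is constructed.
SHELL_MARKERS = (b"c100 Shell", b"CAPTAIN CRUNCH SECURITY TEAM", b"Locus7s")
# File names the post reports as modified, and the lower end of the sizes it saw (400KB).
TARGET_NAMES = {"index.php", "admin.php", "config.php"}
OVERSIZED = 400 * 1024
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")
MIN_SPAM_LINKS = 20  # assumed threshold; a config file should not carry links at all

def classify_php(path: Path) -> List[str]:
    """Findings for one PHP file; an empty list means nothing looked injected."""
    data = path.read_bytes()
    findings = []
    if any(marker in data for marker in SHELL_MARKERS):
        findings.append("webshell-header")
    # The spam was appended after the script, so inspect what follows the last closing tag.
    tail = data.rsplit(b"?>", 1)[-1] if b"?>" in data else data
    urls = len(URL_RE.findall(tail))
    if urls >= MIN_SPAM_LINKS:
        findings.append("appended-links:%d" % urls)
    if path.name in TARGET_NAMES and len(data) >= OVERSIZED:
        findings.append("oversized:%d" % len(data))
    return findings

def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Walk a document root and report every PHP file that has at least one finding."""
    report = {}
    for p in sorted(root.rglob("*.php")):
        findings = classify_php(p)
        if findings:
            report[p.relative_to(root).as_posix()] = findings
    return report

def build_sample_tree(root: Path) -> None:
    """Constructed samples: clean index, link-spammed config, bloated admin, uploaded shell."""
    (root / "blog").mkdir(parents=True)
    (root / "uploads").mkdir()
    (root / "blog" / "index.php").write_bytes(b"<?php echo 'hello'; ?>\n")
    spam = b"".join(b'<a href="http://example.invalid/%d">x</a>\n' % i for i in range(30))
    (root / "blog" / "config.php").write_bytes(b"<?php $db = 'x'; ?>\n" + spam)
    (root / "blog" / "admin.php").write_bytes(b"<?php ?>\n" + b"<!-- -->\n" * 50000)
    (root / "uploads" / "photo.php").write_bytes(b"<?php /* Locus7s Modified c100 Shell */ ?>")

def demo() -> Dict[str, List[str]]:
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(Path(d))
        return scan_tree(Path(d))
```

Run `scan_tree(Path("/var/www"))` against a real document root; `demo()` only exercises the constructed samples and reports the spammed config, the oversized admin file and the shell hidden in the upload directory.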

3 thoughts on “Websites Injected – Cool Little Tool”

  1. Pingback: Web Cash
  2. Yes,
    I just encountered this myself.

    I am an Internet Marketer, and I also do tech support for other Online marketers. This evening, as soon as I got online I received an IM from one of my marketing buddies. They were in a panic that many of their sites had been hacked.
    So I decided to look into it for them and I also came across this script.

    This script replaced the functions.php file in a wordpress theme file.

    I'm assuming someone cracked the password for this blog and added the code through the theme editor. Then by using the script, I assume, they modified many wpconfig files that were on this server.

    This was a baby croc host gator web account, with about 20 or so blogs. It took me about 3 hours to get everything straightened out.

    But in the end, I got my hourly wage, and ended up with a copy of this cool script 🙂

    Michael D Price
    http://theinsiderslist.com
