r57Shell

[MrGusMuller]

Hi u all!

I'm having this issue at programs url.
When I try to access to a promo tool, the link leads me to an URL that gives me access to admin page 'r57Shell'.
This is a little weird!
I get this URL from their NATs program. Anyone trying to access that tool will also see it and my try to cause some troubles i guess...




I havent received any email confirming my subscription to their nats system.
I have sent a support ticket warning them.


Best regards

[HomerSimpson]

webair.com....
why am I not supprised...

[directfiesta]

That shell script gives root acess to your server :

http://www.nullamatix.com/find-r57-a...and-txt-files/

Do a rootkit scan and address this urgently

[u-Bob]

I guess someone needs to reinstall his server....

[MrGusMuller]

I have sent a support mail ...
i will try to talk with the owner here...

[MMarko]

Quote:

Originally Posted by directfiesta

That shell script gives root acess to your server :

http://www.nullamatix.com/find-r57-a...and-txt-files/

Do a rootkit scan and address this urgently

Well this isn't true actually... script is basically interface for different linux commands and utilities, and once uploaded you need to exploit something else so you can escalate your priviledges and ran shell script as root... so script alone doesn't mean server was rooted only that you have vulnerable script which allows unauthroized uploads or remote php including.

[ladida]

Quote:

Originally Posted by MMarko

Well this isn't true actually... script is basically interface for different linux commands and utilities, and once uploaded you need to exploit something else so you can escalate your priviledges and ran shell script as root... so script alone doesn't mean server was rooted only that you have vulnerable script which allows unauthroized uploads or remote php including.

Truth, except for the vulnerability.

[v0id]

looks like that NATS install is on a virtual plan?

[MasterM]

check your installed scripts for exploits and updates asap.
but probably there are more scripts like that on your server or their server

if its a dedicated and you are the owner.
turn on safe mode... or turn it on temp. before the get deeper

[MrGusMuller]

Its not mine.
I'm just an affiliated.
I'm sent an email to the programs support, added the owner to ICQ and I have sent a message to him here in GFY...
cant get in contact with him.

How does NATs handels with password? I guess that is saved on a database and not encoded by md5 or something :S

[u-Bob]

The attacker was able to install that r57shell script. That does tell you one thing: the server has been compromised. It doesn't tell you how they got in, what they did or what level of access they eventually acquired.

Once you've determined that the server has been compromised, there is one thing you absolutely need to do: wipe and reinstall the server.

While going through your logs, scanning for rootkits, auditing your scripts etc is recommended to find out more information about how they got in. Information you can use to prevent future compromises, but it does not change the fact that the server needs to be reinstalled.

A system that has been compromised is a system that can no longer be trusted.

[MrGusMuller]

The server is not mine.
I'm just a lousy webmaster that registered on the server's owner NATs program, and that the RSS links send me to the r57shell script...

i'm afraid that my password may have been stolen..

[MasterM]

once you got a c99 or r57 shell on the box , you can get all data , logs , databases etc. everything on that box

[cooldude7]

u r screwed

[MrGusMuller]

I'm going to warn that webair guy that uses GFY!...

[MrGusMuller]

Quote:

Originally Posted by cooldude7

u r screwed

me and all the other program's affiliates.

[webair]

Quote:

Originally Posted by HomerSimpson

webair.com....
why am I not supprised...

dick =)
------------------------


Looks like they got in via a vulnerable script.
Thanks for the report MrGusMuller and for contacting me. I got my guys on it now.

[MrGusMuller]

I have warned the webair, and few minutes later the problem was corrected.



Now, to anyone who might me interested, the affiliated program was HYPEDOUGH.COM.
I was able to read the wp-config.php and see the username/password for the database.

[MasterM]

it probably was wordpress which was exploited, last version had vulnerabilities

[V_RocKs]

Usually it is a forum or a support form coded in 1998.

[directfiesta]

Quote:

Originally Posted by V_RocKs

Usually it is a forum or a support form coded in 1998.

or a pirated " nulled " script or addon in which the exploit was integrated and became active at the install .

As U-Bob stated, once a box is compromised , it is better to reinstall OS.
Accounts could always be moved to another box, but must be clean of the shell script.

[MrGusMuller]

Quote:

Originally Posted by directfiesta

or a pirated " nulled " script or addon in which the exploit was integrated and became active at the install .

As U-Bob stated, once a box is compromised , it is better to reinstall OS.
Accounts could always be moved to another box, but must be clean of the shell script.

The wp-config.php that I have read had STRANGE embebed code!
I'v warned webair guys 'cause no one from HYPE has said anything to me.
Are they on vacations?

Quote:

hypedough
Registered User
Last Activity: Today 09:09 AM

[cooldude7]

Quote:

Originally Posted by MasterM

it probably was wordpress which was exploited, last version had vulnerabilities

damn gotta update all wordpress blogs.