I Got Shell in Admincp !!

  • [Forum] I Got Shell in Admincp !!

    I use vb 4.1.4 and I have been surviving with a shell for 2 months. The shell destination is domain/admincp/subscriptions.php. It is named ''!C99madShell v. 2.0 madnet edition!'' but my site has no damage for now, I just saw it when in admincp. My site's version was 4.1.2 when I first saw this, but although I upgraded to 4.1.4 it still remains.

    I don't think this is because of my host, because I tested it. So what is the solution for this problem? How can I get rid of this?

  • #2
    Look in your Plugin Manager here:

    AdminCP > Plugins & Products > Plugin Manager

    If there's a plugin called 'vBulletin', check it and it may have reference to subscriptions.php in it. If it does, delete it as it's not a default plugin.



    • #3
      Thanks!

      No problem :=)



      • #4
        Ok, I know this is an old thread, but I just got hit with exactly the same thing. I first noticed there was a problem a week ago when all of a sudden, members started getting re-directed to some "link bucks" page when they would click on the "forums" button. Instead of going to the forum index page, they would get re-directed. At first it looked like someone simply replaced the "forum.php" file with a file that just did a re-direct. So, I replaced the bad file with my original (re-uploaded a good forum.php). I also found a file called w.php in my forum install directory which appeared to be malicious, so I also removed that. That "seemed" to fix it and I thought all was right with the world. However, this morning the exact same thing was happening, so I contacted my server manager (I lease my own server but use Platinum Server Management) and asked them to see if they could tell what is/was going on. They installed and are running "ClamAV", but in the meantime I started searching around my logs and found a certain IP (actually 2 IPs - one from Iraq and one from Jordan) who were hitting /admincp/subscription.php. "That's odd," I thought. So I directed my browser to the /admincp/subscriptions.php file and to my surprise, I was taken to a shell that gave me (and them) access to pretty much everything on my website. The shell was called, as in the original post in this thread, "!C99madShell". So, upon finding THIS thread, I also found the errant vBulletin plugin, which appeared to have this in the header:

        if (strpos($_SERVER['PHP_SELF'],"subscriptions.php"))

        This was followed by a bunch of gibberish characters. I deleted that plugin and now my Subscriptions seem to be in working order again.

        My question is HOW did they manage to install this plugin / shell, and what can I (we) do to plug whatever hole there obviously is? Also, I'd appreciate any suggestions on what else I should do to see what damage has been done.

        Basil

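A triage pass over plugin code, as an added example that is not from the thread or from vBulletin itself: it takes rows shaped like an export of the vBulletin `plugin` table (pluginid, title, hookname, phpcode) and flags the PHP_SELF gate quoted above together with the decode/eval wrappers that usually follow such a gate. The sample rows, the hook names and the base64 filler are constructed.

```python
import re

# Indicators worth flagging in plugin PHP code. The PHP_SELF gate is the
# pattern quoted in post #4; the rest are common wrappers used to hide a
# payload inside an otherwise ordinary-looking plugin hook.
SUSPICIOUS = {
    "self_path_gate": re.compile(r"strpos\(\s*\$_SERVER\[['\"]PHP_SELF['\"]\]"),
    "eval": re.compile(r"\beval\s*\("),
    "decode_wrapper": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "long_blob": re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]"),
    "shell_banner": re.compile(r"c99|madshell", re.IGNORECASE),
}

def scan_plugin(row):
    """Return the indicator names matching one plugin row (empty if clean)."""
    hits = [name for name, rx in SUSPICIOUS.items() if rx.search(row["phpcode"])]
    # No stock plugin is simply titled 'vBulletin'; the rogue one in this
    # thread used that title to blend in with the product name.
    if row["title"].strip().lower() == "vbulletin":
        hits.append("generic_title")
    # Checking which admin script is running, then decoding or evaluating a
    # blob, is the exact shape described in post #4.
    if "self_path_gate" in hits and ("eval" in hits or "decode_wrapper" in hits):
        hits.append("gated_payload")
    return hits

def triage(rows):
    """Map pluginid -> indicators for every row with at least one hit."""
    report = {}
    for row in rows:
        hits = scan_plugin(row)
        if hits:
            report[row["pluginid"]] = hits
    return report

# Constructed sample rows standing in for a plugin-table export; the base64
# blob is filler, not a real payload.
SAMPLE_ROWS = [
    {"pluginid": 1, "title": "Example Hook", "hookname": "global_start",
     "phpcode": "$vbulletin->options['example_flag'] = 1;"},
    {"pluginid": 2, "title": "vBulletin", "hookname": "init_startup",
     "phpcode": 'if (strpos($_SERVER[\'PHP_SELF\'],"subscriptions.php")) '
                'eval(base64_decode("' + "QUFB" * 40 + '"));'},
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_ROWS).items():
        print(f"plugin {pid}: {', '.join(hits)}")
```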


        • #5
          Regarding the recent exploits, I highly suggest you read my recent blog posts on the subject; they should help you clean up and secure your site.



          • #6
            Basil, is the install folder still resident at your forum root? If yes, remove it. All of it....




            • #7
              Originally posted by DemOnstar:
              Basil, is the install folder still resident at your forum root? If yes, remove it. All of it....
              That was the first thing I checked - no it wasn't. Zachery - I have looked at the Blog posts you suggested and will certainly try to take the actions you suggest, but in the meantime, do you (or anyone) have any idea how such an exploit might have been done?




              • #8
                Originally posted by Zachery:
                Regarding the recent exploits, I highly suggest you read my recent blog posts on the subject; they should help you clean up and secure your site.
                I am reading and will attempt the steps you suggest. One question. You say:

                "Whether you’ve just finished installing vBulletin, or if you’ve been running it for forever, you should be restricting access to any potentially sensitive areas. This includes general access to the AdminCP and ModCP folders, as well as your install directory."

                What is the best method to "restrict access?" I need to access my CP from several IP addresses, so I'm not sure restricting by IP is a solution. What would be the methods to implement restricted access to certain folders?



                • #9
                  Originally posted by BasilFawlty:

                  What is the best method to "restrict access?" I need to access my CP from several IP addresses, so I'm not sure restricting by IP is a solution. What would be the methods to implement restricted access to certain folders?
                  In cPanel on the server, there is the option to password protect folders. Not sure really if this is the correct method but I put a password on the 2 folders you mentioned...




                  • #10
                    Stick a password on folders you want to restrict access to. Restricting by IP is safer, though can be more cumbersome if yours changes a lot (or you've got a fair number of people who legitimately have access).

                    You can allow several IPs to access a particular section if you'd like, but I'm not 100% sure how safe that solution might be (the only area on my site that I restrict by IP is phpMyAdmin, and I only have 1 IP in the allow list, my own. If it changes, I just update the .htaccess file).

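The two controls discussed in #9 and #10 can be combined in one .htaccess so that a valid login is required and it only counts from a listed address. This is an added example, not a file from the thread or from vBulletin; it assumes Apache 2.4 `Require` syntax, and the .htpasswd path and the IP addresses are placeholders.

```apache
# Place in admincp/ and again in modcp/. Both a valid password AND a
# listed source address are needed to reach anything in the directory.
AuthType Basic
AuthName "vBulletin AdminCP"
# Placeholder path; keep the password file outside the document root
# so it can never be fetched over HTTP.
AuthUserFile /home/example/.htpasswd
<RequireAll>
    Require valid-user
    # Placeholder addresses; list each admin's address or range,
    # separated by spaces, and update the list when they change.
    Require ip 192.0.2.10 198.51.100.0/24
</RequireAll>
```

Create the password file with `htpasswd -c /home/example/.htpasswd <adminuser>`; the directory must also be covered by `AllowOverride AuthConfig` (or `All`) in the server configuration, otherwise Apache silently ignores the file.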


                    • #11
                      Originally posted by Trevor Hannant:
                      Look in your Plugin Manager here:

                      AdminCP > Plugins & Products > Plugin Manager

                      If there's a plugin called 'vBulletin', check it and it may have reference to subscriptions.php in it. If it does, delete it as it's not a default plugin.
                      Thanks Trevor, it worked at my place.
