A hacker came by with c99madshell v. 2.0 madnet edition

*Update: Okay, I reckon I located the probable entry point: the WP-Forum plugin, which I have read has had some security issues lately. It has now been removed from this site.*

Alright, not really what I wanted to happen on a Monday evening.

I came home, and just before I started to make dinner, I went to check my mail, in here was a mail from an advertiser that an ad was not showing, and naturally I went to the site to check.

Lo and behold, my site was hacked, and the hacker installed the c99madshell v. 2.0 on my domain.

Searching for information I found only vague hints, and never really found out how the €#”%”€# hacker came in.

I started by updating my WordPress installation to the latest version, and then went hunting. I found the script in my themes folder, where it had replaced one of the .php files.

The only information I found that gave any clue to where to look was here: http://www.devside.net/blog/smf-exploit-like-phpbb-hack

I have included the screenshot below, which is from the same blog entry (credit where credit is due), since I focused on removing the hack instead of documenting it. I hope the owner does not take offence.

[Screenshot: c99sh_1_2.jpg]

Removing it was simple once I knew where to look, but I had to have an honest look around to find where it was hidden.

So, what did I learn from this? To back up, back up often, and to always keep my WordPress installations updated.

Have you had a visit?


{ 4 comments }

me too 27/02/2008 at 15:55

I have. I found a pointer.php in a folder that didn’t have one before. The contents were wrapped up like described at http://danilo.ariadoss.com/2006/01/04/decoding-eval-gzinflate-base64_decode/

With decoding it I found a reference to c99madshell inside and have found a couple references on the web to c99 shell.

The person that placed it here seemed to be in my WordPress installation, even though I can’t say for sure yet how they got the shell on my host in the first place.

admin 06/03/2008 at 12:00

hi “me too” :-)

Thanks for the link, I am gonna try to decode the code and have a look.

I have no idea how they got access to my host either, but I suspect a WordPress conundrum that has not been fixed yet.

jd 19/10/2008 at 16:49

I just found c99madshell on one of my sites on a shared server. In addition I found installed.php files on a couple of other domains on the same server. I’ve removed the files but need to determine how this happened.

What else should I be looking for? Please help!

Denny 17/11/2008 at 02:26

I also found a gzipped version of C99madShell v. 2.0 madnet edition on one of my servers. It appears the only purpose served was to drop tons of spam links in the footer of one of my Wordpress installations.

Does anyone have any more information on this? How to prevent it, repair it, log it, remove it… ???
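As an added example (not code from the original post or from any of the commenters), here is a small Python triage script for the situation described in the post and in the comments above: it statically peels the eval(gzinflate(base64_decode(...))) wrapper that the linked decoding article describes, without executing any PHP, and then flags theme or plugin files that contain the c99madshell banner strings or the wrapper itself. The directory layout, file names, indicator list and the constructed sample file are assumptions for the demo.

```python
"""Static triage for eval(gzinflate(base64_decode(...)))-wrapped PHP files.

Added example, not code from the original post. Nothing here executes PHP:
each obfuscation layer is undone with base64 + raw DEFLATE decoding only.
"""
import base64
import re
import zlib
from pathlib import Path
from typing import List, Optional, Tuple

# The classic one-line wrapper; whitespace and either quote style are tolerated.
WRAPPER_RE = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*\)",
    re.IGNORECASE,
)

# Strings worth flagging inside a WordPress theme or plugin directory (assumed list).
INDICATORS = (
    "c99madshell",
    "madnet edition",
    "gzinflate(base64_decode",
    "passthru(",
    "shell_exec(",
)


def gzinflate(data: bytes) -> bytes:
    """PHP's gzinflate() is raw DEFLATE with no zlib/gzip header (wbits = -15)."""
    return zlib.decompress(data, -zlib.MAX_WBITS)


def unwrap_layers(source: str, max_layers: int = 20) -> Tuple[str, int]:
    """Peel nested eval(gzinflate(base64_decode('...'))) layers statically.

    Returns (innermost source, number of layers removed). The max_layers cap
    keeps a malformed or hostile file from looping forever.
    """
    layers = 0
    while layers < max_layers:
        match = WRAPPER_RE.search(source)
        if match is None:
            break
        payload = re.sub(r"\s+", "", match.group(1))
        try:
            source = gzinflate(base64.b64decode(payload, validate=True)).decode("utf-8", "replace")
        except (ValueError, zlib.error):
            break  # not a valid layer; keep what we have so far
        layers += 1
    return source, layers


def find_indicators(source: str) -> List[str]:
    """Case-insensitive substring search for the INDICATORS strings."""
    lowered = source.lower()
    return [needle for needle in INDICATORS if needle.lower() in lowered]


def scan_source(name: str, raw: str) -> Optional[dict]:
    """Triage one file's contents; None means nothing suspicious was seen."""
    inner, layers = unwrap_layers(raw)
    hits = sorted(set(find_indicators(raw) + find_indicators(inner)))
    if layers == 0 and not hits:
        return None
    return {"path": name, "layers": layers, "indicators": hits}


def scan_tree(root: Path) -> List[dict]:
    """Walk a directory such as wp-content/themes and collect findings for *.php files."""
    findings = []
    for php in sorted(root.rglob("*.php")):
        finding = scan_source(str(php), php.read_text(encoding="utf-8", errors="replace"))
        if finding is not None:
            findings.append(finding)
    return findings


# --- constructed sample, present only so the demo runs offline -------------

def _raw_deflate(data: bytes) -> bytes:
    """Counterpart of PHP's gzdeflate(): a raw DEFLATE stream."""
    comp = zlib.compressobj(level=9, wbits=-zlib.MAX_WBITS)
    return comp.compress(data) + comp.flush()


def build_sample(depth: int = 2) -> str:
    """Wrap a harmless constructed PHP file in `depth` wrapper layers."""
    source = '<?php /* constructed sample */ echo "!c99madshell v. 2.0 madnet edition!"; ?>'
    for _ in range(depth):
        blob = base64.b64encode(_raw_deflate(source.encode())).decode("ascii")
        source = f"<?php eval(gzinflate(base64_decode('{blob}'))); ?>"
    return source


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:  # assumed layout for the demo
        theme = Path(tmp) / "wp-content" / "themes" / "default"
        theme.mkdir(parents=True)
        (theme / "footer.php").write_text(build_sample())           # constructed "replaced" file
        (theme / "header.php").write_text("<?php echo 'ok'; ?>")   # clean file
        for finding in scan_tree(Path(tmp)):
            print(finding)
```

Run it against a copy of wp-content (themes and plugins) rather than the live tree, and treat any finding with layers greater than zero as something to read by hand. A diff against a clean copy of the same theme version from the vendor is the quickest way to tell a replaced file from a legitimate one, and the file's modification time narrows down when it happened.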

