Comments on: A hacker came by with c99madshell v. 2.0 madnet edition

By: Denny

Denny — Mon, 17 Nov 2008 02:26:39 +0000

I also found a gzipped version of C99madShell v. 2.0 madnet edition on one of my servers. It appears the only purpose served was to drop tons of spam links in the footer of one of my Wordpress installations.

Does anyone have any more information on this? How to prevent it, repair it, log it, remove it… ???

By: jd

jd — Sun, 19 Oct 2008 16:49:31 +0000

I just found c99madshell on one of my sites on a shared server. In addition I found installed.php files a couple other domains on the same server. I’ve removed the files but need to determine how this happened.

What else should I be looking for? Please help!

By: admin

admin — Thu, 06 Mar 2008 12:00:00 +0000

hi “me too”

Thanks for the link, I am gonna try to decode the code and have a look.

I have no thought either how they got access to my host either, but I suspect a Wordpress conundrum that has not been fixed yet.

By: me too

me too — Wed, 27 Feb 2008 15:55:44 +0000

I have. I found an pointer.php in a folder that didn’t have one before. The contents were wrapped up like described at http://danilo.ariadoss.com/2006/01/04/decoding-eval-gzinflate-base64_decode/

With decoding it I found a reference to c99madshell inside and have found a couple references on the web to c99 shell.

The person that place it here seemed to be with my Wordpress installation even though I can’t say for sure yet how they got the shell on my host in the first place.