#1
Topsites hacked with c99shell
Some Turkish hackers were targeting my Aardvark topsites & managed to install c99shell onto the account that hosts the topsites script, so I want to know what steps I should take to make sure the hacker has left no backdoor to get back in again & want to know what information he could have got.
The account he hacked has a main site, topsites, poll, guestbook & forum but is also on the same server with some of my other sites. What I did was check file dates for recently changed or uploaded files on the account that was hacked (there were none). I deleted the topsites script & upgraded to the latest version. What other steps would I need to take or should take to make things safe?
__________________
Myspace scripts | Webmaster Scripts and Content! A fool and water will go the way they are diverted.
#2
Probably your permissions are set 777. Make them non-writable. And also, set safe mode on.
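An added example, not part of the original posts: the file-date check from the first post extended to inode change time, plus a listing of PHP files in world-writable ("777") directories. A modification date can be backdated, so the sketch compares mtime with ctime; the 7-day default and the extension list are assumptions.

```bash
#!/bin/sh
# Added example, not from the thread. Extension list and day window are assumptions.

# PHP-type files under DIR, optionally narrowed by extra find(1) tests.
php_files() {  # usage: php_files DIR [find tests...]
    dir=$1; shift
    find "$dir" -type f \( -name '*.php' -o -name '*.phtml' \) "$@" | sort
}

# mtime is the "file date" shown by FTP clients and file managers.
recent_by_mtime() { php_files "$1" -mtime "-$2"; }   # usage: DIR DAYS

# ctime is the inode change time. touch(1) and PHP's touch() can backdate
# mtime, but doing so sets ctime to the moment of the change.
recent_by_ctime() { php_files "$1" -ctime "-$2"; }   # usage: DIR DAYS

# Files that look old by mtime although their inode changed recently:
# backdated, re-permissioned or renamed files, worth opening first.
backdated_candidates() {  # usage: backdated_candidates DIR DAYS
    recent_by_ctime "$1" "$2" | while IFS= read -r f; do
        if [ -z "$(find "$f" -mtime "-$2")" ]; then printf '%s\n' "$f"; fi
    done
}

# PHP-type files sitting directly in world-writable directories, where any
# local account, including the one the web server runs PHP as, can create
# or replace them.
php_in_writable_dirs() {  # usage: php_in_writable_dirs DIR
    find "$1" -type d -perm -0002 | while IFS= read -r d; do
        find "$d" -maxdepth 1 -type f \( -name '*.php' -o -name '*.phtml' \)
    done | sort
}

# Run as: sh triage.sh /path/to/webroot [days]
if [ $# -ge 1 ]; then
    echo "== old mtime, recent ctime =="
    backdated_candidates "$1" "${2:-7}"
    echo "== PHP in world-writable directories =="
    php_in_writable_dirs "$1"
fi
```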
#3
About a year ago I repeatedly had the same problem of hacker intrusion - now all solved.
If you give the URL and a list of scripts you use online as well as the OS, then maybe I can help more precisely. However, be warned that securing your site requires understanding your site with all scripts - I have spent some 300 hrs total to do just that - then I secured and solved all the problems ... successfully so far until these days. In my case it was a faulty script of a commercial forum software - a bug that was known to the coders but unresolved by them until now - hence almost all those forums get/got hacked until now to upload files for phishing sites. If I look at the frequent hacker attempts on my site and look at what kind of software they search for - that gives a pretty complete picture of the potential scripts they use to enter a site - I safely assume that hackers only search for scripts known to them to have a security hole to penetrate a site.
#4
Had a problem like that myself before... absolutely annoying.
#5
I will recommend a fresh install of your hosting account, as the hacker could have written malicious code in some other script also, so he can regain access to your website if he wants to. Usually this code accepts remote files, so you may need to check those too. In case you don't want to remove all the scripts, you may need to have a security audit for your website. You may like to check this:
http://forums.digitalpoint.com/showthread.php?t=278457
#6
Quote:
#7
c99shell. How lovely. I remember back in the day (last summer) when I used c99shell to access people's sites and information and also get web space that wasn't mine LOL.
#8
Hi,
The problem can be either because they got a way to upload files to your web server (.php files with execute privileges) or a bad include (remote file inclusion vulnerability). I would recommend that you do a check with aports to also monitor executable files opening ports for a shell, other than malicious scripts being hijacked (check the forms' action field or anomalous JavaScript).
__________________
Secure your website - Blog
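A review aid for the "bad include" case raised above, as an added example that is not from the thread: it lists include/require statements whose target comes straight from request data, and separately every statement with a variable target for manual review. The regular expressions are a heuristic of this example and miss statements split across lines.

```bash
#!/bin/sh
# Added example, not from the thread: find include/require statements in PHP
# source whose target is not a plain string literal. Heuristic, line-based.

# include / require / include_once / require_once as a whole word, followed
# by whitespace or an opening parenthesis.
KW='(^|[^A-Za-z0-9_])(include|require)(_once)?[[:space:](]'

# Target built directly from request data. With allow_url_fopen (and, from
# PHP 5.2, allow_url_include) enabled such a statement can load code from a
# URL; with both off it can still pull in arbitrary local files.
request_includes() {  # usage: request_includes DIR
    grep -rnE --include='*.php' \
        "$KW"'[^;]*\$_(GET|POST|REQUEST|COOKIE)' "$1" | sort
}

# Target containing any variable. Not every hit is a flaw: trace each
# variable back and confirm it can never be filled from a request (directly,
# or through register_globals on old PHP configurations).
dynamic_includes() {  # usage: dynamic_includes DIR
    grep -rnE --include='*.php' "$KW"'[^;]*\$[A-Za-z_]' "$1" | sort
}

# Run as: sh includes.sh /path/to/webroot
if [ $# -ge 1 ]; then
    echo "== include target taken from request data =="
    request_includes "$1"
    echo "== include target contains a variable (review) =="
    dynamic_includes "$1"
fi
```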
#9
Some software scripts require permission 777 to run. If that is the case, how do we protect it?
#10
If you trust your script then you don't have to set perms 777. But be sure you set safe mode on.
__________________
Make Money Blogging You can easily add an additional income stream of $200 per day. Don't you believe? Check out proof here http://forums.digitalpoint.com/showthread.php?t=1164345
#11
Sorry. I think you got it wrong. What I am saying is that the script needs perms 777 to run. Without 777, it will give an error. For this situation, what can we do to protect that folder from being exploited?
#12
Sorry, I wrote it wrong. I was trying to say:
If you trust your script then you don't have to set perms not 777. But be sure you set safe mode on.
#13
Quote:
PHP is good for reaching over the wall of an .htaccess for storing, or reading data.
Zap
P.S. My GPL/Freeware script ZB Block MAY help avoid injection of c99shell into your website. Get it at www DOT spambotsecurity DOT com SLASH zbblock DOT php
Last edited by zaphodb777; May 18th 2009 at 1:10 pm. Reason: Added post-script about ZB Block
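One way to set up the .htaccess "wall" described above around a directory that has to stay 777, as an added example that is not code from the thread. It assumes Apache honours .htaccess access rules (AllowOverride), that nothing in the directory is fetched directly by browsers, and that PHP runs as a different user than the file owner; the function name is hypothetical.

```bash
#!/bin/sh
# Added example, not from the thread. Assumes Apache with .htaccess overrides
# enabled; wall_off_dir is a hypothetical helper name.

# Put a deny-all .htaccess into a data directory that must stay writable.
# Browsers can then request nothing stored there (an uploaded .php included),
# while the site's own PHP code still reads and writes the files through the
# filesystem. An existing .htaccess is never overwritten.
wall_off_dir() {  # usage: wall_off_dir DIR
    if [ ! -d "$1" ]; then echo "not a directory: $1" >&2; return 2; fi
    if [ -e "$1/.htaccess" ]; then
        echo "left alone, already present: $1/.htaccess" >&2; return 1
    fi
    cat > "$1/.htaccess" <<'EOF'
# Apache 2.4
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
# Apache 2.2
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>
EOF
    # Rules file: writable by its owner only.
    chmod 644 "$1/.htaccess"
    # Sticky bit: in a world-writable directory only a file's owner (or the
    # directory's owner) may delete or rename it, so the web server account
    # cannot swap the rules file for its own.
    chmod +t "$1"
}

# Run as: sh wall.sh /path/to/webroot/data
if [ $# -ge 1 ]; then wall_off_dir "$1"; fi
```

If PHP runs as the account owner (suPHP or similar), the directory does not need to be 777 in the first place and the sticky bit gives no protection against a web shell.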
#14
As well as using .htaccess, make sure your admin directory is protected with .htpasswd. Also make sure you scan your files with ClamAV or other AV.