| Friday December 19th 2014


Today’s Script kiddies have awesome tools


[Screenshot: c99madshell]

Interesting writeup from an admin who found an exploit installed in a WordPress blog installation. I have found these before, but beware: a lot of experienced crackers will upload this kind of stuff into an install folder of phpMyAdmin or WordPress so that you become convinced the culprit of your attack was a flaw in the popular software when, in reality, your server has more serious issues.

Today I spent many hours grepping logs, checking the file system for new/changed files to figure out how an old WordPress instance was hacked and what the hacker had done there.

Going through the changed files I stumbled upon a php file which had some code prepended. The script had a very long line that started like this:

eval(gzinflate(base64_decode('FJ3HcqPsFkUf…

Let’s see the functionality that it has to offer:

  • Full blown file manager
  • Quick menu for
    • Finding all suid files
    • Finding all sgid files
    • Finding all .htaccess files
    • Finding all writeable folders
  • Interface for the UNIX tool find
  • Input field for executing commands as webserver user
  • Tools for installing a backdoor
    • Perl/C flavored programs that are downloaded from a Singapore server
    • Compiled/Interpreted – depending what is available
  • Processes viewer
  • FTP brute force cracker using users from /etc/passwd
  • System info (CPU, Memory, installed binaries, passwd file, configuration files)
  • SQL dump utility
  • Interface for executing PHP code
  • Self removal
  • Adding a password for the script
  • Fancy design!

I’m just amazed. This is way too easy. So this is how it works:

  • Let’s scan the internet for WordPress installations (automated)
  • Look for vulnerable versions (automated)
  • Exploit (in this case themes were filled with hidden links – semi automated)
  • PROFIT! (automated)

Ohh and here’s the code for c99madshell. It is untested by us and may have its own exploits. Use at your own risk.

Read the full article…
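
One way to hunt for the prepended eval(gzinflate(base64_decode( line described in the writeup, as an added example (not code from the original post or the quoted admin): it walks a web root, flags PHP files that contain that decoder chain or an unusually long line, and runs against a constructed sample tree. The 1000-byte threshold, the function names and the sample paths are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Decoder chain quoted in the writeup: eval(gzinflate(base64_decode('...
CHAIN = re.compile(rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I)
LONG_LINE = 1000  # assumed threshold in bytes; tune for your code base

def scan_file(path):
    """Return (line_number, line_length, reason) for each suspicious line."""
    findings = []
    with open(path, "rb") as fh:
        for lineno, line in enumerate(fh, 1):
            if CHAIN.search(line):
                reason = "decoder chain"
                if lineno == 1:
                    reason += ", prepended on first line"
                findings.append((lineno, len(line), reason))
            elif len(line) > LONG_LINE:
                findings.append((lineno, len(line), "very long line"))
    return findings

def scan_tree(root):
    """Map each flagged *.php file (path relative to root) to its findings."""
    flagged = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_file(path)
        if hits:
            flagged[path.relative_to(root).as_posix()] = hits
    return flagged

def build_sample_tree(root):
    """Constructed sample data: one clean theme file, one with an inert stub."""
    theme = Path(root) / "wp-content" / "themes" / "sample"
    theme.mkdir(parents=True)
    clean = b"<?php\nget_header();\n?>\n"
    # Inert placeholder payload ('A' * 2000), not a real shell.
    stub = b"<?php eval(gzinflate(base64_decode('" + b"A" * 2000 + b"'))); ?>"
    (theme / "index.php").write_bytes(clean)
    (theme / "footer.php").write_bytes(stub + clean)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name, hits in scan_tree(tmp).items():
            for lineno, length, reason in hits:
                print(f"{name}:{lineno}: {reason} ({length} bytes)")
```

A hit tells you which files to compare against a known-good copy of the same WordPress or theme version; it does not tell you how the file got there.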


Reader Feedback

One Response to “Today’s Script kiddies have awesome tools”

  1. Paul says:

    it’s the small things in life.
