r57Shell

  • MrGusMuller
    Confirmed User
    • Oct 2010
    • 1262

    #1

    r57Shell

    Hi u all!

    I'm having this issue with a program's URL.
    When I try to access a promo tool, the link leads me to a URL that gives me access to an admin page, 'r57Shell'.
    This is a little weird!
    I get this URL from their NATS program. Anyone trying to access that tool will also see it and may try to cause some trouble, I guess...




    I haven't received any email confirming my subscription to their NATS system.
    I have sent a support ticket warning them.


    Best regards
    Last edited by MrGusMuller; 12-31-2010, 03:30 AM.
    StagCMS - Adult CMS - user friendly adult content management system - speed up your websites with no SQL connections
    ICQ: 63*23*43*113

  • HomerSimpson
    Too lazy to set a custom title
    • Sep 2005
    • 13826

    #2
    webair.com....
    why am I not surprised...
    Make a bank with Chaturbate - the best selling webcam program
    Ads that can't be block with AdBlockers !!! /// Best paying popup program (Bitcoin payouts) !!!

    PHP, MySql, Smarty, CodeIgniter, Laravel, WordPress, NATS... fixing stuff, server migrations & optimizations... My ICQ: 27429884 | Email:


    • directfiesta
      Too lazy to set a custom title
      • Oct 2002
      • 30135

      #3
      That shell script gives root access to your server:

      http://www.nullamatix.com/find-r57-a...and-txt-files/

      Do a rootkit scan and address this urgently
      I know that Asspimple is stoopid ... As he says, it is a FACT !

      But I can't figure out how he can breathe or type , at the same time ....


      • u-Bob
        there's no $$$ in porn
        • Jul 2005
        • 33063

        #4
        I guess someone needs to reinstall his server....


        • MrGusMuller
          Confirmed User
          • Oct 2010
          • 1262

          #5
          I have sent a support mail ...
          i will try to talk with the owner here...


          • MMarko
            Confirmed User
            • Jun 2007
            • 160

            #6
            Originally posted by directfiesta
            That shell script gives root access to your server:

            http://www.nullamatix.com/find-r57-a...and-txt-files/

            Do a rootkit scan and address this urgently
            Well this isn't true actually... the script is basically an interface for different Linux commands and utilities, and once uploaded you need to exploit something else so you can escalate your privileges and run the shell script as root... so the script alone doesn't mean the server was rooted, only that you have a vulnerable script which allows unauthorized uploads or remote PHP includes.
            dlXer - web design, developing, managed hosting, website optimizations


            • ladida
              Confirmed User
              • Nov 2005
              • 2179

              #7
              Originally posted by MMarko
              Well this isn't true actually... the script is basically an interface for different Linux commands and utilities, and once uploaded you need to exploit something else so you can escalate your privileges and run the shell script as root... so the script alone doesn't mean the server was rooted, only that you have a vulnerable script which allows unauthorized uploads or remote PHP includes.
              Truth, except for the vulnerability.
              agentGFY *at* gmail.com


              • v0id
                Confirmed User
                • Sep 2006
                • 43

                #8
                looks like that NATS install is on a virtual plan?


                • MasterM
                  Confirmed User
                  • Oct 2002
                  • 248

                  #9
                  check your installed scripts for exploits and updates asap.
                  but probably there are more scripts like that on your server or their server

                  if it's a dedicated and you are the owner,
                  turn on safe mode... or turn it on temp. before they get deeper
                  Last edited by MasterM; 01-01-2011, 04:40 AM. Reason: added some


                  • MrGusMuller
                    Confirmed User
                    • Oct 2010
                    • 1262

                    #10
                    It's not mine.
                    I'm just an affiliate.
                    I've sent an email to the program's support, added the owner on ICQ and I have sent a message to him here on GFY...
                    can't get in contact with him.

                    How does NATS handle passwords? I guess they are saved in a database and not encoded by MD5 or something :S
                    Last edited by MrGusMuller; 01-01-2011, 12:37 PM.


                    • u-Bob
                      there's no $$$ in porn
                      • Jul 2005
                      • 33063

                      #11
                      The attacker was able to install that r57shell script. That does tell you one thing: the server has been compromised. It doesn't tell you how they got in, what they did or what level of access they eventually acquired.

                      Once you've determined that the server has been compromised, there is one thing you absolutely need to do: wipe and reinstall the server.

                      While going through your logs, scanning for rootkits, auditing your scripts etc is recommended to find out more information about how they got in. Information you can use to prevent future compromises, but it does not change the fact that the server needs to be reinstalled.

                      A system that has been compromised is a system that can no longer be trusted.


                      • MrGusMuller
                        Confirmed User
                        • Oct 2010
                        • 1262

                        #12
                        The server is not mine.
                        I'm just a lousy webmaster who registered on the server owner's NATS program, and the RSS links send me to the r57shell script...

                        I'm afraid that my password may have been stolen..
                        Last edited by MrGusMuller; 01-01-2011, 12:58 PM.


                        • MasterM
                          Confirmed User
                          • Oct 2002
                          • 248

                          #13
                          once you've got a c99 or r57 shell on the box, you can get all data, logs, databases etc., everything on that box


                          • cooldude7
                            Confirmed User
                            • Nov 2009
                            • 4306

                            #14
                            u r screwed


                            • MrGusMuller
                              Confirmed User
                              • Oct 2010
                              • 1262

                              #15
                              I'm going to warn that webair guy that uses GFY!...


                              • MrGusMuller
                                Confirmed User
                                • Oct 2010
                                • 1262

                                #16
                                Originally posted by cooldude7
                                u r screwed
                                me and all the other program's affiliates.


                                • webair
                                  Confirmed User
                                  • Feb 2002
                                  • 8531

                                  #17
                                  Originally posted by HomerSimpson
                                  webair.com....
                                  why am I not surprised...
                                  dick =)
                                  ------------------------


                                  Looks like they got in via a vulnerable script.
                                  Thanks for the report MrGusMuller and for contacting me. I got my guys on it now.
                                  Last edited by webair; 01-01-2011, 02:51 PM.


                                  ~ Webair Dedicated Cloud Servers™ ~ WEBAIR VSYS™ Virtual Hosting Platform ~ Superior CDN Network ~
                                  ~ Managed Dedicated Hosting Specialists ~ DISCOUNT DOMAIN NAMES! ~ WEBAIR FUSION IO MANAGED CLOUD SERVERS! ~


                                  ICQ: 243116321 - TWITTER - @WEBAIRINC - E-Mail: [email protected]


                                  • MrGusMuller
                                    Confirmed User
                                    • Oct 2010
                                    • 1262

                                    #18
                                    I have warned Webair, and a few minutes later the problem was corrected.



                                    Now, to anyone who might be interested, the affiliate program was HYPEDOUGH.COM.
                                    I was able to read the wp-config.php and see the username/password for the database.



                                    • MasterM
                                      Confirmed User
                                      • Oct 2002
                                      • 248

                                      #19
                                      it probably was WordPress which was exploited; the last version had vulnerabilities


                                      • V_RocKs
                                        Damn Right I Kiss Ass!
                                        • Nov 2003
                                        • 32449

                                        #20
                                        Usually it is a forum or a support form coded in 1998.


                                        • directfiesta
                                          Too lazy to set a custom title
                                          • Oct 2002
                                          • 30135

                                          #21
                                          Originally posted by V_RocKs
                                          Usually it is a forum or a support form coded in 1998.
                                          or a pirated "nulled" script or addon in which the exploit was integrated and became active at the install.

                                          As U-Bob stated, once a box is compromised, it is better to reinstall the OS.
                                          Accounts could always be moved to another box, but must be clean of the shell script.


                                          • MrGusMuller
                                            Confirmed User
                                            • Oct 2010
                                            • 1262

                                            #22
                                            Originally posted by directfiesta
                                            or a pirated "nulled" script or addon in which the exploit was integrated and became active at the install.

                                            As U-Bob stated, once a box is compromised, it is better to reinstall the OS.
                                            Accounts could always be moved to another box, but must be clean of the shell script.

                                            The wp-config.php that I have read had STRANGE embedded code!
                                            I've warned the Webair guys 'cause no one from HYPE has said anything to me.
                                            Are they on vacation?


                                            hypedough
                                            Registered User
                                            Last Activity: Today 09:09 AM

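As an added example (not code from the thread or from any of the posters), here is a small Python triage scanner for the two situations MMarko (#6) and MrGusMuller (#22) describe: a dropped r57/c99 command shell somewhere in the web root, and "strange embedded code" injected into a configuration file such as wp-config.php. The indicator patterns, the file names in CONFIG_NAMES, the suffix list and the sample files it writes are all constructed for this example and are assumptions, not anything taken from the thread or from NATS, WordPress or Webair.

```python
from __future__ import annotations

import os
import re
import tempfile

# Indicator patterns, grouped by what they suggest. Constructed for this
# example; tune them for your own environment and expect some false positives.
INDICATORS = {
    # Banner strings the r57/c99 families leave in their source
    "known-shell-marker": re.compile(r"\b(r57shell|c99shell|c99sh)\b", re.I),
    # Functions that hand a string to the operating system (the "interface for
    # different Linux commands" MMarko describes)
    "exec-primitive": re.compile(r"\b(shell_exec|passthru|proc_open|popen|system|exec)\s*\(", re.I),
    # eval()/assert() wrapped around a decoder: the classic injected-code shape
    "obfuscated-eval": re.compile(
        r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I
    ),
    # include/require fed straight from request data (remote PHP include)
    "remote-include": re.compile(r"\b(include|require)(_once)?\s*\(?\s*\$_(GET|POST|REQUEST)\b", re.I),
}

# Configuration files should only assign values; any eval or decoder in them is suspect.
CONFIG_NAMES = {"wp-config.php", "config.php", "configuration.php", "settings.php"}
CONFIG_CODE = re.compile(r"\b(eval|base64_decode|gzinflate)\s*\(", re.I)

# .txt is included because the article linked in #3 mentions shells stored as .txt files
SCAN_SUFFIXES = (".php", ".phtml", ".php5", ".inc", ".txt")


def scan_source(text: str, filename: str) -> list[str]:
    """Return the names of the indicators that match this file's contents."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if os.path.basename(filename) in CONFIG_NAMES and CONFIG_CODE.search(text):
        hits.append("code-in-config")
    return hits


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a web root and map each suspicious file (path relative to root) to its hits."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_source(fh.read(), fn)
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


# Constructed sample web root: one clean page, one config with an injected
# line, one shell dropped as a .txt file and one theme file with a request-
# driven include. These are illustrative stubs, not real malware.
SAMPLE_FILES = {
    "index.php": "<?php echo 'hello'; ?>\n",
    "wp-config.php": (
        "<?php\ndefine('DB_NAME', 'example_db');\ndefine('DB_PASSWORD', 'PLACEHOLDER');\n"
        "eval(base64_decode('ZWNobyAxOw=='));  /* injected line; decodes to: echo 1; */\n"
    ),
    "uploads/photo.txt": "<?php /* r57shell v1.x */ echo shell_exec('uptime'); ?>\n",
    "wp-content/themes/x/footer.php": "<?php include($_GET['page']); ?>\n",
}


def build_sample_root() -> str:
    """Write the constructed samples into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel_path, hits in sorted(scan_tree(build_sample_root()).items()):
        print(f"{rel_path}: {', '.join(hits)}")
```

Run it as-is to scan the constructed sample root, or call `scan_tree("/path/to/htdocs")` against a real document root. Treat hits as input for the log review and script audit MasterM and u-Bob recommend, not as a verdict: a file with no hits may still be backdoored, and, as u-Bob says in #11, once a shell has been confirmed the box is reinstalled regardless, and anything readable from it (such as the database username/password in wp-config.php) is assumed exposed.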

                                            • cooldude7
                                              Confirmed User
                                              • Nov 2009
                                              • 4306

                                              #23
                                              Originally posted by MasterM
                                              it probably was wordpress which was exploited, last version had vulnerabilities
                                              damn, gotta update all WordPress blogs.
