r57Shell - GoFuckYourself.com

MrGusMuller · 12-31-2010, 05:27 AM

Hi u all!

I'm having this issue at programs url.
When I try to access to a promo tool, the link leads me to an URL that gives me access to admin page 'r57Shell'.
This is a little weird!
I get this URL from their NATs program. Anyone trying to access that tool will also see it and my try to cause some troubles i guess...

I havent received any email confirming my subscription to their nats system.
I have sent a support ticket warning them.

Best regards

HomerSimpson · 12-31-2010, 06:05 AM

webair.com....
why am I not supprised...

directfiesta · 12-31-2010, 06:30 AM

That shell script gives root acess to your server :

http://www.nullamatix.com/find-r57-a...and-txt-files/

Do a rootkit scan and address this urgently

u-Bob · 12-31-2010, 06:38 AM

I guess someone needs to reinstall his server....

MrGusMuller · 01-01-2011, 01:48 AM

I have sent a support mail ...
i will try to talk with the owner here...

MMarko · 01-01-2011, 03:27 AM

Quote:

Originally Posted by directfiesta

That shell script gives root acess to your server :

http://www.nullamatix.com/find-r57-a...and-txt-files/

Do a rootkit scan and address this urgently

Well this isn't true actually... script is basically interface for different linux commands and utilities, and once uploaded you need to exploit something else so you can escalate your priviledges and ran shell script as root... so script alone doesn't mean server was rooted only that you have vulnerable script which allows unauthroized uploads or remote php including.

ladida · 01-01-2011, 04:19 AM

Quote:

Originally Posted by MMarko

Well this isn't true actually... script is basically interface for different linux commands and utilities, and once uploaded you need to exploit something else so you can escalate your priviledges and ran shell script as root... so script alone doesn't mean server was rooted only that you have vulnerable script which allows unauthroized uploads or remote php including.

Truth, except for the vulnerability.

v0id · 01-01-2011, 05:56 AM

looks like that NATS install is on a virtual plan?

MasterM · 01-01-2011, 06:26 AM

check your installed scripts for exploits and updates asap.
but probably there are more scripts like that on your server or their server

if its a dedicated and you are the owner.
turn on safe mode... or turn it on temp. before the get deeper

MrGusMuller · 01-01-2011, 02:36 PM

Its not mine.
I'm just an affiliated.
I'm sent an email to the programs support, added the owner to ICQ and I have sent a message to him here in GFY...
cant get in contact with him.

How does NATs handels with password? I guess that is saved on a database and not encoded by md5 or something :S

u-Bob · 01-01-2011, 02:40 PM

The attacker was able to install that r57shell script. That does tell you one thing: the server has been compromised. It doesn't tell you how they got in, what they did or what level of access they eventually acquired.

Once you've determined that the server has been compromised, there is one thing you absolutely need to do: wipe and reinstall the server.

While going through your logs, scanning for rootkits, auditing your scripts etc is recommended to find out more information about how they got in. Information you can use to prevent future compromises, but it does not change the fact that the server needs to be reinstalled.

A system that has been compromised is a system that can no longer be trusted.

MrGusMuller · 01-01-2011, 02:55 PM

The server is not mine.
I'm just a lousy webmaster that registered on the server's owner NATs program, and that the RSS links send me to the r57shell script...

i'm afraid that my password may have been stolen..

MasterM · 01-01-2011, 03:46 PM

once you got a c99 or r57 shell on the box , you can get all data , logs , databases etc. everything on that box

cooldude7 · 01-01-2011, 04:25 PM

u r screwed

MrGusMuller · 01-01-2011, 04:27 PM

I'm going to warn that webair guy that uses GFY!...

MrGusMuller · 01-01-2011, 04:28 PM

Quote:

Originally Posted by cooldude7

u r screwed

me and all the other program's affiliates.

webair · 01-01-2011, 04:48 PM

Quote:

Originally Posted by HomerSimpson

webair.com....
why am I not supprised...

dick =)

------------------------

Looks like they got in via a vulnerable script.
Thanks for the report MrGusMuller and for contacting me. I got my guys on it now.

MrGusMuller · 01-01-2011, 05:19 PM

I have warned the webair, and few minutes later the problem was corrected.

Now, to anyone who might me interested, the affiliated program was HYPEDOUGH.COM.
I was able to read the wp-config.php and see the username/password for the database.

MasterM · 01-01-2011, 06:00 PM

it probably was wordpress which was exploited, last version had vulnerabilities

V_RocKs · 01-01-2011, 06:04 PM

Usually it is a forum or a support form coded in 1998.

directfiesta · 01-01-2011, 09:53 PM

Quote:

Originally Posted by V_RocKs

Usually it is a forum or a support form coded in 1998.

or a pirated " nulled " script or addon in which the exploit was integrated and became active at the install .

As U-Bob stated, once a box is compromised , it is better to reinstall OS.
Accounts could always be moved to another box, but must be clean of the shell script.

MrGusMuller · 01-02-2011, 04:45 AM

Quote:

Originally Posted by directfiesta

or a pirated " nulled " script or addon in which the exploit was integrated and became active at the install .

As U-Bob stated, once a box is compromised , it is better to reinstall OS.
Accounts could always be moved to another box, but must be clean of the shell script.

The wp-config.php that I have read had STRANGE embebed code!
I'v warned webair guys 'cause no one from HYPE has said anything to me.
Are they on vacations?

Quote:

hypedough
Registered User
Last Activity: Today 09:09 AM

cooldude7 · 01-02-2011, 08:46 AM

Quote:

Originally Posted by MasterM

it probably was wordpress which was exploited, last version had vulnerabilities

damn gotta update all wordpress blogs.

12-31-2010, 05:27 AM	#1
MrGusMuller Confirmed User Industry Role: Join Date: Oct 2010 Location: Portugal Posts: 1,262	r57Shell Hi u all! I'm having this issue at programs url. When I try to access to a promo tool, the link leads me to an URL that gives me access to admin page 'r57Shell'. This is a little weird! I get this URL from their NATs program. Anyone trying to access that tool will also see it and my try to cause some troubles i guess... I havent received any email confirming my subscription to their nats system. I have sent a support ticket warning them. Best regards __________________ StagCMS - Adult CMS - user friendly adult content management system - speed up your websites with no SQL connections ICQ: 632343113 Last edited by MrGusMuller; 12-31-2010 at 05:30 AM..*

12-31-2010, 06:05 AM	#2
HomerSimpson Too lazy to set a custom title Industry Role: Join Date: Sep 2005 Location: Springfield Posts: 13,826	webair.com.... why am I not supprised... __________________ Make a bank with Chaturbate - the best selling webcam program Ads that can't be block with AdBlockers !!! /// Best paying popup program (Bitcoin payouts) !!! PHP, MySql, Smarty, CodeIgniter, Laravel, WordPress, NATS... fixing stuff, server migrations & optimizations... My ICQ: 27429884 \| Email:

12-31-2010, 06:30 AM	#3
directfiesta Too lazy to set a custom title Industry Role: Join Date: Oct 2002 Location: Montreal, Quebec Posts: 29,764	That shell script gives root acess to your server : http://www.nullamatix.com/find-r57-a...and-txt-files/ Do a rootkit scan and address this urgently __________________ I know that Asspimple is stoopid ... As he says, it is a FACT ! But I can't figure out how he can breathe or type , at the same time ....

01-01-2011, 01:48 AM	#5
MrGusMuller Confirmed User Industry Role: Join Date: Oct 2010 Location: Portugal Posts: 1,262	I have sent a support mail ... i will try to talk with the owner here... __________________ StagCMS - Adult CMS - user friendly adult content management system - speed up your websites with no SQL connections ICQ: 632343*113

01-01-2011, 06:26 AM	#9
MasterM Confirmed User Join Date: Oct 2002 Location: netherlands Posts: 248	check your installed scripts for exploits and updates asap. but probably there are more scripts like that on your server or their server if its a dedicated and you are the owner. turn on safe mode... or turn it on temp. before the get deeper Last edited by MasterM; 01-01-2011 at 06:40 AM.. Reason: added some

12-31-2010, 06:38 AM	#4
u-Bob there's no $$$ in porn Industry Role: Join Date: Jul 2005 Location: icq: 195./568.-230 (btw: not getting offline msgs) Posts: 33,063	I guess someone needs to reinstall his server....

01-01-2011, 05:56 AM	#8
v0id Confirmed User Industry Role: Join Date: Sep 2006 Posts: 43	looks like that NATS install is on a virtual plan?

01-01-2011, 02:36 PM	#10
MrGusMuller Confirmed User Industry Role: Join Date: Oct 2010 Location: Portugal Posts: 1,262	Its not mine. I'm just an affiliated. I'm sent an email to the programs support, added the owner to ICQ and I have sent a message to him here in GFY... cant get in contact with him. How does NATs handels with password? I guess that is saved on a database and not encoded by md5 or something :S __________________ StagCMS - Adult CMS - user friendly adult content management system - speed up your websites with no SQL connections ICQ: 632343113 Last edited by MrGusMuller; 01-01-2011 at 02:37 PM..*

01-01-2011, 02:40 PM	#11
u-Bob there's no $$$ in porn Industry Role: Join Date: Jul 2005 Location: icq: 195./568.-230 (btw: not getting offline msgs) Posts: 33,063	The attacker was able to install that r57shell script. That does tell you one thing: the server has been compromised. It doesn't tell you how they got in, what they did or what level of access they eventually acquired. Once you've determined that the server has been compromised, there is one thing you absolutely need to do: wipe and reinstall the server. While going through your logs, scanning for rootkits, auditing your scripts etc is recommended to find out more information about how they got in. Information you can use to prevent future compromises, but it does not change the fact that the server needs to be reinstalled. A system that has been compromised is a system that can no longer be trusted.

01-01-2011, 02:55 PM	#12
MrGusMuller Confirmed User Industry Role: Join Date: Oct 2010 Location: Portugal Posts: 1,262	The server is not mine. I'm just a lousy webmaster that registered on the server's owner NATs program, and that the RSS links send me to the r57shell script... i'm afraid that my password may have been stolen.. __________________ StagCMS - Adult CMS - user friendly adult content management system - speed up your websites with no SQL connections ICQ: 632343113 Last edited by MrGusMuller; 01-01-2011 at 02:58 PM..*

01-01-2011, 03:46 PM	#13
MasterM Confirmed User Join Date: Oct 2002 Location: netherlands Posts: 248	once you got a c99 or r57 shell on the box , you can get all data , logs , databases etc. everything on that box

01-01-2011, 04:25 PM	#14
cooldude7 Confirmed User Industry Role: Join Date: Nov 2009 Location: Heaven Posts: 4,306	u r screwed

01-01-2011, 04:27 PM	#15
MrGusMuller Confirmed User Industry Role: Join Date: Oct 2010 Location: Portugal Posts: 1,262	I'm going to warn that webair guy that uses GFY!... __________________ StagCMS - Adult CMS - user friendly adult content management system - speed up your websites with no SQL connections ICQ: 632343*113

01-01-2011, 05:19 PM	#18
MrGusMuller Confirmed User Industry Role: Join Date: Oct 2010 Location: Portugal Posts: 1,262	I have warned the webair, and few minutes later the problem was corrected. Now, to anyone who might me interested, the affiliated program was HYPEDOUGH.COM. I was able to read the wp-config.php and see the username/password for the database. __________________ StagCMS - Adult CMS - user friendly adult content management system - speed up your websites with no SQL connections ICQ: 632343*113

01-01-2011, 06:00 PM	#19
MasterM Confirmed User Join Date: Oct 2002 Location: netherlands Posts: 248	it probably was wordpress which was exploited, last version had vulnerabilities

01-01-2011, 06:04 PM	#20
V_RocKs Damn Right I Kiss Ass! Industry Role: Join Date: Dec 2003 Location: Cowtown, USA Posts: 32,422	Usually it is a forum or a support form coded in 1998.