I Got Shell in Admincp !!

  • scw
    New Member
    • Mar 2011
    • 7
    • 4.1.x

    I use vb 4.1.4 and I have been surviving with a shell for 2 months. The shell destination is domain/admincp/subscriptions.php. It is named as ''!C99madShell v. 2.0 madnet edition!'' but my site has no damage for now, I just saw it when in admincp. My site's version was 4.1.2 when I first saw this, but although I upgraded to 4.1.4 it still remains.

    I don't think this is because of my host, because I tested it. So what is the solution for this problem? How can I get rid of this?
  • Trevor Hannant
    vBulletin Support
    • Aug 2002
    • 24325
    • 5.7.X

    #2
    Look in your Plugin Manager here:

    AdminCP > Plugins & Products > Plugin Manager

    If there's a plugin called 'vBulletin', check it and it may have reference to subscriptions.php in it. If it does, delete it as it's not a default plugin.

    • scw
      New Member
      • Mar 2011
      • 7
      • 4.1.x

      #3
      Thanks!

      No problem :=)


      • BasilFawlty
        Senior Member
        • Jul 2012
        • 255
        • 4.2.X

        #4
        Ok, I know this is an old thread, but I just got hit with exactly the same thing. I first noticed there was a problem a week ago when all of a sudden, members started getting re-directed to some "link bucks" page when they would click on the "forums" button. Instead of going to the forum index page, they would get re-directed. At first it looked like someone simply replaced the "forum.php" file with a file that just did a re-direct. So, I replaced the bad file with my original (re-uploaded a good forum.php). I also found a file called w.php in my forum install directory which appeared to be malicious, so I also removed that. That "seemed" to fix it and I thought all was right with the world. However, this morning the exact same thing was happening, so I contacted my server manager (I lease my own server but use Platinum Server Management) and asked them to see if they could tell what is/was going on. They installed and are running "ClamAV" but in the meantime I started searching around my logs and found a certain IP (actually 2 IPs - one from Iraq and one from Jordan) who were hitting /admincp/subscription.php. "That's odd," I thought. So I directed my browser to the /admincp/subscriptions.php file and to my surprise, I was taken to a shell that gave me (and them) access to pretty much everything on my website. The shell was called, as in the original post in this thread, "!C99madShell". So, upon finding THIS thread, I also found the errant vBulletin plugin, which appeared to have this in the header:

        if (strpos($_SERVER['PHP_SELF'],"subscriptions.php"))

        This was followed by a bunch of gibberish characters. I deleted that plugin and now my Subscriptions seem to be in working order again.

        My question is HOW did they manage to install this plug in / shell and what can I (we) do to plug whatever hole there obviously is? Also, I'd appreciate any suggestions on what else I should do to see what damage has been done.

        Basil
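
        A small triage script, added here as an example and not code from the thread or from vBulletin: it lists requests under /admincp/ that come from addresses outside an admin allowlist (the kind of log review described above) and checks a plugin body for the PHP_SELF/subscriptions.php hook quoted above. The log lines and plugin bodies are constructed samples; the obfuscation markers (eval, base64_decode and friends) are an assumption about how such shells are usually packed, not something the thread states.

```python
import re

# Apache combined-format access log parsing; the log lines below are constructed samples.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2013:08:01:12 +0000] "GET /forum.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2013:08:02:40 +0000] "GET /admincp/subscriptions.php HTTP/1.1" 200 8821 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2013:08:02:55 +0000] "POST /admincp/subscriptions.php?act=ls HTTP/1.1" 200 1201 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Sep/2013:08:05:00 +0000] "GET /admincp/index.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

def admincp_hits(log_text, trusted_ips):
    """Return (ip, timestamp, method, path) for every /admincp/ request from a non-allowlisted address."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if path.startswith("/admincp/") and m.group("ip") not in trusted_ips:
            hits.append((m.group("ip"), m.group("ts"), m.group("method"), path))
    return hits

# Patterns to look for in a plugin's PHP code. The first is the hook quoted in the
# thread; the rest are an assumption: functions commonly used to pack obfuscated code.
PLUGIN_MARKERS = {
    "subscriptions.php hook": r"\$_SERVER\[.PHP_SELF.\].{0,40}subscriptions\.php",
    "eval": r"\beval\s*\(",
    "base64_decode": r"\bbase64_decode\s*\(",
    "compression/rot13": r"\b(gzinflate|gzuncompress|str_rot13)\s*\(",
}

def suspicious_plugin(php_code):
    """Return the names of the markers found in a plugin body (empty list = nothing flagged)."""
    return [name for name, pat in PLUGIN_MARKERS.items() if re.search(pat, php_code)]

# Constructed plugin bodies: one benign, one shaped like the hook described in the thread.
BENIGN_PLUGIN = '$vbulletin->options["footer_note"] = "Welcome back";'
SUSPECT_PLUGIN = ('if (strpos($_SERVER[\'PHP_SELF\'],"subscriptions.php")) '
                  '{ eval(base64_decode("cGxhY2Vob2xkZXI=")); }')

if __name__ == "__main__":
    for hit in admincp_hits(SAMPLE_LOG, {"192.0.2.10"}):
        print("untrusted admincp request:", hit)
    print("plugin markers:", suspicious_plugin(SUSPECT_PLUGIN))
```

        Run it against your real access log and the plugin code exported from the Plugin Manager; any non-empty marker list is a plugin to inspect by hand before deleting.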


        • Zachery
          Former vBulletin Support
          • Jul 2002
          • 59097

          #5
          Regarding the recent exploits, I highly suggest you read my recent blog posts on the subject; they should help you clean up and secure your site.


          • DemOnstar
            Senior Member
            • Nov 2012
            • 1912

            #6
            Basil, is the install folder still resident at your forum root? If yes, remove it. All of it....



            • BasilFawlty
              Senior Member
              • Jul 2012
              • 255
              • 4.2.X

              #7
              Originally posted by DemOnstar
              Basil, is the install folder still resident at your forum root? If yes, remove it. All of it....
              That was the first thing I checked - no it wasn't. Zachery - I have looked at the blog posts you suggested and will certainly try to take the actions you suggest, but in the meantime, do you (or anyone) have any idea how such an exploit might have been done?



              • BasilFawlty
                Senior Member
                • Jul 2012
                • 255
                • 4.2.X

                #8
                Originally posted by Zachery
                Regarding the recent exploits, I highly suggest you read my recent blog posts on the subject; they should help you clean up and secure your site.
                I am reading and will attempt the steps you suggest. One question. You say:

                "Whether you’ve just finished installing vBulletin, or if you’ve been running it for forever, you should be restricting access to any potentially sensitive areas. This includes general access to the AdminCP and ModCP folders, as well as your install directory."

                What is the best method to "restrict access"? I need to access my CP from several IP addresses, so not sure restricting by IP is a solution. What would be the methods to implement restricted access to certain folders?


                • DemOnstar
                  Senior Member
                  • Nov 2012
                  • 1912

                  #9
                  Originally posted by BasilFawlty

                  What is the best method to "restrict access"? I need to access my CP from several IP addresses, so not sure restricting by IP is a solution. What would be the methods to implement restricted access to certain folders?
                  In cPanel on the server, there is the option to password protect folders. Not sure really if this is the correct method but I put a password on the 2 folders you mentioned...



                  • Thunderbird
                    Senior Member
                    • Jan 2010
                    • 128
                    • 4.2.X

                    #10
                    Stick a password on folders you want to restrict access to. Restricting by IP is safer, though can be more cumbersome if yours changes a lot (or you've got a fair number of people who legitimately have access).

                    You can allow several IPs to access a particular section if you'd like, but I'm not 100% sure how safe that solution might be (the only area on my site that I restrict by IP is phpMyAdmin, and I only have 1 IP in the allow list, my own. If it changes, I just update the .htaccess file).


                    • sensimilla
                      Senior Member
                      • Sep 2004
                      • 264
                      • 3.8.x

                      #11
                      Originally posted by Trevor Hannant
                      Look in your Plugin Manager here:

                      AdminCP > Plugins & Products > Plugin Manager

                      If there's a plugin called 'vBulletin', check it and it may have reference to subscriptions.php in it. If it does, delete it as it's not a default plugin.
                      Thanks Trevor, it worked at my place.