MyBB Community Forums

Full Version: Found several shells in my website's FTP.
/home/uzi/public_html/inc/3rdparty/diff/Diff/Engine/shell.php
<< That is part of the mybb package.
(2012-05-09, 10:41 PM)danesxd Wrote: [ -> ]
(2012-05-09, 10:39 PM)Alternate Wrote: [ -> ]
(2012-05-09, 10:32 PM)danesxd Wrote: [ -> ]
(2012-05-09, 10:25 PM)Alternate Wrote: [ -> ]
(2012-05-09, 10:22 PM)danesxd Wrote: [ -> ]Hi, I remember you.

Pretty certain you defaced my old forum. How mature...?

To be honest, it was a very immature thing to do. I feel bad about it. It was a good forum, but I started to get into hack forums and for some reason I wanted to deface something and make myself look cool, but I realize now it was a mistake. You probably won't believe me or forgive me, but it's the truth.

Wait.. are you talking about my old forum or this one...?

Also, if you're talking about the old one, why would you randomly decide to log into your MyBB account to view this thread?
Your old one, and because I was looking for some plugins to mess around with, but I saw this and thought I should check it out, and I remembered who you were.

Sorry.. but at the moment I can't clarify you to be trustworthy, considering it's a coincidence that you manage to find this thread on the same day my forum is at risk of being exploited. I can barely trust anyone at the moment.
(2012-05-09, 10:34 PM)pavemen Wrote: [ -> ]
(2012-05-09, 10:21 PM)Solidus Wrote: [ -> ]Let's be smart here.
"/home/uzi/public_html/uploads/awards/shell.php.jpg"
"/home/uzi/public_html/uploads/ficons/shell.php.jpg"


Almost certainly those plugins are to blame. Although it is possible that it was something else, and those directories were chosen because they can be written to.

The plugins are likely NOT to blame, but that is where the hacker or malicious script decided to install the shell code.

You're right, just noticed these are Labrocca's plugins, so it's not likely at all.
Once you get it all cleaned up and are comfortable with the current file set, try installing my Advanced File Verification plugin to set a new baseline, and then you can monitor from there.
These got installed there only because they were writable folders. This was likely an exploit from your host or other script....RFI imho.

Are you on shared host? And do you run other scripts?
He is using HostGator shared. OP gave me cPanel access; all of the /inc folder is gone and continues to be removed when re-uploaded. I've told him to contact HostGator support, who can access the folder via SSH; maybe there's something hidden in there.
(2012-05-09, 11:18 PM)Solidus Wrote: [ -> ]He is using HostGator shared. OP gave me cPanel access; all of the /inc folder is gone and continues to be removed when re-uploaded. I've told him to contact HostGator support, who can access the folder via SSH; maybe there's something hidden in there.

Hi there Labrocca. Solidus basically provided you with a thorough reply to your question.

Also, I would like to add, I was on HostGator Live Chat and the guy said that he checked and there weren't any hidden files.

I'm just not too sure why I see these files being added through checking the access log, but they don't appear in "inc".

Nothing is uploading to "inc" either, which I find strange. Thanks for all the assistance guys, I'm going offline but I'll be back online tomorrow afternoon to sort this out.
(2012-05-09, 10:45 PM)Alternate Wrote: [ -> ]
(2012-05-09, 10:41 PM)danesxd Wrote: [ -> ]
(2012-05-09, 10:39 PM)Alternate Wrote: [ -> ]
(2012-05-09, 10:32 PM)danesxd Wrote: [ -> ]
(2012-05-09, 10:25 PM)Alternate Wrote: [ -> ]Pretty certain you defaced my old forum. How mature...?

To be honest, it was a very immature thing to do. I feel bad about it. It was a good forum, but I started to get into hack forums and for some reason I wanted to deface something and make myself look cool, but I realize now it was a mistake. You probably won't believe me or forgive me, but it's the truth.

Wait.. are you talking about my old forum or this one...?

Also, if you're talking about the old one, why would you randomly decide to log into your MyBB account to view this thread?
Your old one, and because I was looking for some plugins to mess around with, but I saw this and thought I should check it out, and I remembered who you were.

Sorry.. but at the moment I can't clarify you to be trustworthy, considering it's a coincidence that you manage to find this thread on the same day my forum is at risk of being exploited. I can barely trust anyone at the moment.

Understood. I am not looking for forgiveness, just simply letting you know I don't mean harm to you.

And I don't have anything to do with this new issue, just saying.
Never mind. I have now had this issue resolved. Someone had edited my File Attributes on my FTP account so I (Owner) couldn't 'Read' files inside "/inc" but the 'Public' group could Read, Write and Execute commands. I had a brief discussion with my hosting provider's Live Support Chat and he regained my permissions for my account and I was able to view everything as normal.

I appreciate all the help that everyone's provided me with over the past 48 hours. Thank you!
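
Two indicators come up in this thread: files named like shell.php.jpg under the uploads directories, and a directory ("/inc") that its owner cannot read while the public bits allow read, write and execute. The following is an added example, not code from any poster or from MyBB, that checks a web root for both. The function names, the list of extensions and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Script extension hidden in front of an image extension, e.g. shell.php.jpg
DOUBLE_EXT = re.compile(r"\.(php\d?|phtml|pl|cgi)\.(jpe?g|png|gif)$", re.I)


def audit(webroot):
    """Return sorted (relative_path, finding) tuples for a web root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):  # symlink modes carry no meaning here
                continue
            rel = os.path.relpath(path, webroot)
            if DOUBLE_EXT.search(name):
                findings.append((rel, "script-ext-before-image-ext"))
            if not mode & stat.S_IRUSR:
                findings.append((rel, "owner-cannot-read"))
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
    return sorted(findings)


def build_sample(root):
    """Constructed sample tree reusing the relative paths quoted in the thread."""
    for d in ("uploads", "uploads/awards", "uploads/ficons", "inc"):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), 0o755)
    for f in ("uploads/awards/shell.php.jpg", "uploads/awards/medal.png"):
        with open(os.path.join(root, f), "w"):
            pass
        os.chmod(os.path.join(root, f), 0o644)
    # Owner has no access, public has read/write/execute (assumed mode 007)
    os.chmod(os.path.join(root, "inc"), 0o007)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for rel, finding in audit(root):
            print(f"{finding:30} {rel}")
        os.chmod(os.path.join(root, "inc"), 0o755)  # restore so cleanup works
```

A directory the scanning account cannot read is reported itself, but its contents are skipped, so such a finding means the listing below it is incomplete until permissions are restored.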