

Hack attempt? I'm pretty sure...




Posted by CynProWeb, 07-08-2007, 07:23 PM
A new client has just opened up an account and the first thing he's installed are a few scripts called r57shell and c99shell. I'm not very familiar with these two scripts, but by the looks of them they're root kits of some sort. Am I correct in thinking this? The account has been suspended for the time being.

Posted by Outlaw Web Master, 07-08-2007, 07:27 PM
r57shell is a PHP script that is the handiwork of a Russian hacking group. It is uploaded to a vulnerable Web site and gives the hacker the ability to download and upload files, create backdoor listeners, send e-mail, bounce a connection to another server, or administer a MySQL database, all through a simple Web interface. OWM

Posted by CynProWeb, 07-08-2007, 07:31 PM
Well then it looks as if this is one account that's going to go bye bye....

Posted by Outlaw Web Master, 07-08-2007, 07:34 PM
Definitely mate... google r57shell and it's a firework on your server, so I dare say the other one's its brother. Just as well you checked it out.

Posted by Adam H, 07-08-2007, 07:49 PM
Lucky you caught that early

Posted by jon-f, 07-08-2007, 08:16 PM
Ya, I've had people do that, I guess a defacement attempt or to send spam or something. I have even had people sign up with legit info and that be the first thing they upload; it's beyond me why someone would pay for hosting to upload a shell when there are 1000s of scripts running on the net you could exploit and shell. I guess they must be the real noob hackers who have to buy hosting to shell a server. That's why I try to verify the best I can and never do signups without their own domain name. Like people who just ask for a subdomain off your domain, I just deny that. Usually spam or our noob shell uploaders.

Posted by CynProWeb, 07-08-2007, 10:16 PM
Well it's funny you should say that SecureServerTech.... It was a legit sign up, verified by phone.... Easiest $50.00 I've ever made.

Posted by uberjon, 07-08-2007, 10:20 PM
You're joking? Who in their right mind would willingly give out that kinda info if you plan on hacking their server?

Posted by UH-Matt, 07-08-2007, 11:07 PM
If they just opened it you don't know it's legit even if you did phone them. Give a refund and shut the account, or wait for a chargeback. I assume you don't have the customer's signature to fight a chargeback.

Posted by plumsauce, 07-09-2007, 02:32 AM
I agree, chargeback was the first thing that came to my mind. BTW, are you particular the customer did the uploading?

Posted by jon-f, 07-09-2007, 03:06 AM
Guess these supernoob hackers out there lol. Well 99% of such sign ups where the first thing they upload is a shell are fraud, but I've seen it legit before; I wouldn't be surprised if it's the same guy. Ya it sounds pathetic, but there are such pathetic kiddy groups out there. I guess they get frustrated by not being able to exploit php-nuke sites so they cook up some plan to upload a shell and get root. If the admin doesn't catch it they finally give up after not finding a way to root it. I had some group calling themselves thedefaced which uploaded a php shell to a client's site, then uploaded the same web shell to tmp and ran around telling everyone they rooted my server. Didn't do no good showing the comical logs and explaining the concept of users and groups to the kids, as they have no idea what those are. But hey, I'd rather deal with kids like that any day than pro spammers.
Last edited by jon-f; 07-09-2007 at 03:12 AM.

Posted by CynProWeb, 07-09-2007, 03:07 AM
As I'm sure most of you can imagine, this isn't the first time either myself or one of you has had to suspend / terminate an account. I have had chargebacks occur in the past from PayPal. It's a shame when it happens, but it's a fact of the industry and the times we live in. The files were uploaded from the same source as the account sign up, mere moments after activation. I have sent the person an email requesting details on the account and have yet to receive a reply. I plan on monitoring the situation for the next while with the account on suspension. Even though I cannot be 100% positive on the accuracy of the information provided by the client, should a chargeback occur the funds will be returned to the appropriate person. Should I not receive a reply by tomorrow evening the funds will be returned and the account terminated. It's just too bad people need to be destructive. If these types of people put as much effort into being successful in a legit way, they could do some serious damage in the real world.
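An added example, not part of any post in this thread: a triage check a shared host could run over a freshly activated account, combining the capabilities Outlaw Web Master lists for r57shell with the "uploaded moments after activation" timing CynProWeb describes. The function names, scoring weights, threshold and sample files are assumptions made for illustration; the PHP call list is illustrative, not a complete signature set.

```python
import re
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

NAME_HINTS = re.compile(r"r57|c99", re.I)  # the two script names from the thread
# PHP calls matching the capabilities described above (illustrative, not exhaustive).
CAPABILITIES = {
    "command execution": re.compile(rb"\b(shell_exec|passthru|proc_open|popen|system|exec)\s*\("),
    "network listener/bounce": re.compile(rb"\b(fsockopen|socket_create|socket_bind)\s*\("),
    "mail sending": re.compile(rb"\bmail\s*\("),
    "MySQL administration": re.compile(rb"\bmysqli?_(connect|query)\s*\("),
    "file upload": re.compile(rb"\bmove_uploaded_file\s*\("),
}

def score_file(path, activated_at, window=timedelta(hours=1)):
    """Return (score, reasons) for one PHP file in a recently activated account."""
    path = Path(path)
    data = path.read_bytes()
    reasons = [name for name, rx in CAPABILITIES.items() if rx.search(data)]
    score = len(reasons)
    if NAME_HINTS.search(path.name):
        score += 2
        reasons.append("known shell filename")
    age = datetime.fromtimestamp(path.stat().st_mtime) - activated_at
    if timedelta(0) <= age <= window:
        score += 1
        reasons.append("uploaded shortly after activation")
    return score, reasons

def scan_account(docroot, activated_at, threshold=4):
    """Map file name -> reasons for every PHP file scoring at or above threshold."""
    hits = {}
    for p in sorted(Path(docroot).rglob("*.php")):
        score, reasons = score_file(p, activated_at)
        if score >= threshold:
            hits[p.name] = reasons
    return hits

def demo():
    """Scan a constructed docroot: one ordinary contact form, one inert sample."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "contact.php").write_text("<?php mail($to, $subject, $body); ?>")
        # Inert constructed sample: only names the calls inside a comment.
        Path(d, "c99.php").write_text(
            "<?php /* system( fsockopen( mail( mysql_connect( move_uploaded_file( */ ?>")
        return scan_account(d, datetime.now() - timedelta(minutes=5))

if __name__ == "__main__":
    print(demo())
```

A single capability, such as a contact form calling `mail()`, stays below the threshold; it is the combination of several capabilities in one file that gets flagged, with the filename and upload timing adding weight.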

Posted by jon-f, 07-09-2007, 03:14 AM
Man, if someone uploaded a shell as soon as their account is active, terminate that sucker and refund the money, don't give it no more thought. I wouldn't leave it suspended, terminate. Just my 2 cents.


