Comments on: Wordpress 2.0.5 Site got hacked using c99shell ?

By: emily

emily — Thu, 04 Mar 2010 07:41:22 +0000

I enjoy browsing this page, always find out random new stuff. Emily R. from Husky Tips

By: Michelle Wong

Michelle Wong — Sun, 10 Feb 2008 05:48:05 +0000

Thanks for the great information. I just suscribed to your blog feed.Michelle, HostGator Coupons

By: mahmoud

mahmoud — Fri, 04 May 2007 16:11:33 +0000

eldooky2003@yahoo.com

By: gamal

gamal — Thu, 05 Apr 2007 19:11:46 +0000

ukgjhhkhjj

By: amin

amin — Fri, 02 Mar 2007 15:55:27 +0000

help me

By: Christos

Christos — Thu, 08 Feb 2007 00:55:15 +0000

It has nothing to do with blog software.
I had forgoten in my path the Appserv folder wich was indexed by the search engines and they used the “README-th.php” file to gain access.
What I found disturbing is that the injection was done by Yahoo Slurp. I don’t know how they managed to make Yahoo do the job for them but they did.

The script-kiddies are capable of much more than what they’ve been doing Unfortunately.
The last one who gained access to my self-hosted server, erased the whole disk.
I guess I was lucky in unluckyness and pulled the plug while he was doing it so along with some other files the Apache log was saved
and I was able to track the events down and
found that it was I guy from Turkey.
I have enough evidence from the log file and also from a forum where he posted his evil doing but I don’t know what can I do against him (legally I mean).
I did not only lost my sites I also lost about 70GB of data and software.

By: Reaper-X

Reaper-X — Fri, 17 Nov 2006 12:02:38 +0000

I see … thanks a lot for that information, i really appreciate it .. but if it caused by xmlrpc then the problem is in the blog software itself :?

By: justinf

justinf — Fri, 17 Nov 2006 11:34:12 +0000

my blog use Nucleus and even that was hacked with c99 – so its nothing to do with wordpress itself. and my box is Fedora 5 with all the latest security patches.

from my logs , it seems to be a hack based on the xmlrpc component of a blog.

By: possum.kicks-ass.org » Blog Archive » I’ve Been Exploited

possum.kicks-ass.org » Blog Archive » I’ve Been Exploited — Mon, 13 Nov 2006 03:46:31 +0000

[...] A couple days ago I noticed I had an unusual amount of traffic to my site from a number of IP addresses beginning with 222. I checked my logs and found out they had installed a backdoor into my Dreamhost user account, which was the web application called C99Shell. Obviously this is a serious vulnerability (just Google it) and I have worked to eliminate it from my site. Unfortunately, I noticed they had come back — with bash access. How they got it is beyond me, but I’ve taken some steps to prevent them from returning (changing my password, etc.) . I put this out here because the script-kiddies are capable of much more than what they’ve been doing (spamming) whether they know it or not. I’ve ensured that they have _not_ installed any viruses on any of my site, but take care while browsing not to use Internet Explorer, just in case anything _does_ happen. [...]