Hello everyone, I was dealing with a defacement of a website, and while analyzing the system I noticed that, after exploitation of a Joomla bug, a file called "shell_i_coder.zip" was uploaded to the server.
The problem is that the file has been deleted and the space reallocated, so I couldn't extract the file off the filesystem.
By conducting a quick search on Google, the only thing I could find was a Google cache copy of a page:
http//
Does anyone have more information about this thing?
A script for brute-forcing FTP passwords was also uploaded to the server.
> Does anyone have more information about this thing?
No, but with a little fantasy ;) the file can be found for download: hxxp//
jaclaz
Thanks jaclaz.
The problem is that the file appears to be empty.
BTW, it looks like a PHP shell, but with the code in my hands I could run further examinations.
It looks like the PHP shell is made to work as a Joomla extension, so that it can be uploaded from the admin control panel.
This is what I can tell by taking a look at the logs and the timeline of the filesystem on the compromised machine.
> Thanks jaclaz.
> The problem is that the file appears to be empty.
Well, it's not empty, it's simply 22 bytes long.
Being named shell_i_code, it seems probable that it is a shellcode ;)
http//
http//
And if it is, 22 bytes look like the "right" kind of size.
Since it starts with "PK" and has 18 00's, is it possible that it is a "fake" .zip header template of some kind?
You can always mail the author 😯 hxxp//
jaclaz
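An added triage snippet (not posted by anyone in this thread): a 22-byte file that is "PK", then the bytes 05 06, then 18 zero bytes is exactly the ZIP end-of-central-directory record of an archive with no members, so it carries no code at all. The code below parses that record from a constructed sample and compares it with the empty archive Python's zipfile writes; the file's real two bytes after "PK" are an assumption here.

```python
import io
import struct
import zipfile
from typing import Optional

# The ZIP end-of-central-directory (EOCD) record: signature plus six
# counters/offsets, 22 bytes in total when the archive comment is empty.
EOCD_SIG = b"PK\x05\x06"
EOCD = struct.Struct("<4sHHHHIIH")
EOCD_FIELDS = ("sig", "disk", "cd_disk", "entries_disk",
               "entries_total", "cd_size", "cd_offset", "comment_len")

# Constructed sample: 22 bytes, "PK" + 05 06 + 18 zero bytes. This is what
# an archive with no members looks like; it contains no executable code.
SAMPLE = EOCD_SIG + b"\x00" * 18


def parse_eocd(data: bytes) -> Optional[dict]:
    """Return the EOCD fields if `data` ends in a well-formed EOCD record."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0 or len(data) - pos < EOCD.size:
        return None
    rec = dict(zip(EOCD_FIELDS, EOCD.unpack_from(data, pos)))
    # The archive comment must account for every byte after the fixed record.
    if pos + EOCD.size + rec["comment_len"] != len(data):
        return None
    return rec


def classify(data: bytes) -> str:
    """Triage verdict for a recovered file that starts with 'PK'."""
    rec = parse_eocd(data)
    if rec is None:
        return "not a ZIP (no valid end-of-central-directory record)"
    if rec["entries_total"] == 0 and rec["cd_size"] == 0:
        return "empty ZIP archive (EOCD record only)"
    return f"ZIP archive with {rec['entries_total']} member(s)"


def make_zip(members: dict) -> bytes:
    """Build an in-memory archive; an empty dict yields the 22-byte EOCD."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    print(len(SAMPLE), classify(SAMPLE))
    print(classify(make_zip({"readme.txt": b"hi"})))
    print(zipfile.ZipFile(io.BytesIO(SAMPLE)).namelist())
```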
I don't think they are going to answer me :)
But maybe I'll give it a shot.
BTW, I didn't take into consideration the idea of a shellcode because only the header is present, and it doesn't seem to contain any sort of executable code.
Maybe it's just a way to start a payload.
BTW, the machine was already compromised, according to timestamps, when the file was spawned on the filesystem.
So I don't see the point of running a second exploitation process when they already have access to the Joomla admin panel, and from there they could do almost anything by spawning a PHP shell as an arbitrary module.
And this agrees with the fact that the zip file you linked me is stored in the temp directory of a Joomla site.
This must have something to do with the post-exploitation process… somehow.
Greetings,
Perhaps there was more than one person attempting to compromise the site? Perhaps the timestamps were off?
-David