
shell_i_coder.zip

(@rampage)
Posts: 354
Reputable Member
Topic starter
 

Hello everyone, I was dealing with a defacement of a website and while analyzing the system I've noticed that, after exploitation of a Joomla bug, a file called "shell_i_coder.zip" was uploaded to the server.

The problem is that the file has been deleted and the space reallocated, so I couldn't extract the file off the filesystem.

By conducting a quick search on Google, the only thing I could find was a Google cache copy of a page:

http//webcache.googleusercontent.com/search?q=cachemIG_YP40pL4Jwww.sunbloggerswp.nl/joomla/index.php%3Fact%3Df%26f%3DShell_i_coder.zip%26ft%3Dinfo%26d%3DC%253A%255CInetpub%255Cvhosts%255Csunbloggerswp.nl%255Chttpdocs%255Cjoomla%255Ctmp%255C+shell_i_coder&cd=1&hl=it&ct=clnk&gl=it&client=firefox-a

Has anyone more information about this thing?
A script for bruteforcing FTP passwords was also uploaded to the server.

 
Posted : 04/07/2010 4:20 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Has anyone more information about this thing?

No, but with a little fantasy ;) the file is found for download:
hxxp//www.sunbloggerswp.nl/joomla/tmp/Shell_i_coder.zip
jaclaz

 
Posted : 04/07/2010 10:43 pm
(@rampage)
Posts: 354
Reputable Member
Topic starter
 

Thanks jaclaz.

The problem is that the file appears to be empty.

BTW it looks like a PHP shell, but with the code in my hands I could run further examinations.

It looks like the PHP shell is made to work as a Joomla extension, so that it can be uploaded from the admin control panel.

This is what I can tell by taking a look at the logs and timeline of the filesystem on the compromised machine.

 
Posted : 05/07/2010 2:49 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Thanks jaclaz.

The problem is that the file appears to be empty.

Well, it's not empty, it's simply 22 bytes long.

Being named shell_i_code, it seems probable that it is a shell code ;)
http//en.wikipedia.org/wiki/Shellcode
http//web.archive.org/web/20080615190434/shellcode.org/

And if it is, 22 bytes look like the "right" kind of size.

Since it starts with "PK", and has 18 00's, it is possible that it is a "fake" .zip header template of some kind?

You can always mail the author 😯
hxxp//defaced.zone-h.net/defaced/2009/11/20/skserkamdarat.edu.my/index.asp
jaclaz

 
Posted : 05/07/2010 4:30 pm
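The 22-byte layout jaclaz describes above ("PK", then the bytes of the End of Central Directory signature, then 18 zero bytes) is exactly the fixed part of a ZIP End of Central Directory (EOCD) record, which is all an empty archive contains. The Python below is an added example, not code from this thread or from the file in question; it decodes that record and returns a triage verdict, and the sample blobs are constructed.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"      # End of Central Directory record signature
EOCD_SIZE = 22                # fixed part of the EOCD record (no comment)
EOCD_FMT = "<4sHHHHIIH"       # little-endian field layout of the fixed part

def parse_eocd(data: bytes) -> dict:
    """Locate and decode the EOCD record at the tail of a ZIP blob.
    Raises ValueError when no EOCD is present (not a ZIP, or truncated)."""
    # The EOCD is the last record; scan backwards so a trailing comment is tolerated.
    idx = data.rfind(EOCD_SIG)
    if idx < 0 or len(data) - idx < EOCD_SIZE:
        raise ValueError("no End of Central Directory record found")
    (_sig, _disk_no, _cd_disk, _entries_disk, entries_total,
     cd_size, cd_offset, comment_len) = struct.unpack_from(EOCD_FMT, data, idx)
    return {
        "entries": entries_total,
        "central_dir_size": cd_size,
        "central_dir_offset": cd_offset,
        "comment": data[idx + EOCD_SIZE: idx + EOCD_SIZE + comment_len],
    }

def classify_blob(data: bytes) -> str:
    """Triage verdict for a recovered file that carries a PK signature."""
    if not data.startswith(b"PK"):
        return "not a PK-signed file"
    try:
        eocd = parse_eocd(data)
    except ValueError:
        return "PK signature but no EOCD (truncated or corrupt archive)"
    if eocd["entries"] == 0 and eocd["central_dir_size"] == 0:
        return "empty ZIP archive (EOCD record only)"
    return f"ZIP archive with {eocd['entries']} entries"

# Constructed sample matching the thread's description: 'PK', 05 06, 18 zero bytes.
EMPTY_ZIP = EOCD_SIG + b"\x00" * 18

def make_sample_zip() -> bytes:
    """Constructed one-entry archive, for contrast with the empty one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed placeholder entry\n")
    return buf.getvalue()
```

Running `classify_blob` over the recovered bytes tells you whether the archive is empty or merely truncated, which is the difference between "no payload was ever in it" and "a payload existed but the rest of the file did not survive".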
(@rampage)
Posts: 354
Reputable Member
Topic starter
 

I don't think they are going to answer me :)

But maybe I'll give it a shot.

BTW I didn't take into consideration the idea of a shellcode because only the header is present, and it doesn't seem to contain any sort of executable code.

Maybe it's just a way to start a payload.

BTW, the machine was already compromised, according to timestamps, when the file was spawned on the filesystem.
So I don't see the point of running a second exploitation process when they already have access to the Joomla admin panel, and from there they could do almost anything by spawning a PHP shell as an arbitrary module.

And this agrees with the fact that the zip file you linked me is stored in the temp directory of a Joomla site.

This must have something to do with the post-exploitation process... somehow.

 
Posted : 05/07/2010 5:11 pm
(@kovar)
Posts: 805
Prominent Member
 

Greetings,

Perhaps there was more than one person attempting to compromise the site? Perhaps the timestamps were off?

-David

 
Posted : 05/07/2010 6:20 pm