Author Topic: MulCiShell  (Read 4026 times)

November 02, 2009, 06:37:22 pm

Cyclone
My website was once infected with MulCiShell.

I thought it would be a good idea to save the source, as it would be useful for removing the virus.

I analyzed it with a bunch of friends, we figured it out mostly.

How to know your site is infected:

-Files you do not recognize are on the server (specifically mshell.php)
-In your logs, odd file downloads will have occurred
-Some images may not load properly

What this shell does:

-Duplicates: It creates copies of itself in every writable directory
-Infects: Attaches malicious javascript to your pages
-Shell Access: Gives the hacker shell access
-Passwords: Brute forces FTP and MySQL passes
-File Manager: It allows the hacker to access all your files
-Complete Backup: The hacker can download all files in one click

How the hacker can get this onto your site:

-SQL injection
-FTP access

How you can remove this shell:

-If the mshell.php files are still on the server, view it in a browser (it won't exploit your browser, that'd be pointless for the hacker then) and click kill shell. This should remove all instances of mshell.php. This is only if the hacker left that though!
-Search for base64_decode in all your files, this should remove some infections
-Search your databases for anything abnormal
-If none of these work and your site is still infected, it may be best to simply start over with a blank, uninfected site

Be sure to change your passes regularly!!!

How you can prevent the shell from getting on your site:

-Fix SQL Injection loopholes
-Uninstall modifications you don't need
-CHMOD your directories to prevent writing by PHP, if a script requires a 0777 directory, check it regularly for odd files

Things the shell script exploits when on your site:

-/include/
-/includes/
-/inc/
-/mybb/
-/phpbb/
-/phpbb3/
-/forum/
-/forums/
-/board/
-/boards/
-/bb/
-/discuss/

WHAT TO DO THE SECOND YOU FIND OUT YOUR SITE IS INFECTED
-It may be a good idea to take your site offline. Mess up your .htaccess file a bit and cause a 500 error if needed.
-Scan your files. I don't know if ClamAV can detect this shell, but it's a good idea to try anyway
-Uninstall forum modifications you DON'T NEED
-Remove mshell.php ASAP, anyone who visits the URL can access your files, and passes, and everything else.

I hope my analysis of the MulCiShell will help you remove it and keep it from getting on your system! If you want the source, ask and I will post it. The shell itself has nothing about the actual injection and uploading, so it's not going to be a threat.

NOTE: Even if you run this on your localhost, it'll infect when run, so be careful!
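A small triage script for the three indicators the post lists (stray mshell.php files, PHP files calling base64_decode, and 0777 directories that PHP can write into). This is an added example, not code from the original post or from the shell itself. It assumes a POSIX sh with find, grep and mktemp; the sample web root it builds is constructed purely for the demonstration and its file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the post): offline triage for the indicators listed above.
# Assumes POSIX sh plus find, grep and mktemp.

# Indicator 1: files named mshell.php anywhere under the web root.
find_mshell() {
    find "$1" -type f -name 'mshell.php' 2>/dev/null | sort
}

# Indicator 2: PHP files that call base64_decode. Legitimate code uses it too,
# so every hit is a lead to inspect, not proof of infection.
find_base64_decode() {
    find "$1" -type f -name '*.php' -exec grep -l 'base64_decode' {} + 2>/dev/null | sort
}

# Indicator 3: world-writable directories (the 0777 case the post says to watch).
# -perm -0002 is the portable octal spelling of "others may write".
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# Print a short report for a real web root, e.g. triage /var/www/html
triage() {
    echo "== mshell.php files =="
    find_mshell "$1"
    echo "== PHP files calling base64_decode =="
    find_base64_decode "$1"
    echo "== world-writable directories =="
    find_world_writable_dirs "$1"
}

# Constructed sample web root so the checks can be exercised offline.
# Only forum/uploads is 0777 and only one file carries the indicators.
make_sample_root() {
    root=$(mktemp -d)
    chmod 0755 "$root"
    mkdir -p "$root/forum/uploads" "$root/includes"
    chmod 0755 "$root/forum" "$root/includes"
    chmod 0777 "$root/forum/uploads"
    printf '<?php echo "clean"; ?>\n' > "$root/index.php"
    printf '<?php $d = base64_decode("aGVsbG8="); ?>\n' > "$root/forum/uploads/mshell.php"
    printf '<?php echo "also clean"; ?>\n' > "$root/includes/helper.php"
    echo "$root"
}

# Stand-alone use: pass the web root as the first argument.
if [ -n "${1:-}" ]; then
    triage "$1"
fi
```

Run it as `sh triage.sh /path/to/webroot`; each section lists full paths, so the output can be fed straight into a review or a removal checklist. The base64_decode search will also flag legitimate libraries, which is why the post's advice to inspect rather than blindly delete still applies.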