
Hi, I just detected weird behaviour on my server with a specific URL:

/index.php?view=article&catid=29&id=24&format=pdf

It renders C99Shell. It seems like a traversal attack, but I can't figure out where the hell this gets included... it only happens with that URL.

Can you help me?

Edit

Nothing; I already double-checked the DB and the administrator. The URL that I first detected was

/index.php?view=article&catid=29%3Athe-cms&id=26%3Aextensions&format=pdf&option= com_content&Itemid=37/?option=com_rokdownloads&controller=../../../../../../../. ./../../../../..//proc/self/environ%0000 HTTP Response 200

Then I realized that the article and the category alone were enough to display it. Any suggestion?
voretaq7
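The request quoted in the question is a directory-traversal attempt against the com_rokdownloads controller parameter: it climbs out of the web root to /proc/self/environ and ends in a null byte so that anything PHP appends to the path is cut off. If the server includes that file, whatever the attacker placed in a request header (usually User-Agent) runs as PHP. The script below is an added example, not code from the original post: it scans Apache combined-format access-log lines for that pattern (traversal sequences, /proc/self/environ, null bytes, PHP tags in headers), percent-decoding repeatedly so double-encoded `%252e` variants are caught too. The log lines are constructed for the example and the function names are my own.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access-log excerpt (not from the original
# post). Line 1 is the harmless-looking URL from the question; lines 2 and 3
# are the kind of traversal attempt the question's second URL shows, with the
# PHP payload riding in the User-Agent header on line 2.
SAMPLE_ACCESS_LOG = r'''
203.0.113.7 - - [19/Jun/2011:18:02:11 +0000] "GET /index.php?view=article&catid=29&id=24&format=pdf HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2011:18:02:14 +0000] "GET /index.php?option=com_rokdownloads&controller=../../../../../../proc/self/environ%00 HTTP/1.1" 200 7311 "-" "<?php eval(base64_decode('cGhwaW5mbygpOw==')); ?>"
198.51.100.9 - - [19/Jun/2011:18:05:40 +0000] "GET /index.php?option=com_rokdownloads&controller=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2048 "-" "curl/7.21.0"
192.0.2.44 - - [19/Jun/2011:18:07:02 +0000] "GET /images/logo.png HTTP/1.1" 200 9021 "http://example.org/" "Mozilla/5.0"
'''

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def decode_fully(s, rounds=3):
    """Percent-decode until the string stops changing, so %252e%252e%252f becomes ../ too."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(target, referer, ua):
    """Return (decoded target, list of indicator names) for one request."""
    decoded = decode_fully(target)
    indicators = []
    if "../" in decoded or "..\\" in decoded:
        indicators.append("traversal")
    if "/proc/self/environ" in decoded:
        indicators.append("proc_self_environ")
    if "\x00" in decoded:                      # %00 survives decoding as a NUL byte
        indicators.append("null_byte")
    if "<?php" in (referer + ua).lower():      # payload staged in a header for environ inclusion
        indicators.append("php_in_headers")
    return decoded, indicators


def find_lfi_attempts(log_text):
    """Parse combined-format lines and return the suspicious ones with their indicators."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded, indicators = classify(m["target"], m["referer"], m["ua"])
        if indicators:
            hits.append({
                "ip": m["ip"],
                "status": int(m["status"]),
                "target": decoded.replace("\x00", "\\x00"),  # keep the NUL printable
                "indicators": indicators,
            })
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_ACCESS_LOG):
        print(hit["ip"], hit["status"], hit["target"], ",".join(hit["indicators"]))
```

Two things to read off the result. The first line, the URL from the question, is not flagged: it carries no traversal of its own, it only hits code that is already on disk, so the access log has to be searched for the earlier request that planted the shell, not for the URL that now displays it. And a traversal request that got a 200, as the question's log shows, is the one that worked; 404s and 500s for the same pattern are attempts that failed.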

3 Answers


That is a c99shell installed on your Joomla site, and it is probably encoded. It will be hard to detect if it is encoded. You can detect where the file is installed by changing some settings in php.ini. I did this to detect it:

  1. Change the php.ini setting disable_functions and disable ini_get. Those shells rely on this function to find out what your PHP settings are.

  2. Copy that URL from your logs and put it in your browser. Then go to your Apache logs to find out which file is complaining that ini_get is disabled.

  3. Go to that file (or files), open it and you will see that you have a file that is encoded; delete it and try again.

Other people use the find command to detect these shells. In my case this is what worked. I advise you to harden your Apache and php.ini and to install mod_security. Those will help a lot.

cayerdis
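The three steps above, as an added example (not cayerdis's code): once `disable_functions = ini_get` is set in php.ini and the attacker's URL is replayed, PHP logs a warning of the form `ini_get() has been disabled for security reasons in <file> on line <n>` to the Apache error log, and that file path is the answer to "where is it included". The first function below pulls those paths out of the log; the second is the `find`-style sweep other people use, walking the web root for the obfuscation idioms that encoded shells are built from. The error-log lines and the throwaway demo web root are constructed for the example, and the signature list is a handful of common idioms, not a complete one.

```python
import os
import re
import tempfile

# Warning PHP emits when a function listed in php.ini's disable_functions is
# called; with log_errors on it lands in Apache's error log.
DISABLED_RE = re.compile(
    r"(?:PHP Warning|Warning):\s+(?P<func>\w+)\(\) has been disabled for security "
    r"reasons in (?P<file>\S+) on line (?P<line>\d+)"
)

# Constructed Apache error-log excerpt (not from the original post). The first
# two lines are what replaying the attacker's URL produces after disabling
# ini_get; the third is unrelated noise that must not be reported.
SAMPLE_ERROR_LOG = r'''
[Sun Jun 19 19:39:02 2011] [error] [client 203.0.113.7] PHP Warning:  ini_get() has been disabled for security reasons in /var/www/html/images/stories/food.php on line 12
[Sun Jun 19 19:39:02 2011] [error] [client 203.0.113.7] PHP Warning:  ini_get() has been disabled for security reasons in /var/www/html/images/stories/food.php on line 31
[Sun Jun 19 19:40:10 2011] [error] [client 198.51.100.9] PHP Notice:  Undefined index: view in /var/www/html/index.php on line 44
'''


def files_calling_disabled_functions(log_text, func="ini_get"):
    """Map each file the log blames for calling `func` to the sorted line numbers involved."""
    hits = {}
    for line in log_text.splitlines():
        m = DISABLED_RE.search(line)
        if m and m["func"] == func:
            hits.setdefault(m["file"], set()).add(int(m["line"]))
    return {path: sorted(lines) for path, lines in hits.items()}


# Obfuscation idioms typical of encoded PHP shells: (label, regex over raw bytes).
SHELL_PATTERNS = [
    ("eval_base64", re.compile(rb"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode\s*\(")),
    ("preg_replace_e", re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]")),
    ("c99_marker", re.compile(rb"c99sh(?:ell)?", re.IGNORECASE)),
    ("long_base64_blob", re.compile(rb"[A-Za-z0-9+/]{400,}={0,2}")),
]


def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk `root` and return {relative path: [matched labels]} for files that look like shells."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            labels = [label for label, rx in SHELL_PATTERNS if rx.search(data)]
            if labels:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = labels
    return findings


def build_demo_tree():
    """Create a throwaway web root with one clean file and one encoded shell (constructed data)."""
    root = tempfile.mkdtemp(prefix="joomla-demo-")
    os.makedirs(os.path.join(root, "images", "stories"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\ndefine('_JEXEC', 1);\nrequire_once 'includes/framework.php';\n")
    # A shell dropped into an upload directory: probes ini_get, then evals a packed blob.
    with open(os.path.join(root, "images", "stories", "food.php"), "w") as fh:
        fh.write("<?php\n$s = ini_get('safe_mode');\n"
                 "eval(gzinflate(base64_decode('" + "QUJD" * 150 + "')));\n")
    return root


if __name__ == "__main__":
    print(files_calling_disabled_functions(SAMPLE_ERROR_LOG))
    print(scan_tree(build_demo_tree()))
```

Legitimate code calls ini_get as well, so expect some noise in the error log and revert the disable_functions change once the file has been found. Both functions are only as good as what they match: a shell that avoids base64 entirely, or that has been split across several files, slips past the signature sweep, which is why the log-based step, which catches the shell in the act, comes first in the procedure.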

Enter the Joomla Administrator.
Check the HTML source of the article with ID 24 in category 29.

  • Nothing; I already double-checked the DB and the administrator. The URL that I first detected was "/index.php?view=article&catid=29%3Athe-cms&id=26%3Aextensions&format=pdf&option= com_content&Itemid=37/?option=com_rokdownloads&controller=../../../../../../../. ./../../../../..//proc/self/environ%0000 HTTP Response 200". Then I realized that the article and the category alone were enough to display it. Any suggestion? – Jason Fake Jun 19 '11 at 19:39
  • No. C99shell is a php backdoor. – petrus Jun 19 '11 at 22:33

You were probably the victim of an RFI attack; try http://kanchan2kewl.blogspot.com/2009/11/c99shell-hacking-protection.html to detect where the malicious code is.

Necronet