Suspended during wordpress installation

[vulcan]

While I was installing wordpress 3.0 via fantastico the system suspended me stating that I used shell script
please un suspend the account
many thanks in advance

[Livewire]

Wasn't from wordpress, was from scipt.php which contains the C99 webshell. This is a zero tolerance permanent suspension.

For clarification: You happened to be installing wordpress when it suspended you. That doesn't always mean the cause was actually -in- wordpress, especially if it was still in the process of scanning other files.

[vulcan]

so what I am supposed to do?
may I have access in order to remove the script?!

[stpvoice]

Hello,

Your account is permanently suspended for having a shell script. You can have no further access to it.

[vulcan]

I personally didn't install that script!!
and never seen it before, I guess you can check the logs.
what about my data there are few old data files I would like to retrieve if the suspension decision is final.
many thanks for help

[stpvoice]

If the suspension is final then you won't be able to have any more access to your files.
So, you're denying you know anything about this?

[vulcan]

My friend, I've been with x10 for long time to break the rules
I never did install the shell script. and neither needed to!!! I use this account for testing my php scripts and for wordpress.
I really don't mind suspending the account but yet the data files are to old to lose like this.
Many thanks in advance.

[stpvoice]

Okay, I'll ask Livewire to come back and re-review this. I don't have server access to be able to do so myself.

[vulcan]

thank you both in advance

[Livewire]

File in question has some serious security issues given the subfolder amltd which -also- contains a shell script.

Here's the short and bad, so to speak. It's permanent given how long the files have been on there. At the time they were uploaded, they had been scanned and did not match any current filters in the system.

At the time.


Scipt.php had been accessed today: Access: 2011-04-29 09:23:36.000000000 -0400, and it was due for rescan, and there was now a filter for the c99 series of webshells. It suspended for it. Here's the bad part - that file's modify date. Modify: 2007-12-26 01:31:35.000000000 -0500 - approximately 25-30 days after the accounts original creation. No one used it for 3-4 years which is why it went undetected until now.

Worse, the script I located in the amltd folder, specifically amltd/images/mshell.php. This one was -also- accessed today, and last modified back on september 26th 2009. Same problem - scanned and found to be clean at the time, but then accessed later and re-scanned and found to be a major problem.

The amltd folder appears to have contained a php file uploader of some form, which is quite possibly how these malicious scripts got onto the account. Sadly, there's nothing that can be done - you're responsible for the contents of the account, and these have been here for quite some time before someone tried to run them.