Re: c99shell

On Sun, April 30, 2006 12:31 am, scot wrote:
> Hi there,
> Not sure if this is the proper place to post but here it goes. We got
> nailed by someone using c99shell today. They were able to upload and
> overwrite a bunch of index files. I am working on discovering how they
> were able to get it on our server. Here's some basic info. I am by no
> means a php expert. Should things be different? Is there a good paper
> out there somewhere in regards to windows / iis5 / php security?

I know nothing about c99shell, but I can tell you...

> php 4.4.1
> Safe Mode:  OFF
> Open basedir:  none

This should be a directory starting with C:\ and ending in a directory
where PHP can have a "workspace" to read/write files, and that
directory (and sub-dirs) should be exclusively reserved for PHP data.

> Display Errors:  ON

This is bad on a production server.
It exposes too much of your internal workings to Bad Guys.

> Short Open Tags:  ON

Turn them off, not for security, but for compatibility with other
servers where they will be off.

> File Uploads:  ON

Do you USE file uploads?...

Turn them off, if not.

> Magic Quotes:  ON

This should be off so you can sanitize your input data, and then use
http://php.net/mysql_real_escape_string

> Register Globals:  ON

OFF OFF OFF!!!
Unless you can guarantee your PHP code is 100% perfect with every
variable always initialized, including any PHP software you
download/install, then this MUST be turned OFF!

> Output Buffering:  OFF
> Session save path:  e:\PHP\sessiondata

This may need to be within open_basedir...

> Session auto start:  0
> XML enabled:  Yes
> Zlib enabled:  Yes
> Disabled Functions:  none
>
> Here is also a snip of log (altered IP's and URL) of what I think is
> the hack of the site. (I could be wrong)
>
> 2006-04-29 23:47:46 x.x.x.x - x.x.x.x 80 GET /index.html - 200 0 958 105 172 HTTP/1.0 www.blah.com Wget/1.9.1 - -
> 2006-04-29 23:49:32 x.x.x.x - x.x.x.x 80 GET /index.html - 200 0 953 122 297 HTTP/1.1 www.blah.com libwww-perl/5.805 - -

Errrr.  It's unlikely in the extreme that 2 GETs messed you up...

And somebody wrote a perl script to do something, but you haven't told
us what on that last line...

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
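The directives the reply walks through (open_basedir, display_errors, short_open_tag, file_uploads, magic_quotes, register_globals), gathered into a small php.ini audit. This is an added example, not code from the thread or from PHP; the `WEAK_INI` fragment is constructed to mirror the original poster's settings dump, and the reason strings are paraphrases of the reply.

```python
# Audit of a php.ini fragment against the reply above (constructed example,
# not code from the thread). WANT_OFF lists directives the reply says to turn Off.
WANT_OFF = {
    "display_errors": "leaks internals on a production server",
    "register_globals": "request parameters become PHP variables",
    "magic_quotes_gpc": "sanitise input yourself, escape per context",
    "short_open_tag": "compatibility with servers where it is off",
}

def norm_bool(value):
    """Map php.ini boolean spellings to 'on'/'off' (else the raw value)."""
    v = value.strip().strip('"').lower()
    if v in ("1", "on", "true", "yes"):
        return "on"
    return "off" if v in ("", "0", "off", "false", "no", "none") else v

def parse_ini(text):
    """Return {directive: value}; strips ';' comments and [section] lines."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line and not line.startswith("[") and "=" in line:
            key, _, val = line.partition("=")
            cfg[key.strip().lower()] = val.strip()
    return cfg

def audit(text, uses_uploads=False):
    """Return sorted (directive, finding) pairs that deviate from the baseline."""
    cfg = parse_ini(text)
    findings = []
    for key, why in WANT_OFF.items():
        if key not in cfg:
            findings.append((key, "not set explicitly"))
        elif norm_bool(cfg[key]) != "off":
            findings.append((key, "should be Off: " + why))
    if not uses_uploads and norm_bool(cfg.get("file_uploads", "off")) == "on":
        findings.append(("file_uploads", "On but the site does not use uploads"))
    # Empty or 'none' open_basedir lets scripts reach any path the server account can.
    if norm_bool(cfg.get("open_basedir", "")) == "off":
        findings.append(("open_basedir", "unset: scripts can touch any path"))
    return sorted(findings)

# Constructed php.ini fragment mirroring the original poster's settings dump.
WEAK_INI = """[PHP]
display_errors = On ; fine in development, not in production
register_globals = On
magic_quotes_gpc = On
short_open_tag = On
file_uploads = On
open_basedir =
"""
```

Running `audit(WEAK_INI)` reports all six directives; the same fragment with each set to Off, `file_uploads` justified via `uses_uploads=True`, and a real `open_basedir` path reports nothing.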

