Re: c99shell


 



Well, here's what happened here now that I have more details. We had a 
client with a php calendar installed. The attacker was able to upload 
c99.txt somehow and basically rename it to tasks.php within this calendar. 
c99 is amazing with what it can do, I'm no security expert but it blows me 
away. I could basically delete entire drives with this thing if I wanted. 
I'm still working out how it is able to do all this but...

Thanks everyone for the php setting suggestions. I'll tweak it some and try 
to lock it down more. Not sure if that would have stopped this or not.

Scot

"Edward Vermillion" <evermillion@xxxxxxxxxxxx> wrote in message 
news:AADC7A97-379A-4F07-9C6B-850599D722CA@xxxxxxxxxxxxxxx
> Correct me if I'm wrong on this, but from what I've seen (last hour or so 
> looking through google for c99+php+shell+captain+crunch), it looks like 
> the vulnerability comes from including uploaded files somehow? Or at 
> least allowing files to be uploaded and then accessed with a .php 
> extension (or whatever Apache *thinks* should go to php).
>
>
> This looks like a php script to me. I'm confused on how it all works as a 
> vulnerability. (nothing new)
>
> Ed
>
> On May 1, 2006, at 7:34 AM, Wolf wrote:
>
>> I got smacked by it as well.  File-upload area that they uploaded a
>> .php.rar file and then accessed the sucker (must have reconfigured their
>> browser for handling?).
>>
>> At any rate, my file-upload area now is a file-upload and you can't
>> access it anymore area.  It lists it, but...  you can't play with it.
>>
>> Might I remind everyone...  BACKUP YOUR IMPORTANT STUFF NIGHTLY
>>
>> For anyone who wants a copy of c99 (or 2 other variants), let me know
>> and I will email them to you.  I have spent hours working with some of
>> the more obscure and stronger security settings but was still able to
>> use them, which is why my file-upload area is now rigged the way that it is.
>>
>> Wolf
>>
>> scot wrote:
>>> Hi there,
>>>  Not sure if this is proper place to post but here it goes. We got nailed by
>>> someone using c99shell today. They were able to upload and overwrite a bunch
>>
>> -- 
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
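
Added example, not part of any message in this thread: an upload handler that checks every dot-separated extension in the client-supplied name, since Apache's mod_mime can act on any of them (the `.php.rar` case above), and stores the file outside the document root under a server-generated name. The extension lists, function names and storage directory are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Extension lists and paths are assumptions.
// Extensions a typical Apache/PHP setup may map to the PHP handler (assumed list).
const HANDLER_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'phps', 'pht', 'phar'];
// Extensions this hypothetical calendar application accepts.
const ALLOWED_EXTENSIONS = ['jpg', 'png', 'gif', 'pdf', 'txt'];

/**
 * Returns null when the client-supplied name is acceptable, else a reason string.
 * Every dot-separated segment is checked, not only the last one, because
 * mod_mime can act on any extension in the name (e.g. "shell.php.rar").
 */
function rejectReason(string $clientName): ?string
{
    $name = basename(str_replace('\\', '/', $clientName));
    if (strpos($name, "\0") !== false) return 'NUL byte in name';
    $segments = explode('.', strtolower($name));
    array_shift($segments);                 // drop the base name
    if ($segments === []) return 'no extension';
    foreach ($segments as $seg) {
        if (in_array($seg, HANDLER_EXTENSIONS, true)) return "handler extension .$seg";
    }
    if (!in_array(end($segments), ALLOWED_EXTENSIONS, true)) return 'extension not on allow-list';
    return null;
}

/** Stores an upload outside the document root under a server-generated name. */
function storeUpload(array $file, string $storeDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if (($why = rejectReason($file['name'])) !== null) {
        throw new RuntimeException("rejected: $why");
    }
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $dest = $storeDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);                     // readable, never executable
    return $dest;
}

// Constructed sample names, including the shapes mentioned in the thread.
foreach (['c99.txt', 'shell.php.rar', 'tasks.php', 'photo.JPG', 'notes.pHp5.txt'] as $n) {
    printf("%-16s %s\n", $n, rejectReason($n) ?? 'ok');
}
```

Note that `c99.txt` passes the name check: a filename filter alone does not cover the upload-then-rename case described at the top of the thread, which is why the file is also stored outside the web root under a name the client does not choose.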

