Well, here's what happened here now that I have more details. We had a client with a php calendar installed. The attacker was able to upload c99.txt somehow and basically rename it to tasks.php within this calendar. c99 is amazing with what it can do, I'm no security expert but it blows me away. I could basically delete entire drives with this thing if I wanted. I'm still working out how it is able to do all this but... thanks everyone for the php setting suggestions. I'll tweak it some and try to lock it down more. Not sure if that would of stopped this or not. Scot "Edward Vermillion" <evermillion@xxxxxxxxxxxx> wrote in message news:AADC7A97-379A-4F07-9C6B-850599D722CA@xxxxxxxxxxxxxxx > Correct me if I'm wrong on this, but from what I've seen (last hour or so > looking through google for c99+php+shell+captain+crunch), it looks like > the vulnerability comes from including uploaded files somehow? Or at > least allowing files to be uploaded and then accessed with a .php > extension (or whatever Apache *thinks* should go to php). > > > This looks like a php script to me. I'm confused on how it all works as a > vulnerability. (nothing new) > > Ed > > On May 1, 2006, at 7:34 AM, Wolf wrote: > >> I got smacked by it as well. File-upload area that they uploaded a >> .php.rar file and then accessed the sucker (must have reconfigured their >> browser for handling?). >> >> At any rate, my file-upload area now is a file-upload and you can't >> access it anymore area. It lists it, but... you can't play with it. >> >> Might I remind everyone... BACKUP YOUR IMPORTANT STUFF NIGHTLY >> >> For anyone who wants a copy of c99 (or 2 other variants), let me know >> and I will email them to you. I have spent hours working with some of >> the more obscure and stronger security settings but was still able to >> use them, which is my file-upload area is now rigged the way that it is. >> >> Wolf >> >> scot wrote: >>> Hi there, >>> Not sure if this is proper place to post but here it goes. We got >>> nailed by >>> someone using c99shell today. They were able to upload and overwrite a >>> bunch >> >> -- >> PHP General Mailing List (http://www.php.net/) >> To unsubscribe, visit: http://www.php.net/unsub.php >> -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
