What I found with my working with trying to lock it down was that I could not do it entirely at the last point of trying. I could only succeed in doing most of it by swapping my Apache code. I made my php.ini as secure as possible based off my searches for the system files it was accessing. Have put safe-mode on, disabled access to files from PHP and still it worked to some degree. NOT PRETTY.

Wolf

scot wrote:
> Well, here's what happened here now that I have more details. We had a
> client with a php calendar installed. The attacker was able to upload
> c99.txt somehow and basically rename it to tasks.php within this calendar.
> c99 is amazing with what it can do, I'm no security expert but it blows me
> away. I could basically delete entire drives with this thing if I wanted.
> I'm still working out how it is able to do all this but...
>
> thanks everyone for the php setting suggestions. I'll tweak it some and try
> to lock it down more. Not sure if that would have stopped this or not.
>
> Scot
>
> "Edward Vermillion" <evermillion@xxxxxxxxxxxx> wrote in message
> news:AADC7A97-379A-4F07-9C6B-850599D722CA@xxxxxxxxxxxxxxx
>> Correct me if I'm wrong on this, but from what I've seen (last hour or so
>> looking through google for c99+php+shell+captain+crunch), it looks like
>> the vulnerability comes from including uploaded files somehow? Or at
>> least allowing files to be uploaded and then accessed with a .php
>> extension (or whatever Apache *thinks* should go to php).
>>
>>
>> This looks like a php script to me. I'm confused on how it all works as a
>> vulnerability. (nothing new)
>>
>> Ed
>>
>> On May 1, 2006, at 7:34 AM, Wolf wrote:
>>
>>> I got smacked by it as well. File-upload area that they uploaded a
>>> .php.rar file and then accessed the sucker (must have reconfigured their
>>> browser for handling?).
>>>
>>> At any rate, my file-upload area now is a file-upload and you can't
>>> access it anymore area. It lists it, but... you can't play with it.
>>>
>>> Might I remind everyone... BACKUP YOUR IMPORTANT STUFF NIGHTLY
>>>
>>> For anyone who wants a copy of c99 (or 2 other variants), let me know
>>> and I will email them to you. I have spent hours working with some of
>>> the more obscure and stronger security settings but was still able to
>>> use them, which is why my file-upload area is now rigged the way that it is.
>>>
>>> Wolf
>>>
>>> scot wrote:
>>>> Hi there,
>>>> Not sure if this is proper place to post but here it goes. We got nailed by
>>>> someone using c99shell today. They were able to upload and overwrite a bunch
>>> --
>>> PHP General Mailing List (http://www.php.net/)
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
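
The two uploads described in this thread (a `.php.rar` file that ran when accessed, and `c99.txt` renamed to `tasks.php`), as an added example that is not part of the original messages: a Python check that audits an upload area and picks server-side storage names. It assumes Apache's mod_mime multi-extension matching is why `.php.rar` executed, which the thread does not confirm; the extension sets, function names and sample listing are hypothetical.

```python
import secrets

# Assumption: extensions the server hands to PHP; match this to the real Apache config.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phps"}
# Assumption: the only upload types this hypothetical site accepts.
ALLOWED_FINAL = {"txt", "jpg", "png", "pdf", "rar", "zip"}


def _basename(filename):
    """Strip any client-supplied directory part and normalise case."""
    return filename.replace("\\", "/").rsplit("/", 1)[-1].lower()


def executable_segments(filename):
    """Return every extension segment of the name that maps to PHP.

    mod_mime considers all extensions of a file, not only the last one,
    so 'x.php.rar' is reported as well as 'x.php'.
    """
    segments = _basename(filename).split(".")[1:]
    return [s for s in segments if s.strip() in PHP_EXTENSIONS]


def stored_name(filename):
    """Pick the on-disk name for an upload, or raise ValueError to reject it."""
    name = _basename(filename)
    if "\x00" in name or executable_segments(name):
        raise ValueError("rejected: %r" % filename)
    final = name.rsplit(".", 1)[-1] if "." in name else ""
    if final not in ALLOWED_FINAL:
        raise ValueError("rejected: %r" % filename)
    # Server-chosen name: only one vetted extension survives from the client.
    return secrets.token_hex(16) + "." + final


def audit(filenames):
    """Flag files already in an upload area that the server could run as PHP."""
    return [f for f in filenames if executable_segments(f)]


# Constructed sample listing, modelled on the file names mentioned in the thread.
SAMPLE = ["holiday.jpg", "c99.txt", "tasks.php", "archive.php.rar",
          "notes.PHP5.txt", "report.pdf"]

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(stored_name("holiday.jpg"))
```

A name check cannot flag `c99.txt` before it is renamed, so the upload directory also needs PHP execution turned off in the web server configuration and should sit outside any path where scripts can rename files into place.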