What flavor of server are you running on (Windows/*nix)?

Does this do a root kit too? It seems that at least the system files would be protected from tampering if php is running as an unprivileged user (?maybe??). Although, on *nix at least, I could see that they would be able to at least read /etc.

If you don't mind could you give a list of what you had to change in apache? Maybe off list if you'd rather. Just curious as to what all this is actually doing. I know from the bits of code I found from google cached cracked sites that it's a hell of a long script and it looks to be checking everything it can.

Ed
On May 1, 2006, at 2:17 PM, Wolf wrote:
What I found with my working with trying to lock it down was that I could not do it entirely at the last point of trying. I could only succeed in doing most of it by swapping my apache code. I made my php.ini as secure as possible based off my searches for the system files it was accessing. Have put safe-mode on, disabled access to files from PHP and still it worked to some degree. NOT PRETTY.

Wolf
scot wrote:
Well, here's what happened here now that I have more details. We had a client with a php calendar installed. The attacker was able to upload c99.txt somehow and basically rename it to tasks.php within this calendar.

c99 is amazing with what it can do, I'm no security expert but it blows me away. I could basically delete entire drives with this thing if I wanted. I'm still working out how it is able to do all this but...

thanks everyone for the php setting suggestions. I'll tweak it some and try to lock it down more. Not sure if that would have stopped this or not.

Scot
"Edward Vermillion" <evermillion@xxxxxxxxxxxx> wrote in message
news:AADC7A97-379A-4F07-9C6B-850599D722CA@xxxxxxxxxxxxxxx
Correct me if I'm wrong on this, but from what I've seen (last hour or so looking through google for c99+php+shell+captain+crunch), it looks like the vulnerability comes from including uploaded files somehow? Or at least allowing files to be uploaded and then accessed with a .php extension (or whatever Apache *thinks* should go to php).

This looks like a php script to me. I'm confused on how it all works as a vulnerability. (nothing new)

Ed
On May 1, 2006, at 7:34 AM, Wolf wrote:
I got smacked by it as well. File-upload area that they uploaded a .php.rar file and then accessed the sucker (must have reconfigured their browser for handling?).

At any rate, my file-upload area now is a file-upload and you can't access it anymore area. It lists it, but... you can't play with it.

Might I remind everyone... BACKUP YOUR IMPORTANT STUFF NIGHTLY

For anyone who wants a copy of c99 (or 2 other variants), let me know and I will email them to you. I have spent hours working with some of the more obscure and stronger security settings but was still able to use them, which is why my file-upload area is now rigged the way that it is.

Wolf
scot wrote:
Hi there,

Not sure if this is the proper place to post but here it goes. We got nailed by someone using c99shell today. They were able to upload and overwrite a bunch
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
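The thread's two observations, an uploaded "tasks.php" being served by the PHP handler and a ".php.rar" upload still executing (Apache's mod_mime treats every dot-separated suffix as an extension, so `AddHandler ... .php` can match a middle extension), both come down to letting user-named files land somewhere Apache maps to a handler. The following is an added example, not code from anyone in the thread, of the "you can list it but can't play with it" upload area Wolf describes: files are stored outside DocumentRoot under a server-chosen random name, the user's filename and extension are only used as metadata, and downloads are streamed back by a script instead of being mapped by Apache. The directory path `/var/www/private_uploads`, the whitelist, and the field name `upload` are assumptions for illustration.

```php
<?php
// Added example (not from the thread): upload/download pair that never lets an
// uploaded file become an executable script.
declare(strict_types=1);

// Assumption: outside DocumentRoot, writable only by the web server user.
const UPLOAD_DIR = '/var/www/private_uploads';

// Extensions we are willing to hand back, with the MIME type the bytes must have.
const ALLOWED_EXT = [
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
];

/**
 * Validate one $_FILES entry and move it to UPLOAD_DIR under a random name.
 * Returns the storage token, or null if the upload is rejected.
 */
function store_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Only the final extension is considered, and only if whitelisted:
    // "tasks.php", "c99.txt" and "shell.php.rar" are all rejected here.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_EXT[$ext])) {
        return null;
    }
    // Check the content, not just the name; a PHP script renamed to .png fails.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED_EXT[$ext]) {
        return null;
    }
    // Server-chosen name: no attacker-controlled characters reach the filesystem,
    // and the stored file has no extension for Apache or PHP to act on.
    $token = bin2hex(random_bytes(16));
    $dest  = UPLOAD_DIR . '/' . $token;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    // Keep a sanitised display name and the extension in a sidecar file.
    $display = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($file['name']));
    file_put_contents($dest . '.meta', json_encode(['name' => $display, 'ext' => $ext]));
    return $token;
}

/**
 * Stream a stored upload as an attachment. The path is built from a validated
 * token, so directory traversal and handler mapping are both out of reach.
 */
function send_upload(string $token): void
{
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $token;
    if (!is_file($path) || !is_file($path . '.meta')) {
        http_response_code(404);
        return;
    }
    $meta = json_decode((string) file_get_contents($path . '.meta'), true);
    header('Content-Type: ' . ALLOWED_EXT[$meta['ext']]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $meta['name'] . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Dispatch: POST with a file field "upload" stores it; GET ?t=<token> downloads it.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['upload'])) {
    $token = store_upload($_FILES['upload']);
    echo $token === null ? "Rejected\n" : "Stored as {$token}\n";
} elseif (isset($_GET['t'])) {
    send_upload((string) $_GET['t']);
}
```

If an upload directory has to stay under DocumentRoot for some reason, the same idea can be applied from the Apache side with a `<Directory>` block that turns the engine off for mod_php (`php_admin_flag engine off`) and removes the script handler for that tree (`RemoveHandler`); the script-side approach above is preferable because it does not depend on remembering that configuration for every new upload location.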