Re: c99shell




What flavor of server are you running on (Windows/*nix)?

Does this do a root kit too? It seems that at least the system files would be protected from tampering if php is running as an unprivileged user(?maybe??). Although, on *nix at least, I could see that they would be able to at least read /etc.

If you don't mind could you give a list of what you had to change in apache? Maybe off list if you'd rather. Just curious as to what all this is actually doing. I know from the bits of code I found from google cached cracked sites that it's a hell of a long script and it looks to be checking everything it can.

Ed

On May 1, 2006, at 2:17 PM, Wolf wrote:

What I found with my working with trying to lock it down was that I could not do it entirely at the last point of trying. I could only succeed in doing most of it by swapping my apache code. I made my php.ini as secure as possible based off my searches for the system files it was accessing. Have put safe-mode on, disabled access to files from PHP and still it worked to some degree. NOT PRETTY.

Wolf

scot wrote:
Well, here's what happened here now that I have more details. We had a client with a php calendar installed. The attacker was able to upload c99.txt somehow and basically rename it to tasks.php within this calendar. c99 is amazing with what it can do, I'm no security expert but it blows me away. I could basically delete entire drives with this thing if I wanted. I'm still working out how it is able to do all this but...

Thanks everyone for the php setting suggestions. I'll tweak it some and try to lock it down more. Not sure if that would have stopped this or not.

Scot

"Edward Vermillion" <evermillion@xxxxxxxxxxxx> wrote in message
news:AADC7A97-379A-4F07-9C6B-850599D722CA@xxxxxxxxxxxxxxx
Correct me if I'm wrong on this, but from what I've seen (last hour or so looking through google for c99+php+shell+captain+crunch), it looks like the vulnerability comes from including uploaded files somehow? Or at least allowing files to be uploaded and then accessed with a .php extension (or whatever Apache *thinks* should go to php).

This looks like a php script to me. I'm confused on how it all works as a vulnerability. (nothing new)

Ed

On May 1, 2006, at 7:34 AM, Wolf wrote:

I got smacked by it as well. File-upload area that they uploaded a .php.rar file and then accessed the sucker (must have reconfigured their browser for handling?).

At any rate, my file-upload area now is a file-upload and you can't access it anymore area. It lists it, but... you can't play with it.

Might I remind everyone... BACKUP YOUR IMPORTANT STUFF NIGHTLY

For anyone who wants a copy of c99 (or 2 other variants), let me know and I will email them to you. I have spent hours working with some of the more obscure and stronger security settings but was still able to use them, which is why my file-upload area is now rigged the way that it is.

Wolf

scot wrote:
Hi there,
Not sure if this is the proper place to post but here it goes. We got nailed by someone using c99shell today. They were able to upload and overwrite a bunch
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php





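The point raised in the thread, that an upload named tasks.php or even shell.php.rar gets handed to the PHP engine, comes from Apache's mod_mime treating every dot-separated part of a filename as an extension. The upload filter below is an added defensive example, not code posted by anyone in the thread; PHP_EXTENSIONS and the $uploadDir directory are assumptions (the directory is assumed to have PHP execution switched off in the Apache config, e.g. with php_admin_flag engine off).

```php
<?php
// Added example, not from any poster in this thread. Apache's mod_mime treats
// every dot-separated part of a filename as an extension, so when ".php" is
// bound to the PHP handler a file called "shell.php.rar" is executed as PHP
// just like "tasks.php". The filter below mirrors that rule; $uploadDir is a
// hypothetical directory where PHP execution is assumed to be switched off
// in the Apache config (e.g. "php_admin_flag engine off" for that directory).
declare(strict_types=1);

/** Extensions assumed to be mapped to the PHP engine on this server. */
const PHP_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'phps'];

/** True when ANY extension segment of $name would be handed to PHP. */
function nameWouldRunAsPhp(string $name): bool
{
    $parts = explode('.', strtolower(basename($name)));
    array_shift($parts);                         // drop the base name itself
    foreach ($parts as $ext) {
        if (in_array($ext, PHP_EXTENSIONS, true)) {
            return true;
        }
    }
    return false;
}

/**
 * Store an entry of $_FILES under a random name with one allow-listed
 * extension. Returns the stored name, or null when the upload is rejected.
 */
function storeUpload(array $file, string $uploadDir, array $allowed): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $original = basename((string) $file['name']);
    $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
    // The allow-list alone would pass "shell.php.rar" if "rar" were allowed;
    // the multi-extension check is what closes that gap.
    if (nameWouldRunAsPhp($original) || !in_array($ext, $allowed, true)) {
        return null;
    }
    $stored = bin2hex(random_bytes(16)) . '.' . $ext; // uploader never picks the name
    return move_uploaded_file($file['tmp_name'], "$uploadDir/$stored") ? $stored : null;
}

// Constructed names from the thread, checked against the filter:
foreach (['tasks.php' => true, 'shell.php.rar' => true, 'photo.jpg' => false] as $name => $expected) {
    printf("%-14s %s\n", $name, nameWouldRunAsPhp($name) === $expected ? 'ok' : 'MISMATCH');
}
```

Renaming on storage and disabling the handler for the upload directory are independent layers: the name check stops the .php.rar trick, and the directory setting covers an upload that slips past it.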

