From: "scot" on 30 Apr 2006 14:13

Hi there,

Not sure if this is the proper place to post but here it goes. We got nailed by someone using c99shell today. They were able to upload and overwrite a bunch of index files. I am working on discovering how they were able to get it on our server. Here's some basic info. I am by no means a PHP expert. Should things be different? Is there a good paper out there somewhere in regards to Windows / IIS5 / PHP security?

php 4.4.1
Safe Mode: OFF
Open basedir: none
Display Errors: ON
Short Open Tags: ON
File Uploads: ON
Magic Quotes: ON
Register Globals: ON
Output Buffering: OFF
Session save path: e:\PHP\sessiondata
Session auto start: 0
XML enabled: Yes
Zlib enabled: Yes
Disabled Functions: none

Here is also a snip of log (altered IPs and URL) of what I think is the hack of the site. (I could be wrong)

2006-04-29 23:47:46 x.x.x.x - x.x.x.x 80 GET /index.html - 200 0 958 105 172 HTTP/1.0 www.blah.com Wget/1.9.1 - -
2006-04-29 23:49:32 x.x.x.x - x.x.x.x 80 GET /index.html - 200 0 953 122 297 HTTP/1.1 www.blah.com libwww-perl/5.805 - -

Thanks,
Scot
From: Stut on 30 Apr 2006 16:48

scot wrote:
> Hi there,
> Not sure if this is the proper place to post but here it goes. We got nailed by someone using c99shell today. They were able to upload and overwrite a bunch of index files. I am working on discovering how they were able to get it on our server. Here's some basic info. I am by no means a PHP expert. Should things be different? Is there a good paper out there somewhere in regards to Windows / IIS5 / PHP security?

<snip>

Chances are the problem is one of the scripts written in PHP rather than PHP itself. A good site to check out is http://phpsec.org/ - it has lots of info and links to more info about PHP security.

> Here is also a snip of log (altered IPs and URL) of what I think is the hack of the site. (I could be wrong)
>
> 2006-04-29 23:47:46 x.x.x.x - x.x.x.x 80 GET /index.html - 200 0 958 105 172 HTTP/1.0 www.blah.com Wget/1.9.1 - -
> 2006-04-29 23:49:32 x.x.x.x - x.x.x.x 80 GET /index.html - 200 0 953 122 297 HTTP/1.1 www.blah.com libwww-perl/5.805 - -

Neither of these looks particularly suspicious. Key things to look into are who has access to your server, who writes the scripts, and whether there are any scripts that write files to the server based on content uploaded from users.

Hope that helps.

-Stut
From: "Dave Goodchild" on 30 Apr 2006 16:50

Hey. That is not a good php.ini configuration.

1. display_errors should be disabled in production as it may output path info to the browser.
2. register_globals should be disabled (default in php5) as it allows scripts to be polluted with tainted data.
3. I would also disable short_open_tags - not a security issue but more for portability as you cannot guarantee this setting will be enabled on another server.

On 30/04/06, scot <scotoc(a)hotmail.com> wrote:
> Hi there,
> Not sure if this is the proper place to post but here it goes. We got nailed by someone using c99shell today. They were able to upload and overwrite a bunch of index files. I am working on discovering how they were able to get it on our server. Here's some basic info. I am by no means a PHP expert. Should things be different? Is there a good paper out there somewhere in regards to Windows / IIS5 / PHP security?
>
> php 4.4.1
> Safe Mode: OFF
> Open basedir: none
> Display Errors: ON
> Short Open Tags: ON
> File Uploads: ON
> Magic Quotes: ON
> Register Globals: ON
> Output Buffering: OFF
> Session save path: e:\PHP\sessiondata
> Session auto start: 0
> XML enabled: Yes
> Zlib enabled: Yes
> Disabled Functions: none
>
> Here is also a snip of log (altered IPs and URL) of what I think is the hack of the site. (I could be wrong)
>
> 2006-04-29 23:47:46 x.x.x.x - x.x.x.x 80 GET /index.html - 200 0 958 105 172 HTTP/1.0 www.blah.com Wget/1.9.1 - -
> 2006-04-29 23:49:32 x.x.x.x - x.x.x.x 80 GET /index.html - 200 0 953 122 297 HTTP/1.1 www.blah.com libwww-perl/5.805 - -
>
> Thanks,
> Scot
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

--
http://www.web-buddha.co.uk
dynamic web programming from Reigate, Surrey UK (php, mysql, xhtml, css)
look out for project karma, our new venture, coming soon!
From: "Richard Lynch" on 30 Apr 2006 21:45

On Sun, April 30, 2006 12:31 am, scot wrote:
> Hi there,
> Not sure if this is the proper place to post but here it goes. We got nailed by someone using c99shell today. They were able to upload and overwrite a bunch of index files. I am working on discovering how they were able to get it on our server. Here's some basic info. I am by no means a PHP expert. Should things be different? Is there a good paper out there somewhere in regards to Windows / IIS5 / PHP security?

I know nothing about c99shell, but I can tell you...

> php 4.4.1
> Safe Mode: OFF
> Open basedir: none

This should be a directory starting with C:\ and ending in a directory where PHP can have a "workspace" to read/write files, and that directory (and sub-dirs) should be exclusively reserved for PHP data.

> Display Errors: ON

This is bad on a production server. It exposes too much of your internal workings to Bad Guys.

> Short Open Tags: ON

Turn them off, not for security, but for compatibility with other servers where they will be off.

> File Uploads: ON

Do you USE file uploads?... Turn them off, if not.

> Magic Quotes: ON

This should be off so you can sanitize your input data, and then use http://php.net/mysql_real_escape_string

> Register Globals: ON

OFF OFF OFF!!! Unless you can guarantee your PHP code is 100% perfect with every variable always initialized, including any PHP software you download/install, this MUST be turned OFF!

> Output Buffering: OFF
> Session save path: e:\PHP\sessiondata

This may need to be within open_basedir...

> Session auto start: 0
> XML enabled: Yes
> Zlib enabled: Yes
> Disabled Functions: none
>
> Here is also a snip of log (altered IPs and URL) of what I think is the hack of the site. (I could be wrong)
>
> 2006-04-29 23:47:46 x.x.x.x - x.x.x.x 80 GET /index.html - 200 0 958 105 172 HTTP/1.0 www.blah.com Wget/1.9.1 - -
> 2006-04-29 23:49:32 x.x.x.x - x.x.x.x 80 GET /index.html - 200 0 953 122 297 HTTP/1.1 www.blah.com libwww-perl/5.805 - -

Errrr. It's unlikely in the extreme that 2 GETs messed you up... And somebody wrote a perl script to do something, but you haven't told us what on that last line...

--
Like Music? http://l-i-e.com/artists.htm
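As an added illustration of the register_globals and display_errors points Richard makes above (example code written for this archive, not from anyone in the thread): the vulnerable pattern is a variable that is only assigned on the success path, so with register_globals=On a request parameter of the same name fills it in before the script runs. The `is_admin` variable, the constructed request and the `unregister_globals()` helper are assumptions for the example; the scrubbing helper is the usual fallback where php.ini cannot be edited, because register_globals is a per-directory setting that ini_set() cannot change at runtime.

```php
<?php
// Added example, not code from the thread. Shows why register_globals=On is
// dangerous and two runtime mitigations for the settings discussed above.
// The request below is constructed; "is_admin" is a hypothetical name for an
// uninitialised variable in application code.

// Simulate what register_globals=On did on the poster's PHP 4.4.1: every
// request parameter became a global variable before the script ran.
// (Modern PHP removed the feature, so the demonstration fakes it here.)
$_GET = ['page' => 'home', 'is_admin' => '1'];   // constructed attacker-style request
foreach ($_GET as $name => $value) {
    $GLOBALS[$name] = $value;
}

// Vulnerable pattern: $is_admin is only ever assigned on the success path and
// never initialised, so a request-supplied global survives the check and a
// guest is treated as admin.
function vulnerable_is_admin($role)
{
    global $is_admin;
    if ($role === 'admin') {
        $is_admin = true;
    }
    return !empty($is_admin);
}

// Mitigation 1: undo register_globals at the top of every script by removing
// any global whose name came from the request, while leaving the superglobals
// themselves untouched.
function unregister_globals()
{
    $protected = ['_GET', '_POST', '_COOKIE', '_FILES', '_SERVER', '_ENV',
                  '_REQUEST', '_SESSION', 'GLOBALS'];
    $fromRequest = array_merge($_GET, $_POST, $_COOKIE, $_FILES);
    foreach (array_keys($fromRequest) as $name) {
        if (!in_array($name, $protected, true)) {
            unset($GLOBALS[$name]);
        }
    }
}

// Mitigation 2: the same check written defensively. The flag is always
// initialised, so nothing outside the function can pre-set it, and any input
// the script needs is read explicitly from $_GET/$_POST rather than relied on
// as a magic global.
function hardened_is_admin($role)
{
    $isAdmin = false;
    if ($role === 'admin') {
        $isAdmin = true;
    }
    return $isAdmin;
}

// Production error handling from the thread, applied at runtime for hosts
// where php.ini cannot be edited: never show errors (and the file paths in
// them) to the browser, but keep them in the server log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Demonstration: the poisoned global makes the vulnerable check pass for a
// guest; after scrubbing it fails; the hardened check is unaffected either way.
var_dump(vulnerable_is_admin('guest'));
unregister_globals();
var_dump(vulnerable_is_admin('guest'));
var_dump(hardened_is_admin('guest'));
var_dump(hardened_is_admin('admin'));
```

Two caveats on the runtime settings: ini_set('display_errors', '0') only takes effect once the script is executing, so a parse error in the same file is still displayed unless php.ini is fixed; and scrubbing globals only protects code that runs after the call, so it belongs in a file that is included first by every script.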
From: Wolf on 1 May 2006 08:34

I got smacked by it as well. File-upload area that they uploaded a ..php.rar file to, and then accessed the sucker (must have reconfigured their browser for handling?). At any rate, my file-upload area now is a file-upload and you can't access it anymore area. It lists it, but... you can't play with it.

Might I remind everyone... BACKUP YOUR IMPORTANT STUFF NIGHTLY

For anyone who wants a copy of c99 (or 2 other variants), let me know and I will email them to you. I have spent hours working with some of the more obscure and stronger security settings but was still able to use them, which is why my file-upload area is now rigged the way that it is.

Wolf

scot wrote:
> Hi there,
> Not sure if this is the proper place to post but here it goes. We got nailed by someone using c99shell today. They were able to upload and overwrite a bunch
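Stut's point earlier in the thread about scripts that write files from user uploads and Wolf's fix above (an upload area that lists files but will not let them run) come down to the same three controls. Added example, not code from the thread or from any of its posters: the file type is decided by the final extension only, the file is stored under a server-generated name in a directory outside the web root, and it reaches a browser only through a download function that forces an attachment. The directory `E:\uploads`, the allow-list, the size limit and the function names are assumptions for the example; note that a name such as `shell.php.rar` passes the name filter on purpose, because the stored name and location, not the filter, are what stop it from ever executing.

```php
<?php
// Added example, not code from the thread. Upload handling that follows the
// thread's mitigations: allow-list on the LAST extension, random server-side
// name, storage outside the web root, delivery only as an attachment.
// UPLOAD_DIR, $ALLOWED_EXTENSIONS and $MAX_BYTES are assumed values.

define('UPLOAD_DIR', 'E:\\uploads');                 // assumed: not under the IIS web root
$ALLOWED_EXTENSIONS = ['jpg', 'png', 'gif', 'pdf', 'txt', 'zip', 'rar'];
$MAX_BYTES = 2 * 1024 * 1024;

// Return the lower-cased final extension when the client-supplied name is
// acceptable, or null when it should be rejected. Only the last extension
// decides the type, so "x.php.rar" is a .rar and "..php.rar" is refused.
function allowed_extension($originalName, array $allowed)
{
    $base = basename(str_replace('\\', '/', $originalName));   // drop any path, Windows or POSIX
    if ($base === '' || $base[0] === '.') {
        return null;                                             // dotfiles and "..php.rar"
    }
    $parts = explode('.', $base);
    if (count($parts) < 2) {
        return null;                                             // no extension at all
    }
    $ext = strtolower(end($parts));
    return in_array($ext, $allowed, true) ? $ext : null;
}

// Fresh server-side name: the client's filename never reaches the disk.
function generated_name($ext)
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Handle one entry of $_FILES. Returns the stored name or throws.
function store_upload(array $file, array $allowed, $maxBytes, $dir)
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('file too large');
    }
    $ext = allowed_extension($file['name'], $allowed);
    if ($ext === null) {
        throw new RuntimeException('file type not allowed');
    }
    // Content check on top of the name check (fileinfo is bundled with PHP):
    // refuse anything the sniffer identifies as PHP source or a Windows binary.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (preg_match('#^(text/x-php|application/x-(httpd-)?php|application/x-dosexec)$#', $mime)) {
        throw new RuntimeException('executable content refused');
    }
    $name = generated_name($ext);
    $dest = rtrim($dir, '/\\') . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// The only path from the upload directory to a browser. Accepts nothing but
// the exact shape of a generated name, so no traversal or foreign file can be
// requested, and always sends the bytes as a download rather than a page.
function serve_download($storedName, $dir)
{
    if (!preg_match('/^[a-f0-9]{32}\.[a-z0-9]{1,5}$/', $storedName)) {
        http_response_code(404);
        return;
    }
    $path = rtrim($dir, '/\\') . DIRECTORY_SEPARATOR . $storedName;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $storedName . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

// Self-check of the name filter with constructed filenames (no real upload).
foreach (['photo.JPG', 'shell.php.rar', '..php.rar', 'notes', 'c:\\tmp\\report.pdf', 'a.php'] as $n) {
    printf("%-22s -> %s\n", $n, var_export(allowed_extension($n, $ALLOWED_EXTENSIONS), true));
}
```

In a form handler the call is `store_upload($_FILES['attachment'], $ALLOWED_EXTENSIONS, $MAX_BYTES, UPLOAD_DIR)`, and the listing page links each stored name to the download script instead of to the file. Because `E:\uploads` is not under the web root, a file that slips past both checks still cannot be requested as a URL, which is the property Wolf's rigged upload area relies on.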