From: Edward Vermillion on
Correct me if I'm wrong on this, but from what I've seen (last hour
or so looking through google for c99+php+shell+captain+crunch), it
looks like the vulnerability comes from including uploaded files
somehow? Or at least allowing files to be uploaded and then accessed
with a .php extension (or whatever Apache *thinks* should go to php).


This looks like a php script to me. I'm confused on how it all works
as a vulnerability. (nothing new)

Ed

On May 1, 2006, at 7:34 AM, Wolf wrote:

> I got smacked by it as well. File-upload area that they uploaded a
> .php.rar file and then accessed the sucker (must have reconfigured
> their
> browser for handling?).
>
> At any rate, my file-upload area now is a file-upload and you can't
> access it anymore area. It lists it, but... you can't play with it.
>
> Might I remind everyone... BACKUP YOUR IMPORTANT STUFF NIGHTLY
>
> For anyone who wants a copy of c99 (or 2 other variants), let me know
> and I will email them to you. I have spent hours working with some of
> the more obscure and stronger security settings but was still able to
> use them, which is why my file-upload area is now rigged the way that
> it is.
>
> Wolf
>
> scot wrote:
>> Hi there,
>> Not sure if this is the proper place to post, but here it goes. We got
>> nailed by
>> someone using c99shell today. They were able to upload and
>> overwrite a bunch
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
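An added example, not code from anyone in this thread: a hardened PHP upload handler that closes the path Ed and Wolf describe (a file is uploaded, then reached under a name Apache hands to the PHP engine). It assumes a hypothetical private directory `/var/www/private-uploads` outside the DocumentRoot and a form field named `upload`; both are placeholders. The file is renamed to a server-chosen name, only the last extension is considered, the content type is checked from the bytes rather than the client's claim, and the file is only ever served back through `serve_upload()`.

```php
<?php
// Added example for this thread (not from the original posts).
// Assumptions: UPLOAD_DIR is outside the web root, so no URL maps onto it,
// and files are handed back only through serve_upload().

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/private-uploads'; // hypothetical path, outside DocumentRoot
const MAX_BYTES  = 2 * 1024 * 1024;

// Allowed extension => MIME type that the file contents must actually have.
const ALLOWED = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
];

/**
 * Validate one $_FILES entry and move it under a server-chosen name.
 * Returns the stored filename; throws on any policy violation.
 */
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Use only the LAST extension of the client-supplied name, lower-cased,
    // and require it to be whitelisted: "c99.php.rar" -> "rar" -> rejected,
    // "tasks.php" -> "php" -> rejected.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // Check the real content type; $file['type'] is whatever the client sent.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }

    // Discard the original name entirely: a random name with a known-safe
    // extension leaves nothing for a later rename trick to build on.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the web server, never executable
    return $stored;
}

/**
 * Serve a stored file by its server-chosen name. Because the directory is
 * outside the web root, Apache never maps a URL onto it and cannot run it as PHP.
 */
function serve_upload(string $stored): void
{
    // Only names this script generates match; this also rejects ../ traversal.
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|png|pdf)$/', $stored)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $stored;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ALLOWED[pathinfo($path, PATHINFO_EXTENSION)]);
    header('Content-Disposition: attachment; filename="' . $stored . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

if (PHP_SAPI !== 'cli' && isset($_FILES['upload'])) {
    try {
        echo 'stored as ', store_upload($_FILES['upload']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ', htmlspecialchars($e->getMessage());
    }
}
```

The `.php.rar` case Wolf saw is Apache's documented multiple-extension handling in mod_mime: with `AddHandler application/x-httpd-php .php`, every extension in a filename is examined, so `shell.php.rar` is handed to PHP no matter what the browser does. The server-side complement to the handler above is to bind PHP only to names that end in `.php` (a `<FilesMatch "\.php$">` block with `SetHandler`) and to turn the engine off in any directory that must hold user content (`php_flag engine off` in that directory's `<Directory>` block). A PHP-level check that looks only at the last extension, as above, is not enough on its own if the upload directory stays under the DocumentRoot with PHP enabled.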
From: "scot" on
Well, here's what happened here now that I have more details. We had a
client with a php calendar installed. The attacker was able to upload
c99.txt somehow and basically rename it to tasks.php within this calendar.
c99 is amazing with what it can do, I'm no security expert but it blows me
away. I could basically delete entire drives with this thing if I wanted.
I'm still working out how it is able to do all this but...

thanks everyone for the php setting suggestions. I'll tweak it some and try
to lock it down more. Not sure if that would have stopped this or not.

Scot

"Edward Vermillion" <evermillion(a)doggydoo.net> wrote in message
news:AADC7A97-379A-4F07-9C6B-850599D722CA(a)doggydoo.net...
> Correct me if I'm wrong on this, but from what I've seen (last hour or so
> looking through google for c99+php+shell+captain+crunch), it looks like
> the vulnerability comes from including uploaded files somehow? Or at
> least allowing files to be uploaded and then accessed with a .php
> extension (or whatever Apache *thinks* should go to php).
>
>
> This looks like a php script to me. I'm confused on how it all works as a
> vulnerability. (nothing new)
>
> Ed
>
> On May 1, 2006, at 7:34 AM, Wolf wrote:
>
>> I got smacked by it as well. File-upload area that they uploaded a
>> .php.rar file and then accessed the sucker (must have reconfigured their
>> browser for handling?).
>>
>> At any rate, my file-upload area now is a file-upload and you can't
>> access it anymore area. It lists it, but... you can't play with it.
>>
>> Might I remind everyone... BACKUP YOUR IMPORTANT STUFF NIGHTLY
>>
>> For anyone who wants a copy of c99 (or 2 other variants), let me know
>> and I will email them to you. I have spent hours working with some of
>> the more obscure and stronger security settings but was still able to
>> use them, which is why my file-upload area is now rigged the way that it is.
>>
>> Wolf
>>
>> scot wrote:
>>> Hi there,
>>> Not sure if this is the proper place to post, but here it goes. We got
>>> nailed by
>>> someone using c99shell today. They were able to upload and overwrite a
>>> bunch
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
From: Wolf on
What I found with my working with trying to lock it down was that I
could not do it entirely at the last point of trying. I could only
succeed in doing most of it by swapping my apache code. I made my
php.ini as secure as possible based off my searches for the system files
it was accessing. Have put safe-mode on, disabled access to files from
PHP and still it worked to some degree. NOT PRETTY.

Wolf

scot wrote:
> Well, here's what happened here now that I have more details. We had a
> client with a php calendar installed. The attacker was able to upload
> c99.txt somehow and basically rename it to tasks.php within this calendar.
> c99 is amazing with what it can do, I'm no security expert but it blows me
> away. I could basically delete entire drives with this thing if I wanted.
> I'm still working out how it is able to do all this but...
>
> thanks everyone for the php setting suggestions. I'll tweak it some and try
> to lock it down more. Not sure if that would have stopped this or not.
>
> Scot
>
> "Edward Vermillion" <evermillion(a)doggydoo.net> wrote in message
> news:AADC7A97-379A-4F07-9C6B-850599D722CA(a)doggydoo.net...
>> Correct me if I'm wrong on this, but from what I've seen (last hour or so
>> looking through google for c99+php+shell+captain+crunch), it looks like
>> the vulnerability comes from including uploaded files somehow? Or at
>> least allowing files to be uploaded and then accessed with a .php
>> extension (or whatever Apache *thinks* should go to php).
>>
>>
>> This looks like a php script to me. I'm confused on how it all works as a
>> vulnerability. (nothing new)
>>
>> Ed
>>
>> On May 1, 2006, at 7:34 AM, Wolf wrote:
>>
>>> I got smacked by it as well. File-upload area that they uploaded a
>>> .php.rar file and then accessed the sucker (must have reconfigured their
>>> browser for handling?).
>>>
>>> At any rate, my file-upload area now is a file-upload and you can't
>>> access it anymore area. It lists it, but... you can't play with it.
>>>
>>> Might I remind everyone... BACKUP YOUR IMPORTANT STUFF NIGHTLY
>>>
>>> For anyone who wants a copy of c99 (or 2 other variants), let me know
>>> and I will email them to you. I have spent hours working with some of
>>> the more obscure and stronger security settings but was still able to
>>> use them, which is why my file-upload area is now rigged the way that it is.
>>>
>>> Wolf
>>>
>>> scot wrote:
>>>> Hi there,
>>>> Not sure if this is the proper place to post, but here it goes. We got
>>>> nailed by
>>>> someone using c99shell today. They were able to upload and overwrite a
>>>> bunch
>>> --
>>> PHP General Mailing List (http://www.php.net/)
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>