From: matt <ma...@tu...> - 2009-01-07 20:31:50
Good day,

Here is a follow-up on the written by Jeff Tickle, our systems administrator.

-------------------------------------------------------------------------

Long story short, upgrade to phpWebSite 1.6.1 from Sourceforge.

The exploit code in Init.php does the following:

1. See if ./files/writetest exists
2. If not, send an email to dda...@gm... with your host name and the script path, and create /files/writetest
3. If the GET variable 'viewtables' is set, execute c99MadShell.

c99MadShell is a php-based shell, more info here: http://www.derekfountain.org/security_c99madshell.php

The attacker would have been restricted to the apache user. So, if you are using suPHP, the damage won't be as bad, although they could still upload files to a writable served path. The only way the attacker could get root privileges is if the apache user could be used to find out your root password somehow, like if your /etc/shadow file is world readable or some such.

Things to check for:

1. The exploited code in core/class/Init.php around line 102
2. 'writetest' file under 'files' directory in each phpWebSite installation
3. 'dda...@gm...' destination address in your email logs
4. 'viewtables' GET variable in your web server access logs

1 and 2 mean you have the exploit, 3 means the author was notified, and 4 means someone tried to use it.

I'll post more as I learn more...

-Jeff

--------------------------------------------------------------------------

--
Matthew McNaney
Electronic Student Services
Appalachian State University
Ext. 6493
http://ess.appstate.edu
http://phpwebsite.appstate.edu
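The four checks Jeff lists, turned into a POSIX shell sweep you can point at a phpWebSite docroot, an Apache access log and a mail log. This is an added example, not code from the thread or from phpWebSite. The install tree and log lines it creates are constructed fixtures so it runs offline; the notification address is redacted in the post, so the sweep takes it as an argument and the fixture uses a placeholder (`attacker@example.invalid`). The grep patterns are my assumptions about what the tampered file and the exploit requests look like, based only on the strings the post names.

```shell
#!/bin/sh
# Indicator sweep for the backdoored phpWebSite Init.php described in the post.
# Added example, not from the original thread or from phpWebSite.
# Fixture data below is constructed; the attacker's address is redacted in the
# post, so it is passed in rather than hard-coded.
set -u

# Request lines whose query string sets the 'viewtables' GET variable:
# matches ?viewtables, ?viewtables=1, &viewtables=x but not ?viewtables2=1.
VT_RE='"(GET|POST|HEAD) [^ ]*[?&]viewtables(=[^& ]*)?(&| )'

# Indicator 1: backdoor logic in core/class/Init.php (near line 102 per the post).
# Prints matching lines with line numbers; exit 0 only if something matched.
check_init() {
    f="$1/core/class/Init.php"
    [ -f "$f" ] && grep -n -E 'writetest|viewtables|c99' "$f"
}

# Indicator 2: the marker file the backdoor drops after its first run.
check_writetest() {
    [ -f "$1/files/writetest" ]
}

# Indicator 3: outbound mail to the author's address. $1 mail log, $2 address.
# Prints the number of matching lines (0 when none).
count_mail_hits() {
    grep -c -F -- "$2" "$1" || true
}

# Indicator 4: requests using the viewtables GET variable. $1 access log.
count_viewtables_hits() {
    grep -c -E "$VT_RE" "$1" || true
}

# Source addresses of those requests (first field of common/combined log format).
viewtables_sources() {
    grep -E "$VT_RE" "$1" | cut -d' ' -f1 | sort -u
}

# Run all four checks. $1 docroot, $2 access log, $3 mail log, $4 address.
# Prints one verdict per indicator; returns the number that fired (0 = clean).
sweep() {
    dir=$1 access=$2 maillog=$3 addr=$4 hits=0
    if check_init "$dir" >/dev/null; then
        echo "1. Init.php tampered:      YES"; hits=$((hits+1))
    else echo "1. Init.php tampered:      no"; fi
    if check_writetest "$dir"; then
        echo "2. files/writetest present: YES"; hits=$((hits+1))
    else echo "2. files/writetest present: no"; fi
    if [ "$(count_mail_hits "$maillog" "$addr")" -gt 0 ]; then
        echo "3. mail sent to $addr: YES (author was notified)"; hits=$((hits+1))
    else echo "3. mail sent to $addr: no"; fi
    if [ "$(count_viewtables_hits "$access")" -gt 0 ]; then
        echo "4. viewtables requests:    YES, from: $(viewtables_sources "$access" | tr '\n' ' ')"
        hits=$((hits+1))
    else echo "4. viewtables requests:    no"; fi
    return "$hits"
}

# Constructed fixture: a docroot with the two strings the post names in
# Init.php (not the real backdoor), the marker file, and sample logs.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/core/class" "$d/files"
    printf '%s\n' '<?php' '// ... init code ...' \
        "if (!file_exists('./files/writetest')) { /* notify + touch */ }" \
        "if (isset(\$_GET['viewtables'])) { /* shell */ }" > "$d/core/class/Init.php"
    : > "$d/files/writetest"
    cat > "$d/access.log" <<'EOF'
192.0.2.10 - - [07/Jan/2009:10:12:01 -0500] "GET /index.php?module=users HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Jan/2009:10:15:22 -0500] "GET /index.php?viewtables HTTP/1.1" 200 8311 "-" "Mozilla/4.0"
198.51.100.7 - - [07/Jan/2009:10:15:40 -0500] "POST /index.php?viewtables=1&act=ls HTTP/1.1" 200 2017 "-" "Mozilla/4.0"
192.0.2.10 - - [07/Jan/2009:10:16:05 -0500] "GET /index.php?viewtables2=1 HTTP/1.1" 404 311 "-" "Mozilla/5.0"
EOF
    cat > "$d/mail.log" <<'EOF'
Jan  7 10:15:23 web1 sendmail[4411]: n07FFMxx004411: to=<attacker@example.invalid>, delay=00:00:01, stat=Sent
Jan  7 10:20:00 web1 sendmail[4420]: n07FK0xx004420: to=<admin@example.invalid>, delay=00:00:00, stat=Sent
EOF
    echo "$d"
}

# Demo on the fixture; on a real box pass the docroot and the real log paths.
demo=$(make_fixture)
sweep "$demo" "$demo/access.log" "$demo/mail.log" 'attacker@example.invalid' || true
rm -rf "$demo"
```

On a real server, run `sweep` once per phpWebSite installation (the post says to check each one) and against the rotated logs as well as the current ones, since the marker file only tells you the backdoor ran, not when. A hit on indicator 1 or 2 alone means the tampered file is present; a hit on 4 is the one that should trigger a full compromise review of anything the apache user could write to.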