From: Reini U. <ru...@x-...> - 2007-04-12 13:00:22
|
Via the Phpwiki 1.3.x UpLoad feature some hackers from russia upload a php3 or php4 file, install a backdoor at port 8081 and have access to your whole disc and overtake the server. See http://ccteam.ru/releases/c99shell The uploaded file has a php, php3 or php4 extension and looks like a gif to the mime magic. So apache usually accepts it. To fix this issue at first move the lib/plugin/UpLoad.php file out of this directory. You can fix it by adding those two lines to your list of disallowed extensions: php3 php4 Currently only php is disallowed. -- Reini Urban http://phpwiki.org/ http://murbreak.at/ http://spacemovie.mur.at/ http://helsinki.at/ |
From: Sabri L. <sab...@st...> - 2007-04-12 13:12:20
|
Reini Urban wrote: >Via the Phpwiki 1.3.x UpLoad feature some hackers from russia upload a >php3 or php4 file, >install a backdoor at port 8081 and have access to your whole >disc and overtake the server. > >See http://ccteam.ru/releases/c99shell I think that the URL is wrong. >The uploaded file has a php, php3 or php4 extension and looks >like a gif to the mime magic. >So apache usually accepts it. > >To fix this issue at first move the lib/plugin/UpLoad.php file >out of this directory. > >You can fix it by adding those two lines to your list of >disallowed extensions: > >php3 >php4 > >Currently only php is disallowed. Regards, -- Sabri. |
From: Reini U. <ru...@x-...> - 2007-04-12 13:18:37
|
2007/4/12, Sabri LABBENE <sab...@st...>: > Reini Urban wrote: > >Via the Phpwiki 1.3.x UpLoad feature some hackers from russia upload a > >php3 or php4 file, > >install a backdoor at port 8081 and have access to your whole > >disc and overtake the server. > > > >See http://ccteam.ru/releases/c99shell > > I think that the URL is wrong. This url obviously worked in 2006. Now it is gone. I submitted a critical security alert to CERT and it will be in the cve reports of mitre.org also then (hopefully). -- Reini Urban http://phpwiki.org/ http://murbreak.at/ http://spacemovie.mur.at/ http://helsinki.at/ |
From: Harold H. <ha...@ha...> - 2007-04-12 16:37:57
|
> 2007/4/12, Sabri LABBENE <sab...@st...>: >> Reini Urban wrote: >> >Via the Phpwiki 1.3.x UpLoad feature some hackers from russia upload a >> >php3 or php4 file, >> >install a backdoor at port 8081 and have access to your whole >> >disc and overtake the server. >> > >> >See http://ccteam.ru/releases/c99shell >> >> I think that the URL is wrong. > > This url obviously worked in 2006. Now it is gone. > > I submitted a critical security alert to CERT and it will be in the > cve reports of mitre.org > also then (hopefully). > -- > Reini Urban > http://phpwiki.org/ http://murbreak.at/ > http://spacemovie.mur.at/ http://helsinki.at/ > As the one who was attacked, I can give you the IP addresses of the attackers. Second, instead of disallowed extensions, I think it would be much safet to have a list of ALLOWED extensions. I see this as a todo in the upload plugin. I have set my upload directory as read only and require users to now email me stuff to post. As to how much was visible to the hackers (and I have the code for their script), it SEEMS that it would only be what user apache could see, which would be stuff it owns and stuff that is world readable. Is that correct? THANKS! Harold -- FCC Rules Updated Daily at http://www.hallikainen.com - Advertising opportunities available! |
From: Reini U. <ru...@x-...> - 2007-04-12 17:10:30
|
2007/4/12, Harold Hallikainen <ha...@ha...>: > > 2007/4/12, Sabri LABBENE <sab...@st...>: > >> Reini Urban wrote: > >> >Via the Phpwiki 1.3.x UpLoad feature some hackers from russia upload a > >> >php3 or php4 file, > >> >install a backdoor at port 8081 and have access to your whole > >> >disc and overtake the server. > >> > > >> >See http://ccteam.ru/releases/c99shell > >> > >> I think that the URL is wrong. > > > > This url obviously worked in 2006. Now it is gone. > > > > I submitted a critical security alert to CERT and it will be in the > > cve reports of mitre.org > > also then (hopefully). > > As the one who was attacked, I can give you the IP addresses of the > attackers. Second, instead of disallowed extensions, I think it would be > much safet to have a list of ALLOWED extensions. I see this as a todo in > the upload plugin. Hm, I will think about it. Other opinions? > I have set my upload directory as read only and require users to now email > me stuff to post. > > As to how much was visible to the hackers (and I have the code for their > script), it SEEMS that it would only be what user apache could see, which > would be stuff it owns and stuff that is world readable. Is that correct? Well not really. The c99shell script tries in various ways to get more access. At first it compiles and installs a backdoor at port 8081 and then with shell access it's normally quite easy for an experienced hacker to get root. -- Reini Urban http://phpwiki.org/ http://murbreak.at/ http://spacemovie.mur.at/ http://helsinki.at/ |
From: Harold H. <ha...@ha...> - 2007-04-12 17:31:56
|
> 2007/4/12, Harold Hallikainen <ha...@ha...>: >> > 2007/4/12, Sabri LABBENE <sab...@st...>: >> >> Reini Urban wrote: >> >> >Via the Phpwiki 1.3.x UpLoad feature some hackers from russia upload >> a >> >> >php3 or php4 file, >> >> >install a backdoor at port 8081 and have access to your whole >> >> >disc and overtake the server. >> >> > >> >> >See http://ccteam.ru/releases/c99shell >> >> >> >> I think that the URL is wrong. >> > >> > This url obviously worked in 2006. Now it is gone. >> > >> > I submitted a critical security alert to CERT and it will be in the >> > cve reports of mitre.org >> > also then (hopefully). >> >> As the one who was attacked, I can give you the IP addresses of the >> attackers. Second, instead of disallowed extensions, I think it would be >> much safet to have a list of ALLOWED extensions. I see this as a todo in >> the upload plugin. > > Hm, I will think about it. Other opinions? > >> I have set my upload directory as read only and require users to now >> email >> me stuff to post. >> >> As to how much was visible to the hackers (and I have the code for their >> script), it SEEMS that it would only be what user apache could see, >> which >> would be stuff it owns and stuff that is world readable. Is that >> correct? > > Well not really. The c99shell script tries in various ways to get more > access. > At first it compiles and installs a backdoor at port 8081 and then > with shell access it's normally quite easy for an experienced hacker > to get root. > > -- > Reini Urban THANKS for the support on this issue! I did an updatedb, then did locate c99. The only stuff that comes up is this: /usr/include/boost/numeric/interval/detail/c99sub_rounding_control.hpp /usr/include/boost/numeric/interval/detail/c99_rounding_control.hpp /usr/share/man/man1p/c99.1p.gz /usr/bin/c99 In addition, port 8081 is blocked at the router (for incoming requests). So, I'm hoping I'm ok! I really think an approved filetype list for uploads would be nice. It seems a lot easier than trying to anticipate everything bad that someone will try. THANKS for the support on this! Harold -- FCC Rules Updated Daily at http://www.hallikainen.com - Advertising opportunities available! |