Good day,
Here is a follow-up on the written by Jeff Tickle, our systems
administrator.
-------------------------------------------------------------------------
Long story short, upgrade to phpWebSite 1.6.1 from Sourceforge.
The exploit code in Init.php does the following:
1. See if ./files/writetest exists
2. If not, send an email to dda...@gm... with your host name
and the script path, and create /files/writetest
3. If the GET variable 'viewtables' is set, execute c99MadShell.
c99MadShell is a php-based shell, more info here:
http://www.derekfountain.org/security_c99madshell.php
The attacker would have been restricted to the apache user. So, if you
are using suPHP, the damage won't be as bad, although they could still
upload files to a writable served path. The only way the attacker could
get root privileges is if the apache user could be used to find out
your root password somehow, like if your /etc/shadow file is world
readable or some such.
Things to check for:
1. The exploited code in core/class/Init.php around line 102
2. 'writetest' file under 'files' directory in each phpWebSite
installation
3. 'dda...@gm...' destination address in your email logs
4. 'viewtables' GET variable in your web server access logs
1 and 2 mean you have the exploit, 3 means the author was notified, and
4 means someone tried to use it.
I'll post more as I learn more...
-Jeff
--------------------------------------------------------------------------
--
Matthew McNaney
Electronic Student Services
Appalachian State University
Ext. 6493
http://ess.appstate.edu
http://phpwebsite.appstate.edu
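One way to script checks 1, 2 and 4 from the list above, added here as an example and not taken from Jeff's message or from phpWebSite itself: it assumes the install document roots are passed as arguments and that the web server writes an Apache combined-format access log, and the log lines it builds for the demo are constructed.

```shell
#!/bin/sh
# Added example (not from Jeff's message): automate checks 1, 2 and 4 above.
# Assumptions: phpWebSite document roots are passed as arguments, and the web
# server writes an Apache combined-format access log. The sample log below is
# constructed for demonstration only.

# Checks 1/2: the backdoor drops 'files/writetest' inside each install, so any
# such file under the given roots marks an installation that ran the exploit.
find_writetest() {
    find "$@" -type f -path '*/files/writetest' 2>/dev/null
}

# Check 4: print access-log lines whose request line carries a 'viewtables'
# GET variable, the trigger that executes the embedded c99MadShell.
# Matches ?viewtables or &viewtables as a whole parameter name, so a value
# such as module=viewtables_x does not count as a hit.
scan_viewtables() {
    grep -E '"(GET|POST|HEAD) [^ ]*[?&]viewtables(=|&| |")' "$1"
}

# Number of trigger attempts in a log (0 when none).
count_viewtables() {
    scan_viewtables "$1" | wc -l | tr -d ' '
}

# Writes a constructed three-line sample log and prints its path.
make_sample_log() {
    log=$(mktemp)
    cat >"$log" <<'EOF'
10.0.0.5 - - [01/Jan/2006:10:00:00 -0500] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2006:10:00:05 -0500] "GET /index.php?viewtables=1 HTTP/1.1" 200 56 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2006:10:00:09 -0500] "GET /index.php?module=viewtables_x HTTP/1.1" 200 56 "-" "Mozilla/5.0"
EOF
    echo "$log"
}

# Stand-alone demo on the constructed log; on a real host run
# find_writetest against your document roots and scan_viewtables on the
# live access log instead.
demo_log=$(make_sample_log)
echo "viewtables trigger attempts in sample log: $(count_viewtables "$demo_log")"
scan_viewtables "$demo_log"
```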