From: Reini U. <ru...@x-...> - 2007-04-12 17:10:30
2007/4/12, Harold Hallikainen <ha...@ha...>:
>
> 2007/4/12, Sabri LABBENE <sab...@st...>:
> >> Reini Urban wrote:
> >> >Via the Phpwiki 1.3.x UpLoad feature some hackers from Russia upload a
> >> >php3 or php4 file,
> >> >install a backdoor at port 8081 and have access to your whole
> >> >disc and overtake the server.
> >> >
> >> >See http://ccteam.ru/releases/c99shell
> >>
> >> I think that the URL is wrong.
>
> This url obviously worked in 2006. Now it is gone.
>
> I submitted a critical security alert to CERT and it will be in the
> cve reports of mitre.org
> also then (hopefully).

> As the one who was attacked, I can give you the IP addresses of the
> attackers. Second, instead of disallowed extensions, I think it would be
> much safer to have a list of ALLOWED extensions. I see this as a todo in
> the upload plugin.

Hm, I will think about it. Other opinions?

> I have set my upload directory as read only and require users to now email
> me stuff to post.
>
> As to how much was visible to the hackers (and I have the code for their
> script), it SEEMS that it would only be what user apache could see, which
> would be stuff it owns and stuff that is world readable. Is that correct?

Well not really. The c99shell script tries in various ways to get more
access. At first it compiles and installs a backdoor at port 8081 and then
with shell access it's normally quite easy for an experienced hacker to get
root.

--
Reini Urban
http://phpwiki.org/ http://murbreak.at/ http://spacemovie.mur.at/ http://helsinki.at/
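Harold's point about allowed versus disallowed extensions, shown as an added example that is not PhpWiki's UpLoad plugin code: a deny-list that only names "php" lets the php3/php4 files from the thread through, while an allow-list rejects them. The lists and file names are constructed for the illustration.

```python
import os

# Constructed sample upload names, including the php3/php4 variants from the thread.
SAMPLE_NAMES = ["notes.txt", "photo.jpg", "c99.php", "c99.php3", "c99.php4", "c99.PHP4", "README"]

# Hypothetical deny-list: only the obvious extension is blocked, as a naive config might.
DENY_LIST = {"php"}
# Hypothetical allow-list: anything not explicitly permitted is rejected.
ALLOW_LIST = {"txt", "jpg", "png", "gif", "pdf"}


def extension(filename: str) -> str:
    """Return the final extension, lower-cased so case variants match; '' if none."""
    ext = os.path.splitext(filename)[1]
    return ext[1:].lower()


def denylist_allows(filename: str) -> bool:
    """Deny-list policy: accept unless the extension is explicitly forbidden."""
    return extension(filename) not in DENY_LIST


def allowlist_allows(filename: str) -> bool:
    """Allow-list policy: accept only a known extension; extension-less names are refused."""
    ext = extension(filename)
    return ext != "" and ext in ALLOW_LIST


def compare(names):
    """Map each name to (deny-list verdict, allow-list verdict) to show where they diverge."""
    return {n: (denylist_allows(n), allowlist_allows(n)) for n in names}


if __name__ == "__main__":
    for name, (deny_ok, allow_ok) in compare(SAMPLE_NAMES).items():
        print(f"{name:12} deny-list: {'accept' if deny_ok else 'reject':6} "
              f"allow-list: {'accept' if allow_ok else 'reject'}")
```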