From: Harold H. <ha...@ha...> - 2007-04-12 17:31:56

> 2007/4/12, Harold Hallikainen <ha...@ha...>:
>> > 2007/4/12, Sabri LABBENE <sab...@st...>:
>> >> Reini Urban wrote:
>> >> > Via the Phpwiki 1.3.x UpLoad feature some hackers from Russia upload a php3 or php4 file,
>> >> > install a backdoor at port 8081 and have access to your whole disc and overtake the server.
>> >> >
>> >> > See http://ccteam.ru/releases/c99shell
>> >>
>> >> I think that the URL is wrong.
>> >
>> > This URL obviously worked in 2006. Now it is gone.
>> >
>> > I submitted a critical security alert to CERT and it will be in the CVE reports of mitre.org also then (hopefully).
>>
>> As the one who was attacked, I can give you the IP addresses of the attackers. Second, instead of disallowed extensions, I think it would be much safer to have a list of ALLOWED extensions. I see this as a todo in the upload plugin.
>
> Hm, I will think about it. Other opinions?
>
>> I have set my upload directory as read only and require users to now email me stuff to post.
>>
>> As to how much was visible to the hackers (and I have the code for their script), it SEEMS that it would only be what user apache could see, which would be stuff it owns and stuff that is world readable. Is that correct?
>
> Well, not really. The c99shell script tries in various ways to get more access.
> At first it compiles and installs a backdoor at port 8081, and then with shell access it's normally quite easy for an experienced hacker to get root.
>
> --
> Reini Urban

THANKS for the support on this issue! I did an updatedb, then did locate c99. The only stuff that comes up is this:

/usr/include/boost/numeric/interval/detail/c99sub_rounding_control.hpp
/usr/include/boost/numeric/interval/detail/c99_rounding_control.hpp
/usr/share/man/man1p/c99.1p.gz
/usr/bin/c99

In addition, port 8081 is blocked at the router (for incoming requests). So, I'm hoping I'm ok! I really think an approved filetype list for uploads would be nice. It seems a lot easier than trying to anticipate everything bad that someone will try.

THANKS for the support on this!

Harold

--
FCC Rules Updated Daily at http://www.hallikainen.com - Advertising opportunities available!
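The allowlist-versus-denylist point raised in this message, as an added example that is not code from PhpWiki's UpLoad plugin or from anyone in the thread. It assumes PHP 7+; the two extension lists, the helper names and the sample file names are constructed for illustration. A denylist that names "php" but not "php3" or "php4" is exactly the gap the attack above went through, and the denylist check below accepts c99shell.php3 for that reason, while the allowlist check rejects anything that is not a single, approved extension.

```php
<?php
// Added example for this thread, not code from PhpWiki's UpLoad plugin.
// It contrasts the denylist check the thread criticises with an allowlist.
// Assumes PHP 7+; the extension lists and file names are constructed here.

// Denylist of the kind the thread discusses: it blocks "php" but not
// "php3"/"php4"/"phtml", which mod_php can also hand to the interpreter.
$DENIED_EXTENSIONS = ['php', 'exe', 'sh'];

// Allowlist: only the static file types the wiki actually needs to serve.
$ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt'];

// Every extension of a file name, lower-cased, with any path stripped.
function extensions_of(string $filename): array
{
    $base  = basename($filename);       // "../x.png"  -> "x.png"
    $base  = rtrim($base, ". ");        // "shell.php." -> "shell.php"
    $parts = explode('.', $base);
    array_shift($parts);                // drop the stem, keep the extensions
    return array_map('strtolower', $parts);
}

// The weak pattern: look only at the last extension and reject known-bad ones.
function denylist_allows(string $filename): bool
{
    global $DENIED_EXTENSIONS;
    $parts = explode('.', basename($filename));
    $last  = strtolower(end($parts));
    return !in_array($last, $DENIED_EXTENSIONS, true);
}

// The allowlist: exactly one extension, and it must be on the approved list.
// Multi-extension names are rejected outright because, with Apache mod_mime,
// a name like "shell.php.jpg" can still be handed to PHP.
function allowlist_allows(string $filename): bool
{
    global $ALLOWED_EXTENSIONS;
    $exts = extensions_of($filename);
    if (count($exts) !== 1) {
        return false;                   // no extension, or "a.php.jpg"
    }
    return in_array($exts[0], $ALLOWED_EXTENSIONS, true);
}

// Constructed sample names, including the php3 case from the thread.
$samples = ['photo.jpg', 'c99shell.php3', 'shell.php.jpg',
            'SHELL.PHP', 'notes.txt.', 'README'];

printf("%-16s %-9s %-9s\n", 'file', 'denylist', 'allowlist');
foreach ($samples as $name) {
    printf("%-16s %-9s %-9s\n", $name,
        denylist_allows($name)  ? 'accept' : 'reject',
        allowlist_allows($name) ? 'accept' : 'reject');
}
```

Run it with `php upload_check.php` to see the two columns side by side. An extension check only governs which names the web server will treat as scripts, so it belongs together with the other measure this message describes: keep the upload directory somewhere the interpreter cannot run, either outside the document root or, under mod_php, with `php_flag engine off` in that directory's .htaccess.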