shell script hacking

AndyII (Verified User, joined Oct 3, 2006, 576 messages)
Anyone here have any experience with this so-called shell script named c99.php?
I just acquired a new client, and if I hadn't needed to help him with moving his site, I would never have seen these files. I have heard of them before, so when I saw them I deleted them before the site was active.
At first I thought of keeping a copy of them for study, but when I tried to download one of the files, my AV popped up and deleted it as a trojan. The name was .admincp.php; other files there were backdoor.pl (this was also deleted by AV), .ssh.php, c99hix.php, server.exe, temp.php, nc, c99.php, and others...
 
Saw it many times :) You should enable open_basedir protection on your server and add some functions to the disable_functions list :) Also, securing /tmp with nosuid,noexec is recommended too.
 
And for more protection, turn on PHP safe_mode.

If PHP safe_mode is off, the hacker can go around your server using those scripts...
 
Anyone here have any experience with this so-called shell script named c99.php?
There are many phishing scripts out there; C99shell.php is one of 'em, which provides a shell-like prompt to let you execute PHP code interactively.

PHP Shell is a PHP-based script. With this script a hacker can execute arbitrary shell commands or browse the file system on a remote web server. Hackers can also use such a script for transferring a malicious site as a compressed file, unpacking it and then running it on a web server. Unless you have a script to scan the content of files hosted on your web server, hackers can disguise the r57shell or c99shell as an image or HTML file.

Disabling certain functions in the php.ini file and/or making /tmp directory nosuid,noexec are good, but securing a Web server involves more than that.
 
Disabling certain functions in the php.ini file and/or making /tmp directory nosuid,noexec are good, but securing a Web server involves more than that.
I finished my server hardening yesterday, making it protected against the shell scripts (some functions of them still work, but they are harmless).
 
DutchTSE, what functions would you recommend should be disabled in PHP?

thanks
 
symlink, system, exec, proc_get_status, proc_nice, proc_terminate, define_syslog_variables, syslog, openlog, closelog, escapeshellcmd, passthru, ocinumcols, ini_alter, leak, listen, chgrp, set_time_limit, apache_note, apache_setenv, debugger_on, debugger_off, ftp_exec, dl, dll, ftp, disk_free_space, disk_total_space, php_uname
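As an added example (not code from anyone in this thread), a small PHP CLI audit that checks a server against the three hardening points raised above: the disable_functions list quoted in the post above, open_basedir, and a /tmp mounted nosuid,noexec. Note that safe_mode, recommended earlier in the thread, was removed in PHP 5.4, so these three settings are what remains on any current PHP; the script assumes a Linux host with a readable /proc/mounts.

```php
<?php
// Added audit script (not from the thread). Run it with the same PHP binary
// the web server uses, e.g.:  php audit.php
// The function list is the one quoted in the thread; 'dll' and 'ftp' are not
// PHP functions and are kept only because the thread lists them.
const RECOMMENDED_DISABLED = [
    'symlink', 'system', 'exec', 'proc_get_status', 'proc_nice', 'proc_terminate',
    'define_syslog_variables', 'syslog', 'openlog', 'closelog', 'escapeshellcmd',
    'passthru', 'ocinumcols', 'ini_alter', 'leak', 'listen', 'chgrp', 'set_time_limit',
    'apache_note', 'apache_setenv', 'debugger_on', 'debugger_off', 'ftp_exec', 'dl',
    'dll', 'ftp', 'disk_free_space', 'disk_total_space', 'php_uname',
];

// Returns the recommended functions that exist in this PHP build and are NOT
// listed in the given disable_functions value (comma-separated, spaces tolerated).
function stillEnabled(string $disabledIni, array $recommended): array {
    $disabled = array_map('strtolower', array_filter(array_map('trim', explode(',', $disabledIni))));
    $enabled = [];
    foreach ($recommended as $fn) {
        if (!in_array($fn, $disabled, true) && function_exists($fn)) {
            $enabled[] = $fn;
        }
    }
    return $enabled;
}

// Mount options of /tmp from /proc/mounts, or null when /tmp is not its own
// mount (then nosuid/noexec cannot be applied to it separately).
function tmpMountOptions(string $mountsFile = '/proc/mounts'): ?array {
    if (!is_readable($mountsFile)) return null;
    foreach (file($mountsFile, FILE_IGNORE_NEW_LINES) as $line) {
        $f = preg_split('/\s+/', $line);
        if (isset($f[1], $f[3]) && $f[1] === '/tmp') return explode(',', $f[3]);
    }
    return null;
}

$enabled = stillEnabled((string) ini_get('disable_functions'), RECOMMENDED_DISABLED);
echo $enabled ? "disable_functions: still callable: " . implode(', ', $enabled) . "\n"
              : "disable_functions: all listed functions are disabled\n";
$basedir = (string) ini_get('open_basedir');
echo $basedir === '' ? "open_basedir: NOT set\n" : "open_basedir: $basedir\n";
$opts = tmpMountOptions();
if ($opts === null) {
    echo "/tmp: not a separate mount (nosuid,noexec cannot be applied)\n";
} else {
    foreach (['nosuid', 'noexec'] as $o) echo "/tmp: $o " . (in_array($o, $opts, true) ? 'set' : 'MISSING') . "\n";
}
```

Run it under the CLI and, if the web SAPI uses a different php.ini, once more through the web server itself, since the two can report different disable_functions values.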
 
symlink, system, exec, proc_get_status, proc_nice, proc_terminate, define_syslog_variables, syslog, openlog, closelog, escapeshellcmd, passthru, ocinumcols, ini_alter, leak, listen, chgrp, set_time_limit, apache_note, apache_setenv, debugger_on, debugger_off, ftp_exec, dl, dll, ftp, disk_free_space, disk_total_space, php_uname

Umm, are you trying to cripple your PHP installation? That's exactly what you're doing here. Obviously, you don't know what you're doing. Seek professional advice.
 
Umm, are you trying to cripple your PHP installation? That's exactly what you're doing here. Obviously, you don't know what you're doing. Seek professional advice.
....
It's just disabling all the classes you don't need for a normal webserver. I'm not saying you have to use this; it's your choice if you use it or not :)

Why should people with a website on a shared hosting server have the rights to execute system commands?
Why should people with a website on a shared hosting server have the rights to make symlinks, terminate processes, etc.?
 
In the php.ini file, safe mode was off.

I changed it to on and the script cannot do anything...
 
Which means that the script is poorly written and can only run when left to run on an insecure server.

Jeff
 
being hacked

Can any of you people please help me? I run a chat site for WAP and web users, but over the last few weeks a script has appeared in circulation that allows them to empty every file from my server. I don't know what they are using, as it also wipes the logs.
My server is no help when I ask him, and my coding knowledge is almost nil.
I wouldn't mind paying for your help if you can contact me, please.
Thanks in advance,
Paul
 
did you

scotspaul,

Did you read this blog already? Maybe the answer is already here. If not, please give concrete info: which steps you did, which you did not, and where exactly the problems are.
You could start here:
Saw it many times :) You should enable open_basedir protection on your server and add some functions to the disable_functions list :) Also, securing /tmp with nosuid,noexec is recommended too.
The following answers are also interesting.

2. You have no logs, OK, but do you have a backup system? Maybe you have a copy of the script and don't know it? Please post it, give the code.

3. Which server OS, which control panel, which plugins etc. do you use? Give as much info as possible.

4. What's the name of your WAP script, and which other scripts? Did you already look at the bugtraq lists to see if they're listed?

5. Are these your sites: scotspaul.co.uk, scotspaul.com? Last updated: 20-Jan-2009?

6. Do you have a demo account for us there?

want to help
 