Hack attempt

dannygoh (Verified User; joined Feb 9, 2004; 366 messages; Malaysia)
Hi,

Do you know what this file attempts to do?

Download at your own risk?

I have removed the attachment.
 
Well, isn't that a nifty little script.

It'll certainly provide a LOT of information about the server it's running on, and will also allow the user to obtain a nice PHP shell account (not sure if it's root level or not).

Using this shell, they can perform various functions on your site, depending on your file security settings.

Where/how did you acquire this?
 
Trojan?
 

Attachment: untitled.gif
Let's start again...

Read what Joe (hostpc.com) replied in his first reply to you.

This is a perfectly valid php script, which nothing will detect. By default the output is in Russian, but there's a flag to change it to English.

Of course neither RKHunter nor chkrootkit will find it; they're designed to find rootkits, and this is NOT a rootkit.

If you're not sure what a rootkit is, google for the definition.

I was just on the phone with Onno; he thinks it's not a shell, but it offers a lot of information.

And as you'd expect from a php script, it offers a lot less information if you have safe_mode enabled than if you don't.

Three other things to note:

1) it does have a place in the code to enter a default username and password; if that's correct on your server it may login as that user (not tested by me). And the default in the script may be for a known username entered by a known hack; I don't know.

2) Onno just told me he doesn't see the "shell" functionality that Joe mentions. Onno only sees menu access to shell functions.

Joe, did you get it to act as a shell?

3) If your TOS doesn't allow shell access you can probably consider the script a violation of your TOS, but perhaps not; it may be time for our TOS to specifically disallow menu access to shell functions.

More information to come, I'm sure :) .

Jeff
 
My first reaction was ... "Why are you posting a hacking script on the forum?". After talking to my Partner, Jeff, I had a look at the script.

What did I find...

This script is NOT a shell script in that it does not give you a shell on a remote server.
This script runs as the user you install it as (Make sure PHP SAFE_MODE is turned ON otherwise the user is apache)
This script allows you to execute any PHP command you like.
This script has the ability to edit any file you have access to
This script allows you to upload files in directories you have access to (this could be misused to upload other more dangerous scripts)
There are 3 attempts to get around Open_basedir and safe_mode by attempting to use different ways to access files on the system.
With this script you can access mySQL databases (if you have the userid and password).


Note that all of this can be done by anyone with a little PHP knowledge and some time.
I did see that this script, while it has a lot of functionality, is not very well written; viewing/editing the file itself with the tool causes major problems.

After looking at the script I am less inclined to say that you should immediately remove the user from your server, quite likely he is simply looking for a handy tool to be able to manipulate files and also a way to bypass the limitations of the filemanager in DA.


What would I recommend........

Keep Safe-Mode turned ON
Keep an eye on that user
Keep checking to see if the user uploads other files that might cause problems.
 
hackerpitbull said:
This file attempts to hack the client computer not the server..

Not quite true... McAfee reports it as "BackDoor-CUS!php". This is correct; it is a type of backdoor, but so is the FileManager of DA and several FileManagers you can install from Installatron. It just depends on your definition of a BackDoor.

Definition of a BackDoor from the McAfee website:
---------
A feature programmers often build into programs to allow special privileges normally denied to users of the program. Often programmers build back doors so they can fix bugs. If hackers or others learn about a back door, the feature may pose a security risk. Also: Trapdoor.
---------

This script allows CHOWN and CHGRP; you could argue that that is not default functionality a user without SHELL access is allowed to do and therefore this is a backdoor.
 
What I found was this was an issue at one time with OSCommerce and phpBB (one reason why I don't allow phpBB). This script does indeed allow a php shell, allowing the user to write/execute files, etc. Most often, files uploaded with this were / are used to write to /tmp and /var/tmp as a txt file - then executed under a perl handler.


Opens a back door via HTTP access. It allows the remote attacker to perform any of the following actions:

* Execute shell commands on /bin/bash
* Change file permissions
* Delete files and directories
* Upload files
* Edit files
* Find files
* Show system information
* Dump SQL database


It's (r57shell) technically a "back door trojan" I guess - but whatever you want to call it, it's _not_ a healthy script to find on your servers.


Basis for conclusion:
http://forums.oscommerce.com/lofiversion/index.php/t162034.html

https://www.redhat.com/archives/fedora-list/2005-July/msg04014.html

http://www.sarc.com/avcenter/venc/data/php.rstbackdoor.html
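Jeff's point that neither RKHunter nor chkrootkit will flag a file like this is the practical problem for a host: the script is ordinary PHP, so the check has to look at what the PHP does. As an added example (not code from the thread, from DirectAdmin, or from any of the vendors named above), the Python scanner below walks a web root and scores PHP files on the traits hostpc.com lists: command execution, eval of an encoded payload, a request parameter fed into such a call, chown/chgrp, and upload handling. The regexes, weights and threshold are this example's own heuristics, and the two fixtures are constructed fragments, not the attached script.

```python
import os
import re

# Heuristic indicators of a PHP "shell" script: (pattern, label, weight).
# Patterns and weights are this example's own choices, chosen to match the
# behaviour described in the thread; they are not a vendor signature set.
INDICATORS = [
    (r"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(",
     "command-execution call", 3),
    (r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
     "eval of a decoded payload", 5),
    (r"\b(?:system|passthru|shell_exec|exec|popen|proc_open|eval|assert|include|require)"
     r"\s*\(\s*(?:\w+\s*\(\s*)*\$_(?:GET|POST|REQUEST|COOKIE)\b",
     "request parameter fed straight into a dangerous call", 4),
    (r"\b(?:chown|chgrp|chmod)\s*\(", "ownership/permission change", 2),
    (r"\bmove_uploaded_file\s*\(", "file upload handling", 1),
    (r"\b(?:r57|c99)(?:shell)?\b", "known web-shell name string", 4),
]
WEIGHTS = {label: weight for _, label, weight in INDICATORS}
DEFAULT_THRESHOLD = 5


def scan_php_source(source):
    """Return {indicator label: [line numbers]} for every indicator found."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, label, _ in INDICATORS:
            # PHP function names are case-insensitive, so match that way.
            if re.search(pattern, line, re.IGNORECASE):
                hits.setdefault(label, []).append(lineno)
    return hits


def risk_score(hits):
    """Sum the weight of each distinct indicator present (once per label, not per line)."""
    return sum(WEIGHTS[label] for label in hits)


def is_suspicious(source, threshold=DEFAULT_THRESHOLD):
    return risk_score(scan_php_source(source)) >= threshold


def scan_tree(root, threshold=DEFAULT_THRESHOLD):
    """Walk a web root and yield (path, hits, score) for PHP files at or over the threshold."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".php", ".phtml", ".php5", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_php_source(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            score = risk_score(hits)
            if score >= threshold:
                yield path, hits, score


# Constructed fixtures (not files from the thread): an ordinary contact-form
# handler, and fragments carrying the traits the posts attribute to the script.
BENIGN_SAMPLE = (
    "<?php\n"
    "$name = htmlspecialchars($_POST['name'] ?? '');\n"
    "$msg  = htmlspecialchars($_POST['message'] ?? '');\n"
    "mail('owner@example.com', 'Contact from ' . $name, $msg);\n"
    "echo 'Thanks, ' . $name;\n"
)

SHELL_LIKE_SAMPLE = (
    "// r57shell-style menu: constructed fragments for the scanner, not a working tool\n"
    "$lang = isset($_GET['lang']) ? $_GET['lang'] : 'ru';\n"
    "if (isset($_POST['cmd']))  { passthru($_POST['cmd']); }\n"
    "if (isset($_POST['code'])) { eval(base64_decode($_POST['code'])); }\n"
    "if (isset($_POST['own']))  { chown($_POST['f'], $_POST['own']); }\n"
    "if (isset($_FILES['up']))  { move_uploaded_file($_FILES['up']['tmp_name'], $_POST['dst']); }\n"
)

if __name__ == "__main__":
    for title, sample in (("benign", BENIGN_SAMPLE), ("shell-like", SHELL_LIKE_SAMPLE)):
        hits = scan_php_source(sample)
        print(f"{title}: score={risk_score(hits)} suspicious={is_suspicious(sample)}")
        for label, lines in hits.items():
            print(f"  {label} on line(s) {lines}")
```

Run `scan_tree("/home/user/public_html")` (path is a placeholder) from cron and diff the output against the previous run; a new high-scoring file under a customer account is exactly the "keep checking what the user uploads" step Onno recommends, and unlike a rootkit scanner it does not depend on the file being a known sample. Expect false positives on legitimate file managers and installers, which is why hits are reported with their line numbers for a human to read rather than deleted automatically.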






 
resolveit said:


What did I find...

This script is NOT a shell script in that it does not give you a shell on a remote server.

Not quite true...

Any script that allows a user to Execute shell commands on /bin/bash is technically considered a "shell" - think Fileman, etc.
 
Hi HostPC,

I've not found anything in this script I cannot do in any other PHP program I write myself. I've not seen an option to get a shell but I assume I can write a PHP oneliner to get it.

Where this script is dangerous is when it is freely accessible to everyone on the net and not just the account holder, because anybody with access to this script can execute a PHP command and, as I said, you can write a PHP oneliner to get SHELL.

On the test server I installed this on I ensured it was behind password protected directory access. This was to ensure no one else got access to it while I looked at the script.
 
hostpc.com said:
Not quite true...

Any script that allows a user to Execute shell commands on /bin/bash is technically considered a "shell" - think Fileman, etc.

I should have said it does not come up with a shell prompt :)
 
Just tried getting shell with SAFE_MODE turned ON and as expected I can't get SHELL with the standard PHP commands.

If I still find a way I'll let you guys know.

Note I can get shell with SAFE_MODE turned OFF!!!!
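The posts above turn on one setting: with safe_mode on the standard PHP commands cannot reach a shell, with it off they can. As an added example (not from the thread, from DirectAdmin, or from PHP's own tooling), the Python audit below parses a php.ini and reports the settings that leave /bin/bash reachable from a PHP script. The list of functions to disable and the two constructed profiles are this example's own; it also records that safe_mode was removed in PHP 5.4, so on current versions the controls that remain are disable_functions and open_basedir.

```python
# Functions a shared-hosting php.ini should list in disable_functions: the
# calls a PHP "shell" page uses to run /bin/bash.  This set is the example's
# own choice, not a DirectAdmin or PHP default.
EXEC_FUNCTIONS = {"exec", "passthru", "shell_exec", "system", "popen", "proc_open"}


def parse_php_ini(text):
    """Minimal php.ini reader: {directive: value}, ignoring comments and [sections]."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in php.ini
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        directives[key.strip().lower()] = value.strip().strip('"\'')
    return directives


def is_on(value):
    """php.ini booleans: On/1/True/Yes are true, anything else is off."""
    return value.strip().lower() in {"on", "1", "true", "yes"}


def audit_php_ini(text):
    """Return [(directive, problem)] for settings that weaken a shared host."""
    cfg = parse_php_ini(text)
    findings = []

    # 1. Are the command-execution functions still callable from PHP?
    disabled = {f.strip().lower() for f in cfg.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(EXEC_FUNCTIONS - disabled)
    if missing:
        findings.append(("disable_functions", "still callable: " + ", ".join(missing)))

    # 2. Without open_basedir a script can read any file the web server user can.
    if not cfg.get("open_basedir"):
        findings.append(("open_basedir", "unset; file access is limited only by Unix permissions"))

    # 3. Remote include / fetch.  allow_url_fopen defaults to On in PHP.
    if is_on(cfg.get("allow_url_include", "Off")):
        findings.append(("allow_url_include", "On; include() can pull code from a URL"))
    if is_on(cfg.get("allow_url_fopen", "On")):
        findings.append(("allow_url_fopen", "On; set Off unless a script needs it"))

    # 4. safe_mode was the thread-era control, but it was removed in PHP 5.4.
    if "safe_mode" in cfg:
        if is_on(cfg["safe_mode"]):
            findings.append(("safe_mode", "On, but removed in PHP 5.4; not a control on current versions"))
        else:
            findings.append(("safe_mode", "Off (and removed in PHP 5.4 in any case)"))
    return findings


# Constructed profiles for the audit; paths are placeholders.
WEAK_INI = """[PHP]
; out-of-the-box style settings
safe_mode = Off
disable_functions =
open_basedir =
allow_url_fopen = On
allow_url_include = On
"""

HARDENED_INI = """[PHP]
; hardened shared-hosting profile
disable_functions = exec,passthru,shell_exec,system,popen,proc_open,pcntl_exec
open_basedir = /home/user/public_html:/tmp
allow_url_fopen = Off
allow_url_include = Off
"""

if __name__ == "__main__":
    for title, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        problems = audit_php_ini(ini)
        print(f"{title}: {len(problems)} finding(s)")
        for directive, problem in problems:
            print(f"  {directive}: {problem}")
```

Point it at the php.ini the web server actually loads (the path from `php -i`, or the per-vhost override), not the one in the source tree. A page like the one in this thread still runs as the web server user even with every finding cleared; the audit only takes away the calls that turn "edit and upload files" into "run commands".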
 
Not while that script exists ... we can't say yes or no.

You need to do a security check on your system:

1) is safe mode enabled?
2) has this script been removed?
3) have vulnerable applications been updated? (phpBB, awstats, nuke variants, etc)
4) are your modules up to date?

Nobody can answer that without logging into your server and checking for remnants of this.
 
Hi guys, if possible could someone email me the script to help me see how well it works on my servers, thanks. PM me if you need my email address.
 
I would like to take a look at the script too: mail tech [at] fusion-ict.nl

resolveit said:
This script runs as the user you install it as (Make sure PHP SAFE_MODE is turned ON otherwise the user is apache)

Well, that's not quite true. DA's setup still runs PHP as apache, even if SAFE_MODE is ON.

SuexecUserGroup x x only works if PHP is running as CLI and not while it's compiled as a module (APXS), which is standard on my CENTOS install and FC.
 