Results 1 to 21 of 21

Thread: c99shell

  1. #1

    c99shell

    hello
    the biggest security issue i have with my clients is php c99 shell and similar php files, somehow these files uploaded on the website and from here they start attacking the websites.
    i have seen also that once you upload the c99 php file you are able to see the accounts information ( such as a user name ) on the same server

    so is there any way to disable this kind of php file or at least disable some function within the file!
    i have been thinking to install and run a antivirus on the server , but i see sometimes they upload the encrypted version of the file , so the antirus can't catch the file as a torjan!
    Last edited by adoobi; 09-03-2007 at 04:54 AM.

  2. #2
    Join Date
    Oct 2004
    Location
    Kerala, India
    Posts
    4,771
    Install mod_security on the server. Add tight rules to the mod_sec conf. You can disable php functions server wide using the option disable_functions in php.ini.

    Eg:

    disable_functions = "passthru,readfile,shell_exec,escapeshellarg"
    David | www.cliffsupport.com
    Affordable Server Management Solutions sales AT cliffsupport DOT com
    CliffWebManager | Access WHM from iPhone and Android

  3. #3
    Join Date
    Apr 2005
    Location
    HCMC
    Posts
    82
    You can install mod_block_worms & Update Rules for Mod_Security for your server.

    Mod_block_worms:

    Login ssh and su to root:

    wget http://html.conclase.net/cp/scripts/mod_block_worms.tgz

    tar zxf mod_block_worms.tgz

    cd mod_block_worms-0.1.1

    make all && make install
    After that add this to your httpd.conf:

    <IfModule mod_block_worms.c>

    BlockWormsSignature "r57shell.php" 500
    BlockWormsSignature "c99.php" 500
    BlockWormsSignature "cl.php" 500
    BlockWormsSignature "ShellBOT.txt" 500
    BlockWormsSignature "shell.php" 500
    BlockWormsSignature "cgitelnet.pl" 500
    BlockWormsSignature "phpshell.php" 500
    BlockWormsSignature "nstview.php" 500
    BlockWormsSignature "r57.php" 500
    BlockWormsSignature "phpHS.php" 500
    BlockWormsSignature "r57pws.pl" 500
    BlockWormsSignature "^/default.ida" 404
    BlockWormsSignature "^/passwd$" 404
    BlockWormsSignature "^/manual$" 404
    BlockWormsSignature "^/backup.sql$" 404

    BlockWormsLogFile /usr/local/apache/logs/block_worms_log

    </IfModule>
    Disable functions via php.ini, edit your php.ini file, Ctrl + W search disable_functions then add:

    disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
    Save and restart apache.

    Update rules for Mod_security:

    You can get lastest rules from http://gotroot.com

    Good luck

  4. #4
    Join Date
    Nov 2003
    Location
    USA
    Posts
    877
    I made a script of this that check the server every night
    WHMCS Services / City Tecks
    WHMCS Development | Blesta / WISECP Developer

  5. #5
    Wouldn't php_suexec be usefull there ?

  6. #6
    Join Date
    May 2006
    Posts
    73
    Quote Originally Posted by SV_Ngheo View Post
    You can get lastest rules from..
    The site is only apache default page

  7. #7
    Join Date
    Apr 2005
    Location
    HCMC
    Posts
    82
    VIETHOSTING.COM - Domain Name, Web Hosting, KVM VPS, Dedicated Servers & Co-Location in Vietnam

  8. #8
    Filename and/or signature blocking is completely pointless here.Your best bet is to disable the required php functions.

  9. #9
    Join Date
    Jun 2006
    Location
    NYC / Memphis, TN
    Posts
    1,454
    Quote Originally Posted by SV_Ngheo View Post
    If you just install the mod_sec rules it will block this sort of thing. I seem to see the "disable functions" recommendation very often but that is really not the recommended route.

    If you do not want to deal with all of the additional modules/rule updates then I would recommend installing: Hardened-PHP

    http://www.hardened-php.net/
    PeakVPN.Com | Complete Privacy VPN | Cloud Hosting | Guaranteed Security | 1Gbps-10Gbps Unmetered
    PeakVPN | 31 VPN Servers | 17-Years Experience | Emergency 24/7 Support
    Visit us @ PeakVPN.Com (Coming SOON) | ASN: 3915

  10. #10
    Join Date
    Apr 2004
    Location
    Australia
    Posts
    456
    mod_sec is good for blocking c99shell, same with disabling functions. You could also enable open_basedir to stop the c99shell script from doing any damage outside of the users account.

    I would first fix the problem of it being uploaded, then work on stopping the c99shell script from functioning on your server.

  11. #11
    Join Date
    Dec 2002
    Location
    chica go go
    Posts
    11,876
    Quote Originally Posted by htb View Post
    I made a script of this that check the server every night
    HOw's your script detecting it? If it's only based on filename, it's going to be pretty useless. Also, if the script is checking the contents of each file on the system, that's going to cause some heavy load issues, and it will most likely take a few hours for the script to check every file.

  12. #12
    Join Date
    Jun 2002
    Location
    Waco, TX
    Posts
    5,623
    good point, and it doesn't account for remote includes on all those insecure apps either.
    Quote Originally Posted by ub3r View Post
    HOw's your script detecting it? If it's only based on filename, it's going to be pretty useless. Also, if the script is checking the contents of each file on the system, that's going to cause some heavy load issues, and it will most likely take a few hours for the script to check every file.

  13. #13
    Join Date
    Nov 2006
    Location
    Melbourne, Australia
    Posts
    321
    You could also enable open_basedir to stop the c99shell script from doing any damage outside of the users account.
    That won't help if it uses exec(), shell_exec() or system() or similar. These functions aren't restricted by open_basedir, as they're executed directly by PHP.

    On a server I once helped admin, I had the disable_functions set to:
    disable_functions = exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,popen,show_source,proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid,dl,symlink
    I'm not sure how much of that is really needed

    If you do not want to deal with all of the additional modules/rule updates then I would recommend installing: Hardened-PHP
    You mean Suhosin

    Wouldn't php_suexec be usefull there ?
    Yes, in a sense... Instead of things being executed as "nobody" or "www-data", they'd be executed as the user that owns the file. Theorerically, in this case, there shouldn't be any problems - The user can only access what they're meant to access, as the UNIX permissions would control this. This isn't always the case though... They can still write to files CHMODded to 0777.
    Last edited by Daniel15; 09-08-2007 at 09:48 PM.

  14. #14
    Greetings:

    [url removed] and [url removed] are malware (reported to abuse@aplus.net) whereby error.txt shows just an example of what php functions should be disabled.

    However, the error.txt script (lower down) raises a question.

    In the script, the hacker uses

    $disablefunc = @ini_get("disable_functions");

    Without disabling the entire "ini_get" functionality, is there a way to prevent ini_get from showing what functions are disabled?

    Thank you.
    Last edited by bear; 09-10-2007 at 10:55 AM.
    ---
    Peter M. Abraham
    LinkedIn Profile

  15. #15
    Join Date
    Jul 2003
    Posts
    533
    what about if the hacker uploaded a php.ini to remove the disabled functions ?

  16. #16
    Join Date
    Apr 2004
    Location
    Australia
    Posts
    456
    Quote Originally Posted by BizB View Post
    what about if the hacker uploaded a php.ini to remove the disabled functions ?
    Thats not possible as disable functions can only be set and unset via the main php.ini configuration.

  17. #17
    Quote Originally Posted by adoobi View Post
    hello
    the biggest security issue i have with my clients is php c99 shell and similar php files, somehow these files uploaded on the website and from here they start attacking the websites.
    Actually, I think you got this all wrong. The biggest security issue is not the c99 shells or similar trojans.

    The issue you really need to concentrate on are the vulnerable scripts that allow hackers to upload c99 or other shells. Actually, the hackers can (usually) very well do without uploading c99 - the shells simply offer a convenience layer for them.

    So, find out exactly how the shells are getting uploaded (inspect your logs) and fix your security holes. No other way to not get hacked again.

  18. #18
    Join Date
    Jun 2007
    Location
    Jordan
    Posts
    324
    run these commands and see any nobody permission to upload in your server

    Code:
     find /home/*/public_html/ -perm 0777 -ls
    find /home*/public_html/ -uid 99 -ls
    Cheers !
    Learn whatever you read ...
    Some day you well tech ...
    E-Learning .

  19. #19
    Join Date
    Mar 2005
    Posts
    540
    Some of our customers use Mambo with external extensions,
    When I turn on safe_mode their websites have problem ,
    What should I do ?

  20. #20
    Join Date
    Oct 2007
    Posts
    83
    adoobi, there is another thread here;
    http://www.webhostingtalk.com/showthread.php?p=4858409

    Securing your server to prevent c99shell from accessing other accounts, and preventing it from being uploaded are two different things. Make sure you take steps on both of these tasks, it will help you in the long run.

    @webhostbeginner
    c99shell can be uploaded purposely via the template manager.
    Are the administrators (not owner) of the site on-board?

  21. #21
    Join Date
    May 2002
    Location
    Kingston, Ontario
    Posts
    1,588
    You need more than just disabling php functions, upload protection is where it's at.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •