Thread: c99shell
-
09-03-2007, 04:51 AM #1 Newbie (Join Date: Aug 2005; Location: Kuwait; Posts: 20)
c99shell
hello
The biggest security issue I have with my clients is the PHP c99 shell and similar PHP files. Somehow these files get uploaded to the website, and from there they start attacking the websites.
I have also seen that once you upload the c99 PHP file you are able to see the account information (such as a user name) on the same server.
So is there any way to disable this kind of PHP file, or at least disable some functions within the file?
I have been thinking to install and run an antivirus on the server, but I see sometimes they upload the encrypted version of the file, so the antivirus can't catch the file as a trojan!
-
09-03-2007, 05:00 AM #2 Web Hosting Master (Join Date: Oct 2004; Location: Kerala, India; Posts: 4,771)
Install mod_security on the server. Add tight rules to the mod_sec conf. You can disable php functions server wide using the option disable_functions in php.ini.
Eg:
disable_functions = "passthru,readfile,shell_exec,escapeshellarg"
-
09-03-2007, 05:26 AM #3 Junior Guru Wannabe (Join Date: Apr 2005; Location: HCMC; Posts: 82)
You can install mod_block_worms & Update Rules for Mod_Security for your server.
Mod_block_worms:
Login ssh and su to root:
wget http://html.conclase.net/cp/scripts/mod_block_worms.tgz
tar zxf mod_block_worms.tgz
cd mod_block_worms-0.1.1
make all && make install
<IfModule mod_block_worms.c>
BlockWormsSignature "r57shell.php" 500
BlockWormsSignature "c99.php" 500
BlockWormsSignature "cl.php" 500
BlockWormsSignature "ShellBOT.txt" 500
BlockWormsSignature "shell.php" 500
BlockWormsSignature "cgitelnet.pl" 500
BlockWormsSignature "phpshell.php" 500
BlockWormsSignature "nstview.php" 500
BlockWormsSignature "r57.php" 500
BlockWormsSignature "phpHS.php" 500
BlockWormsSignature "r57pws.pl" 500
BlockWormsSignature "^/default.ida" 404
BlockWormsSignature "^/passwd$" 404
BlockWormsSignature "^/manual$" 404
BlockWormsSignature "^/backup.sql$" 404
BlockWormsLogFile /usr/local/apache/logs/block_worms_log
</IfModule>
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
Update rules for Mod_security:
You can get the latest rules from http://gotroot.com
Good luck
-
09-03-2007, 03:23 PM #4 WS Developer (Join Date: Nov 2003; Location: USA; Posts: 877)
I made a script of this that checks the server every night.
-
09-03-2007, 03:41 PM #5 Junior Guru (Join Date: Mar 2006; Posts: 221)
Wouldn't php_suexec be useful there?
-
09-07-2007, 02:16 PM #6 Junior Guru Wannabe (Join Date: May 2006; Posts: 73)
-
09-07-2007, 02:26 PM #7 Junior Guru Wannabe (Join Date: Apr 2005; Location: HCMC; Posts: 82)
You can check here: http://gotroot.com/tiki-index.php?pa...security+rules
-
09-07-2007, 04:14 PM #8 WHT Addict (Join Date: Jul 2004; Posts: 148)
Filename and/or signature blocking is completely pointless here. Your best bet is to disable the required PHP functions.
-
09-07-2007, 09:26 PM #9 Web Hosting Master (Join Date: Jun 2006; Location: NYC / Memphis, TN; Posts: 1,454)
If you just install the mod_sec rules it will block this sort of thing. I seem to see the "disable functions" recommendation very often but that is really not the recommended route.
If you do not want to deal with all of the additional modules/rule updates then I would recommend installing: Hardened-PHP
http://www.hardened-php.net/
-
09-07-2007, 11:45 PM #10 Web Hosting Evangelist (Join Date: Apr 2004; Location: Australia; Posts: 456)
mod_sec is good for blocking c99shell, same with disabling functions. You could also enable open_basedir to stop the c99shell script from doing any damage outside of the users account.
I would first fix the problem of it being uploaded, then work on stopping the c99shell script from functioning on your server.
-
09-08-2007, 12:27 AM #11 Disabled (Join Date: Dec 2002; Location: chica go go; Posts: 11,876)
How's your script detecting it? If it's only based on filename, it's going to be pretty useless. Also, if the script is checking the contents of each file on the system, that's going to cause some heavy load issues, and it will most likely take a few hours for the script to check every file.
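To show how a nightly check can look at file contents rather than names while keeping the load bounded, here is an added Python example (not code from the thread or from any poster). It scans only PHP files modified in the last day, matches a few illustrative indicators, and runs on a constructed sample tree; the indicator patterns are an assumption of this example, not a complete ruleset.

```python
import os, re, tempfile, time

# Content indicators (added example; patterns are illustrative, not a full ruleset).
INDICATORS = {
    "known-shell-name": re.compile(r"\b(c99shell|r57shell|phpshell|nstview)\b", re.I),
    "eval-over-decoder": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "exec-from-request": re.compile(
        r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    "long-encoded-blob": re.compile(r"['\"][A-Za-z0-9+/=]{300,}['\"]"),
}
PHP_EXT = (".php", ".php3", ".php4", ".php5", ".phtml", ".inc")

def find_indicators(text):
    """Names of all indicators that match the given file contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_tree(root, max_age_days=1, max_size=2 * 1024 * 1024):
    """Scan only PHP files modified within max_age_days and smaller than max_size.
    That bounds the nightly cost; a first full pass can use a large max_age_days.
    Returns {path: [indicator, ...]} for files with at least one hit."""
    cutoff = time.time() - max_age_days * 86400
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(PHP_EXT) or os.path.islink(path):
                continue
            st = os.stat(path)
            if st.st_mtime < cutoff or st.st_size > max_size:
                continue
            with open(path, "rb") as fh:          # latin-1 never raises on odd bytes
                found = find_indicators(fh.read().decode("latin-1"))
            if found:
                hits[path] = found
    return hits

def demo():
    """Constructed sample tree: a clean page, a fresh shell-like file, and a stale one."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "public_html", "images"))
    samples = {  # all three bodies are constructed for this example
        "public_html/index.php": "<?php echo 'hello'; ?>",
        "public_html/images/thumb.php": "<?php @passthru($_GET['cmd']); ?>",
        "public_html/old.php": "<?php eval(base64_decode($_POST['p'])); ?>",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    stale = time.time() - 10 * 86400              # push old.php outside the 1-day window
    os.utime(os.path.join(root, "public_html/old.php"), (stale, stale))
    return scan_tree(root)

if __name__ == "__main__":
    for path, found in demo().items():
        print(path, found)
```

Renaming a shell to thumb.php does not help it here, but a stale file outside the window is skipped, so the first run should use a large `max_age_days`.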
-
09-08-2007, 02:07 AM #12 Owner of the net for a day (Join Date: Jun 2002; Location: Waco, TX; Posts: 5,623)
-
09-08-2007, 09:45 PM #13 Web Hosting Guru (Join Date: Nov 2006; Location: Melbourne, Australia; Posts: 321)
You could also enable open_basedir to stop the c99shell script from doing any damage outside of the users account.
On a server I once helped admin, I had the disable_functions set to:
disable_functions = exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,popen,show_source,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,dl,symlink
If you do not want to deal with all of the additional modules/rule updates then I would recommend installing: Hardened-PHP
Wouldn't php_suexec be useful there?
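As an added example (not code from the thread or any poster), a small Python audit that parses the disable_functions lines quoted in posts #2, #3 and #13 the way PHP reads them (comma-separated, quotes and whitespace ignored), reports duplicate entries, and lists which process-execution functions a baseline expects but the line omits. The baseline set is an assumption of this example.

```python
"""Audit a php.ini disable_functions directive (added example, not from the thread)."""
import re

# Functions that let a PHP script run or load arbitrary code at OS level.
# This baseline is an assumption for the example; tune it to the server's needs.
BASELINE = frozenset({
    "exec", "system", "passthru", "shell_exec", "popen", "proc_open",
    "pcntl_exec", "dl",
})

def parse_disable_functions(line):
    """Return (ordered unique function names, duplicate names) from one directive."""
    m = re.match(r"\s*disable_functions\s*=\s*(.*)$", line, re.I)
    if not m:
        raise ValueError("not a disable_functions directive")
    raw = m.group(1).strip().strip('"\'')      # PHP accepts the value quoted or bare
    names, dups = [], []
    for part in raw.split(","):
        name = part.strip().lower()
        if not name:
            continue
        (dups if name in names else names).append(name)
    return names, dups

def audit(line, baseline=BASELINE):
    """Compare one directive against the baseline."""
    names, dups = parse_disable_functions(line)
    return {"disabled": names, "duplicates": dups,
            "missing": sorted(baseline - set(names))}

# The three directives as quoted in posts #2, #3 and #13 of the thread.
THREAD_LINES = {
    "post2": 'disable_functions = "passthru,readfile,shell_exec,escapeshellarg"',
    "post3": "disable_functions = show_source, system, shell_exec, passthru, exec, "
             "phpinfo, popen, proc_open",
    "post13": "disable_functions = exec,system,passthru,shell_exec,escapeshellarg,"
              "escapeshellcmd,proc_close,proc_open,ini_alter,popen,show_source,proc_nice, "
              "proc_terminate, proc_get_status, proc_close, pfsockopen, leak, "
              "apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, "
              "posix_setsid, posix_setuid,dl,symlink",
}

if __name__ == "__main__":
    for label, line in THREAD_LINES.items():
        r = audit(line)
        print(f"{label}: {len(r['disabled'])} disabled, "
              f"duplicates={r['duplicates']}, missing={r['missing']}")
```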
-
09-10-2007, 10:49 AM #14 Web Hosting Master (Join Date: Dec 2001; Posts: 5,221)
Greetings:
[url removed] and [url removed] are malware (reported to abuse@aplus.net) whereby error.txt shows just an example of what php functions should be disabled.
However, the error.txt script (lower down) raises a question.
In the script, the hacker uses
$disablefunc = @ini_get("disable_functions");
Without disabling the entire "ini_get" functionality, is there a way to prevent ini_get from showing what functions are disabled?
Thank you.
-
10-21-2007, 12:59 AM #15 Web Hosting Evangelist (Join Date: Jul 2003; Posts: 533)
What about if the hacker uploads a php.ini to remove the disabled functions?
-
10-21-2007, 01:05 AM #16 Web Hosting Evangelist (Join Date: Apr 2004; Location: Australia; Posts: 456)
-
10-22-2007, 05:12 AM #17 Newbie (Join Date: Oct 2007; Posts: 11)
Actually, I think you got this all wrong. The biggest security issue is not the c99 shells or similar trojans.
The issue you really need to concentrate on are the vulnerable scripts that allow hackers to upload c99 or other shells. Actually, the hackers can (usually) very well do without uploading c99 - the shells simply offer a convenience layer for them.
So, find out exactly how the shells are getting uploaded (inspect your logs) and fix your security holes. No other way to not get hacked again.
-
10-22-2007, 05:27 AM #18 Web Hosting Guru (Join Date: Jun 2007; Location: Jordan; Posts: 324)
Run these commands and see if there is any nobody permission to upload on your server:
Code:
find /home/*/public_html/ -perm 0777 -ls
find /home/*/public_html/ -uid 99 -ls
-
12-17-2007, 12:23 PM #19 Web Hosting Evangelist (Join Date: Mar 2005; Posts: 540)
Some of our customers use Mambo with external extensions.
When I turn on safe_mode their websites have problems.
What should I do?
-
12-17-2007, 03:08 PM #20 Junior Guru Wannabe (Join Date: Oct 2007; Posts: 83)
adoobi, there is another thread here:
http://www.webhostingtalk.com/showthread.php?p=4858409
Securing your server to prevent c99shell from accessing other accounts, and preventing it from being uploaded are two different things. Make sure you take steps on both of these tasks, it will help you in the long run.
@webhostbeginner
c99shell can be uploaded purposely via the template manager.
Are the administrators (not owner) of the site on-board?
-
12-18-2007, 10:52 AM #21 Keep rockin' in the free world (Join Date: May 2002; Location: Kingston, Ontario; Posts: 1,588)
You need more than just disabling php functions, upload protection is where it's at.