c99shell
  #1  
Newbie
 
Join Date: Aug 2005
Location: Kuwait
Posts: 20

c99shell


Hello,
The biggest security issue I have with my clients is the PHP c99 shell and similar PHP files. Somehow these files get uploaded to the website, and from there they start attacking the websites.
I have also seen that once you upload the c99 PHP file you are able to see the account information (such as a username) on the same server.

So is there any way to disable this kind of PHP file, or at least disable some function within the file?
I have been thinking of installing and running an antivirus on the server, but I see that sometimes they upload an encrypted version of the file, so the antivirus can't catch the file as a trojan!


Last edited by adoobi; 09-03-2007 at 04:54 AM.


  #2  
Web Hosting Master
 
Join Date: Oct 2004
Location: Kerala, India
Posts: 4,740
Install mod_security on the server. Add tight rules to the mod_sec conf. You can disable PHP functions server-wide using the disable_functions option in php.ini.

E.g.:

disable_functions = "passthru,readfile,shell_exec,escapeshellarg"


  #3  
Junior Guru Wannabe
 
Join Date: Apr 2005
Posts: 81
You can install mod_block_worms and update the rules for mod_security on your server.

mod_block_worms:

Log in via SSH and su to root:

Quote:
wget http://html.conclase.net/cp/scripts/mod_block_worms.tgz

tar zxf mod_block_worms.tgz

cd mod_block_worms-0.1.1

make all && make install
After that add this to your httpd.conf:

Quote:
<IfModule mod_block_worms.c>

BlockWormsSignature "r57shell.php" 500
BlockWormsSignature "c99.php" 500
BlockWormsSignature "cl.php" 500
BlockWormsSignature "ShellBOT.txt" 500
BlockWormsSignature "shell.php" 500
BlockWormsSignature "cgitelnet.pl" 500
BlockWormsSignature "phpshell.php" 500
BlockWormsSignature "nstview.php" 500
BlockWormsSignature "r57.php" 500
BlockWormsSignature "phpHS.php" 500
BlockWormsSignature "r57pws.pl" 500
BlockWormsSignature "^/default.ida" 404
BlockWormsSignature "^/passwd$" 404
BlockWormsSignature "^/manual$" 404
BlockWormsSignature "^/backup.sql$" 404

BlockWormsLogFile /usr/local/apache/logs/block_worms_log

</IfModule>
Disable functions via php.ini: edit your php.ini file, search for disable_functions (Ctrl+W), then add:

Quote:
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
Save and restart Apache.

Update rules for mod_security:

You can get the latest rules from http://gotroot.com

Good luck

  #4  
Web Development
 
Join Date: Nov 2003
Location: USA
Posts: 694
I made a script for this that checks the server every night.


  #5  
Junior Guru
 
Join Date: Mar 2006
Posts: 221
Wouldn't php_suexec be useful there?

  #6  
Junior Guru Wannabe
 
Join Date: May 2006
Posts: 72
Quote:
Originally Posted by SV_Ngheo
You can get the latest rules from...
The site is only the Apache default page.

  #8  
WHT Addict
 
Join Date: Jul 2004
Posts: 146
Filename and/or signature blocking is completely pointless here. Your best bet is to disable the required PHP functions.

  #9  
Web Hosting Master
 
Join Date: Jun 2006
Location: NYC
Posts: 1,408
Quote:
Originally Posted by SV_Ngheo
If you just install the mod_sec rules it will block this sort of thing. I seem to see the "disable functions" recommendation very often but that is really not the recommended route.

If you do not want to deal with all of the additional modules/rule updates then I would recommend installing: Hardened-PHP

http://www.hardened-php.net/

  #10  
Aspiring Evangelist
 
Join Date: Apr 2004
Location: Australia
Posts: 448
mod_sec is good for blocking c99shell, same with disabling functions. You could also enable open_basedir to stop the c99shell script from doing any damage outside of the user's account.

I would first fix the problem of it being uploaded, then work on stopping the c99shell script from functioning on your server.

  #11  
Disabled
 
Join Date: Dec 2002
Location: chica go go
Posts: 11,858
Quote:
Originally Posted by htb
I made a script for this that checks the server every night.
How's your script detecting it? If it's only based on filename, it's going to be pretty useless. Also, if the script is checking the contents of each file on the system, that's going to cause some heavy load issues, and it will most likely take a few hours for the script to check every file.

  #12  
Owner of the net for a day
 
Join Date: Jun 2002
Location: Waco, TX
Posts: 5,031
Good point, and it doesn't account for remote includes in all those insecure apps either.
Quote:
Originally Posted by ub3r
How's your script detecting it? If it's only based on filename, it's going to be pretty useless. Also, if the script is checking the contents of each file on the system, that's going to cause some heavy load issues, and it will most likely take a few hours for the script to check every file.

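The content-based nightly check that posts #11 and #12 ask about, written here as an added example (it is not htb's script nor any tool from the thread). It judges files by what they contain rather than their names (post #8's objection), peels a base64 layer so an "encrypted" copy is still recognised (post #1's concern), and bounds the load by a size limit and a "changed since last run" filter. The indicator patterns, the limits and the sample directory tree are constructed assumptions.

```python
import base64
import os
import pathlib
import re
import tempfile

INDICATORS = {
    "known_shell_name": re.compile(r"c99shell|r57shell|phpshell", re.I),
    "eval_of_decoded_blob": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "probes_disable_functions": re.compile(r"ini_get\s*\(\s*['\"]disable_functions['\"]"),
}
B64_ARG = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]{16,})['\"]")
MAX_BYTES = 512 * 1024  # shells are small; skipping big files bounds the load

def indicators_in(text):
    """Indicators in text; the file name is never consulted. Peels base64 layers."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(text)}
    for blob in B64_ARG.findall(text):
        try:
            inner = base64.b64decode("".join(blob.split()), validate=True)
        except ValueError:
            continue
        if inner_hits := indicators_in(inner.decode("latin-1")):
            hits |= inner_hits | {"base64_wrapped"}
    return hits

def scan_tree(root, since=0.0):
    """{relative path: sorted indicators} for files modified at or after since."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if (st := os.stat(path)).st_size > MAX_BYTES or st.st_mtime < since:
                continue  # nightly run: pass the previous run's time as since
            with open(path, encoding="latin-1") as fh:
                hits = indicators_in(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = sorted(hits)
    return findings

def build_sample_tree():
    """Constructed fixture: a benign index.php plus a base64-wrapped shell body."""
    body = b'<?php $disablefunc = @ini_get("disable_functions"); // c99shell'
    wrapped = "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(body).decode()
    root = pathlib.Path(tempfile.mkdtemp())
    (root / "images").mkdir()
    (root / "index.php").write_text("<?php echo 'hello'; ?>")
    (root / "images" / "logo.php").write_text(wrapped)
    return str(root)
```

Running `scan_tree(build_sample_tree())` flags only images/logo.php, with the decoded body's indicators listed alongside base64_wrapped; the benign index.php produces nothing.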

  #13  
Web Hosting Guru
 
Join Date: Nov 2006
Location: Melbourne, Australia
Posts: 310
Quote:
You could also enable open_basedir to stop the c99shell script from doing any damage outside of the users account.
That won't help if it uses exec(), shell_exec() or system() or similar. These functions aren't restricted by open_basedir, as they're executed directly by PHP.

On a server I once helped admin, I had disable_functions set to:
Quote:
disable_functions = exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,popen,show_source,proc_nice,proc_terminate,proc_get_status,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,dl,symlink
I'm not sure how much of that is really needed.

Quote:
If you do not want to deal with all of the additional modules/rule updates then I would recommend installing: Hardened-PHP
You mean Suhosin.

Quote:
Wouldn't php_suexec be usefull there ?
Yes, in a sense... Instead of things being executed as "nobody" or "www-data", they'd be executed as the user that owns the file. Theoretically, in this case, there shouldn't be any problems: the user can only access what they're meant to access, as the UNIX permissions would control this. This isn't always the case though... They can still write to files chmodded to 0777.


Last edited by Daniel15; 09-08-2007 at 09:48 PM.
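An audit of the php.ini settings discussed in posts #2, #3 and #13, added here as an example that is not from the thread. It accepts both forms the posts show (a quoted comma-only list and an unquoted list with spaces), reports which of the thread's recommended functions are still enabled, flags duplicates such as the repeated proc_close above, and checks whether open_basedir is set at all. The grouping of functions and the sample ini are assumptions made for the example.

```python
# Functions the replies name for disable_functions. The first group is what
# lets an uploaded shell run commands; the second only leaks configuration or
# source. escapeshellarg/escapeshellcmd are left out on purpose: they quote
# strings and execute nothing, so disabling them buys no protection.
PROCESS_FUNCS = {"exec", "system", "passthru", "shell_exec", "popen", "proc_open"}
INFO_FUNCS = {"phpinfo", "show_source", "ini_alter"}

def parse_ini(text):
    """Minimal php.ini reader: key = value lines, ';' comments, optional quotes."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip("\"'")
    return settings

def split_list(value):
    """disable_functions accepts 'a,b' and 'a, b' alike; normalise both."""
    return [f.strip().lower() for f in value.split(",") if f.strip()]

def audit(ini_text):
    """Report what the ini disables, what it is still missing, and open_basedir."""
    settings = parse_ini(ini_text)
    disabled = split_list(settings.get("disable_functions", ""))
    seen = set(disabled)
    return {
        "disabled": sorted(seen),
        "missing_process_funcs": sorted(PROCESS_FUNCS - seen),
        "missing_info_funcs": sorted(INFO_FUNCS - seen),
        "duplicates": sorted({f for f in disabled if disabled.count(f) > 1}),
        "open_basedir": settings.get("open_basedir") or None,
    }

# Constructed sample: the value suggested in post #2, with no open_basedir set.
SAMPLE_INI = """\
; constructed php.ini fragment for this example
expose_php = Off
disable_functions = "passthru,readfile,shell_exec,escapeshellarg"
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_INI).items():
        print(f"{key}: {value}")
```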
  #14  
Web Hosting Master
 
Join Date: Dec 2001
Posts: 5,221
Greetings:

[url removed] and [url removed] are malware (reported to abuse@aplus.net), whereby error.txt shows just an example of what PHP functions should be disabled.

However, the error.txt script (lower down) raises a question.

In the script, the hacker uses

$disablefunc = @ini_get("disable_functions");

Without disabling the entire "ini_get" functionality, is there a way to prevent ini_get from showing what functions are disabled?

Thank you.




Last edited by bear; 09-10-2007 at 10:55 AM.
  #15  
Web Hosting Evangelist
 
Join Date: Jul 2003
Posts: 527
What about if the hacker uploads a php.ini to remove the disabled functions?
