Re: IMPORTANT More UpLoad hacks
by Harold Hallikainen Apr 12, 2007; 12:31pm :: Rate this Message: – Use ratings to moderate (?)
> 2007/4/12, Harold Hallikainen
>> > 2007/4/12, Sabri LABBENE
>> >> Reini Urban wrote:
>> >> >Via the Phpwiki 1.3.x UpLoad feature some hackers from russia upload
>> >> >php3 or php4 file,
>> >> >install a backdoor at port 8081 and have access to your whole
>> >> >disc and overtake the server.
>> >> >
>> >> >See http://ccteam.ru/releases/c99shell
>> >> I think that the URL is wrong.
>> > This url obviously worked in 2006. Now it is gone.
>> > I submitted a critical security alert to CERT and it will be in the
>> > cve reports of mitre.org
>> > also then (hopefully).
>> As the one who was attacked, I can give you the IP addresses of the
>> attackers. Second, instead of disallowed extensions, I think it would be
>> much safer to have a list of ALLOWED extensions. I see this as a todo in
>> the upload plugin.
> Hm, I will think about it. Other opinions?
>> I have set my upload directory as read only and require users to now
>> me stuff to post.
>> As to how much was visible to the hackers (and I have the code for their
>> script), it SEEMS that it would only be what user apache could see,
>> would be stuff it owns and stuff that is world readable. Is that
> Well not really. The c99shell script tries in various ways to get more
> At first it compiles and installs a backdoor at port 8081 and then
> with shell access it’s normally quite easy for an experienced hacker
> to get root.
> Reini Urban
THANKS for the support on this issue! I did an updatedb, then did locate
c99. The only stuff that comes up is this:
In addition, port 8081 is blocked at the router (for incoming requests).
So, I’m hoping I’m ok!