PHP/BackDoor.gen
McAfee has developed a generic detection, PHP/BackDoor.gen, which they describe as a detection for a "remote access trojan written in PHP scripting language".
One use of it happened at and is described here, and says:
"The attack came about because of a major security hole in the Simple PHP Blog that was being used in the political subdomain of the Nos site. The security hole allowed for an outside CGI script injection that revealed the login and password for the blog. From there, the hacker used the c99shell.php (v.1.0 pre-release build #13) script, which while not allowing direct admin access to the server and its modules, allows for deletion of basically all common and not so common files from the root level all the way down. So, this is why everything was gone from the site, as the hacker just deleted everything from the server itself.
I went to the blog author's site and saw that several other people have also suffered the same fate, although in their cases it was generally only the blog itself that was hacked as that was all they were using on their site. In any case, I did let them have a piece of my mind, basically saying that anything that is that wide open should not even be released as an alpha version, much less beta.
I went over my data logs and was able to easily obtain the hacker's IP address as well as all activity on the site. Their host, ISP and the FBI will be contacted this week about this intrusion.
I urge everyone who is using Simple PHP Blog to remove it from your server and use a more secure blog, such as Serendipity."
Not included in the McAfee write-up of their version of c99shell.txt is some basic default information (from c99shell.php v.1.0 pre-release build #16):
xxxxx
$nixpwdperpage = 100; // Get first N lines from /etc/passwd
xxxxx
$bindport_pass = "c99"; // default password for binding
$bindport_port = "31373"; // default port for binding
$bc_port = "31373"; // default port for back-connect
$datapipe_localport = "8081"; // default port for datapipe
xxxxx
"all suid files", "find / -type f -perm -04000 -ls"
"suid files in current dir", "find . -type f -perm -04000 -ls"
"all sgid files", "find / -type f -perm -02000 -ls"
"sgid files in current dir", "find . -type f -perm -02000 -ls"
"config.inc.php files", "find / -type f -name config.inc.php"
"config* files", "find / -type f -name \"config*\""
"config* files in current dir", "find . -type f -name \"config*\""
"all writable folders and files", "find / -perm -2 -ls"
"all writable folders and files in current dir", "find . -perm -2 -ls"
"all service.pwd files", "find / -type f -name service.pwd"
"service.pwd files in current dir", "find . -type f -name service.pwd"
"all .htpasswd files", "find / -type f -name .htpasswd"
".htpasswd files in current dir", "find . -type f -name .htpasswd"
"all .bash_history files", "find / -type f -name .bash_history"
".bash_history files in current dir", "find . -type f -name .bash_history"
"all .fetchmailrc files", "find / -type f -name .fetchmailrc"
".fetchmailrc files in current dir", "find . -type f -name .fetchmailrc"
"list file attributes on a Linux second extended file system", "lsattr -va"
"show opened ports", "netstat -an | grep -i listen"
xxxxx
Attention! SQL-Manager is <u>NOT</u> ready module! Don't reports bugs.
xxxxx
echo "<b>Ftp Quick brute:</b><br>";
if (!win) {echo "This functions not work in Windows!<br><br>";}
xxxxx
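The defaults quoted above are usable as detection indicators. The following is an added example written for this diary (it is not McAfee's code and not part of c99shell): a small Python scanner that checks PHP source for the default variable assignments, banner strings and recon aliases listed above, and checks netstat-style output for the default bind and datapipe ports (31373 and 8081). The variable names, strings and ports come from the quoted defaults; the sample PHP fragments and the netstat excerpt are constructed for the example, and the two-indicator threshold is an assumption chosen to avoid flagging an isolated find command.

```python
"""Scan PHP source for c99shell default indicators and check listener output
for its default ports. Added example for this diary; not McAfee's or c99shell's code."""
import re
from typing import Dict, List

# Indicator patterns built from the c99shell v1.0 pre-release build #16
# defaults quoted in the diary. Keys are the labels used in the report.
C99_STRING_INDICATORS: Dict[str, str] = {
    "bindport_pass_default": r'\$bindport_pass\s*=\s*"c99"',
    "bindport_port_default": r'\$bindport_port\s*=\s*"31373"',
    "backconnect_port_default": r'\$bc_port\s*=\s*"31373"',
    "datapipe_port_default": r'\$datapipe_localport\s*=\s*"8081"',
    "nixpwdperpage": r'\$nixpwdperpage\s*=',
    "ftp_quick_brute_banner": r'Ftp Quick brute',
    "sql_manager_notice": r'SQL-Manager is <u>NOT</u> ready module',
    # recon aliases from the shell's command list
    "suid_find_alias": r'find / -type f -perm -04000 -ls',
    "htpasswd_find_alias": r'find / -type f -name \.htpasswd',
}

# Ports the shell binds or pipes through by default (from the quoted defaults).
C99_DEFAULT_PORTS = {31373, 8081}


def scan_php_source(source: str) -> List[str]:
    """Return the labels of every indicator pattern found in a PHP source string."""
    return [label for label, pattern in C99_STRING_INDICATORS.items()
            if re.search(pattern, source)]


def is_likely_c99shell(source: str, threshold: int = 2) -> bool:
    """Flag a file when at least `threshold` independent indicators match.
    A single hit (e.g. one find alias) can occur in legitimate admin tooling;
    several together are characteristic of the web shell. The threshold is an
    assumption for this example, not a vendor-published rule."""
    return len(scan_php_source(source)) >= threshold


# Matches LISTEN lines in Linux net-tools `netstat -an` layout (assumed format).
_LISTEN_RE = re.compile(
    r'^(?:tcp|tcp6)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN', re.M)


def suspicious_listeners(netstat_output: str) -> List[int]:
    """Return the c99shell default ports found in LISTEN state, sorted."""
    ports = {int(m.group(2)) for m in _LISTEN_RE.finditer(netstat_output)}
    return sorted(ports & C99_DEFAULT_PORTS)


# Constructed sample: a fragment resembling the defaults quoted in the diary.
SAMPLE_SHELL = '''<?php
$nixpwdperpage = 100; // Get first N lines from /etc/passwd
$bindport_pass = "c99"; // default password for binding
$bindport_port = "31373"; // default port for binding
$bc_port = "31373"; // default port for back-connect
$datapipe_localport = "8081"; // default port for datapipe
echo "<b>Ftp Quick brute:</b><br>";
'''

# Constructed sample: an ordinary blog config include that must not be flagged.
SAMPLE_BENIGN = '''<?php
$config["blog_title"] = "My blog";
$config["entries_per_page"] = 10;
'''

# Constructed `netstat -an` excerpt in the Linux net-tools layout.
SAMPLE_NETSTAT = '''Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31373           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8081          0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             10.0.0.9:51234          ESTABLISHED
'''

if __name__ == "__main__":
    print("indicators:", scan_php_source(SAMPLE_SHELL))
    print("shell flagged:", is_likely_c99shell(SAMPLE_SHELL),
          "benign flagged:", is_likely_c99shell(SAMPLE_BENIGN))
    print("default ports listening:", suspicious_listeners(SAMPLE_NETSTAT))
```

On a real host the PHP scan would be run over the web root (any file, not only `*.php`, since shells are often dropped with image or text extensions) and the listener check over live `netstat -an` or `ss -ltn` output; a hit on the default ports is only a lead, because the operator can change them, so file indicators and port indicators are best used together.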
Simple PHP Blog vulnerability and patch link for Secunia.