
SANS ISC: PHP/BackDoor.gen - SANS Internet Storm Center


PHP/BackDoor.gen
McAfee has developed a generic detection - PHP/BackDoor.gen. They say it's a detection for a "remote access trojan written in PHP scripting language".

One use of it happened at and is described here and says:

"The attack came about because of a major security hole in the Simple PHP Blog that was being used in the political subdomain of the Nos site. The security hole allowed for an outside CGI script injection that revealed the login and password for the blog. From there, the hacker used the c99shell.php (v.1.0 pre-release build #13) script, which while not allowing direct admin access to the server and its modules, allows for deletion of basically all common and not so common files from the root level all the way down. So, this is why everything was gone from the site, as the hacker just deleted everything from the server itself.

I went to the blog author's site and saw that several other people have also suffered the same fate, although in their cases it was generally only the blog itself that was hacked as that was all they were using on their site. In any case, I did let them have a piece of my mind and basically said that anything that is that wide open should not even be released as an alpha version, much less beta.

I went over my data logs and was able to easily obtain the hacker's IP address as well as all activity on the site. Their host, ISP and the FBI will be contacted this week about this intrusion.

I urge everyone who is using Simple PHP Blog to remove it from your server and use a more secure blog, such as Serendipity."

Not included in the McAfee write-up of their version of c99shell.txt is some basic default information (from c99shell.php v.1.0 pre-release build #16):

xxxxx

$nixpwdperpage = 100; // Get first N lines from /etc/passwd

xxxxx

$bindport_pass = "c99";      // default password for binding
$bindport_port = "31373"; // default port for binding
$bc_port = "31373"; // default port for back-connect
$datapipe_localport = "8081"; // default port for datapipe

xxxxx

   all suid files", "find / -type f -perm -04000 -ls
   suid files in current dir", "find . -type f -perm -04000 -ls
   all sgid files", "find / -type f -perm -02000 -ls
   sgid files in current dir", "find . -type f -perm -02000 -ls
   config.inc.php files", "find / -type f -name config.inc.php
   config* files", "find / -type f -name \"config*\"
   config* files in current dir", "find . -type f -name \"config*\"
   all writable folders and files", "find / -perm -2 -ls
   all writable folders and files in current dir", "find . -perm -2 -ls
   all service.pwd files", "find / -type f -name service.pwd
   service.pwd files in current dir", "find . -type f -name service.pwd
   all .htpasswd files", "find / -type f -name .htpasswd
   .htpasswd files in current dir", "find . -type f -name .htpasswd
   all .bash_history files", "find / -type f -name .bash_history
   .bash_history files in current dir", "find . -type f -name .bash_history
   all .fetchmailrc files", "find / -type f -name .fetchmailrc
   .fetchmailrc files in current dir", "find . -type f -name .fetchmailrc
   list file attributes on a Linux second extended file system", "lsattr -va
   show opened ports", "netstat -an | grep -i listen

xxxxx

Attention! SQL-Manager is <u>NOT</u> ready module! Don't reports bugs.

xxxxx

echo "<b>Ftp Quick brute:</b><br>";
 if (!win) {echo "This functions not work in Windows!<br><br>";}

xxxxx
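The default settings and command aliases quoted above are stable strings that a defender can look for in files dropped on a web server. The scanner below is an added example, not part of this diary or of McAfee's signature: it walks a web root, scores PHP-type files against markers lifted from those excerpts, and reports anything at or above a threshold. The marker weights, the threshold and the two sample files are assumptions constructed for this example.

```python
import os
import re
import tempfile

# Markers taken from the c99shell defaults quoted above; weights are this example's own choice.
C99_INDICATORS = [
    ("bindport defaults", re.compile(r'\$bindport_(pass|port)\s*=\s*"'), 3),
    ("back-connect port", re.compile(r'\$bc_port\s*=\s*"31373"'), 3),
    ("passwd page size", re.compile(r'\$nixpwdperpage\s*='), 2),
    ("suid/sgid hunt", re.compile(r'find / -type f -perm -0[24]000 -ls'), 2),
    ("credential file hunt", re.compile(r'find / -type f -name (\.htpasswd|service\.pwd|\.bash_history)'), 2),
    ("FTP brute banner", re.compile(r'Ftp Quick brute'), 3),
]

def score_source(src):
    """Return (score, matched marker names) for one file's contents."""
    hits, score = [], 0
    for name, rx, weight in C99_INDICATORS:
        if rx.search(src):
            hits.append(name)
            score += weight
    return score, hits

def scan_webroot(root, threshold=5):
    """Walk root, score PHP-type files, return (path, score, hits) at or above threshold."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".php", ".phtml", ".inc", ".txt")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, hits = score_source(fh.read())
            if score >= threshold:
                findings.append((path, score, hits))
    return sorted(findings, key=lambda f: -f[1])

# Constructed samples: the first reproduces defaults quoted on this page, the second is benign.
SAMPLE_SHELL = ('<?php\n$nixpwdperpage = 100;\n$bindport_pass = "c99";\n'
                '$bc_port = "31373";\necho "<b>Ftp Quick brute:</b><br>";\n')
SAMPLE_BENIGN = '<?php\n$port = "31373"; // an unrelated setting\necho "hello";\n'

def demo():
    """Write both samples into a temp dir, scan it, and return findings keyed by basename."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in (("c99.php", SAMPLE_SHELL), ("index.php", SAMPLE_BENIGN)):
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(body)
        return [(os.path.basename(p), s, h) for p, s, h in scan_webroot(tmp)]
```

A file that trips several markers at once is a far stronger signal than any single port number, which is why the scoring combines them rather than alerting on one string.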

Simple PHP Blog vulnerability and patch link from Secunia.

Patrick

