Nabble – IMPORTANT More UpLoad hacks

by | 5 May, 2007

Re: IMPORTANT More UpLoad hacks

by Harold Hallikainen Apr 12, 2007; 12:31pm


> 2007/4/12, Harold Hallikainen :
>> > 2007/4/12, Sabri LABBENE :
>> >> Reini Urban wrote:
>> >> >Via the Phpwiki 1.3.x UpLoad feature some hackers from russia upload a
>> >> >php3 or php4 file,
>> >> >install a backdoor at port 8081 and have access to your whole
>> >> >disc and overtake the server.
>> >> >
>> >> >See http://ccteam.ru/releases/c99shell
>> >>
>> >> I think that the URL is wrong.
>> >
>> > This url obviously worked in 2006. Now it is gone.
>> >
>> > I submitted a critical security alert to CERT and it will be in the
>> > cve reports of mitre.org
>> > also then (hopefully).
>>
>> As the one who was attacked, I can give you the IP addresses of the
>> attackers. Second, instead of disallowed extensions, I think it would be
>> much safer to have a list of ALLOWED extensions. I see this as a todo in
>> the upload plugin.
>
> Hm, I will think about it. Other opinions?
>
>> I have set my upload directory as read only and require users to now
>> email me stuff to post.
>>
>> As to how much was visible to the hackers (and I have the code for their
>> script), it SEEMS that it would only be what user apache could see, which
>> would be stuff it owns and stuff that is world readable. Is that
>> correct?
>
> Well not really. The c99shell script tries in various ways to get more
> access.
> At first it compiles and installs a backdoor at port 8081 and then
> with shell access it’s normally quite easy for an experienced hacker
> to get root.
>
> —
> Reini Urban

THANKS for the support on this issue! I did an updatedb, then did locate
c99. The only stuff that comes up is this:

/usr/include/boost/numeric/interval/detail/c99sub_rounding_control.hpp
/usr/include/boost/numeric/interval/detail/c99_rounding_control.hpp
/usr/share/man/man1p/c99.1p.gz
/usr/bin/c99

In addition, port 8081 is blocked at the router (for incoming requests).
So, I’m hoping I’m ok!
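The thread makes two practical points: an upload plugin should accept only a list of ALLOWED extensions rather than try to enumerate disallowed ones, and searching the disk for a file called "c99" only finds a webshell that kept its original name. The following is an added example written for this page, not code from PhpWiki or from anyone in the thread. It implements an extension allowlist the way a defender would want it (one extension only, case-insensitive, no dotfiles) and reuses the same check to audit an existing upload directory for anything that would not have passed. The allowed-extension list and the directory path are assumptions for illustration.

```php
<?php
// Added example (not PhpWiki's own code): validate uploaded file names against an
// allowlist of extensions instead of a denylist, and audit an existing upload
// directory for anything that does not pass the same check.

// Extensions the wiki actually needs to serve (assumed list for this example).
// Anything not listed is rejected, so new executable extensions such as php3,
// php4 or phtml never have to be anticipated one by one.
const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt', 'zip'];

/**
 * Return true if $filename has exactly one extension and it is on the allowlist.
 * Names with several dots are rejected because Apache's mod_mime can assign a
 * handler from any of the extensions, so "image.php.gif" must not be accepted.
 */
function isAllowedUpload(string $filename): bool
{
    // Use only the last path component in case the client sends a path.
    $base = basename($filename);
    if ($base === '' || $base[0] === '.') {
        return false;                        // empty name or dotfile (e.g. ".htaccess")
    }
    $parts = explode('.', $base);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return false;                        // no extension, or more than one
    }
    $ext = strtolower($parts[1]);
    return in_array($ext, ALLOWED_EXTENSIONS, true);
}

/**
 * Walk an upload directory and return every file that would NOT pass the check
 * above. Unlike "locate c99", this does not depend on the attacker's file name.
 */
function auditUploadDir(string $dir): array
{
    $unexpected = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {           // $file is an SplFileInfo
        if ($file->isFile() && !isAllowedUpload($file->getFilename())) {
            $unexpected[] = $file->getPathname();
        }
    }
    return $unexpected;
}

// Self-check with constructed names (not taken from the thread).
$samples = ['diagram.png', 'report.PDF', 'shell.php3', 'image.php.gif', '.htaccess', 'readme'];
foreach ($samples as $name) {
    printf("%-15s %s\n", $name, isAllowedUpload($name) ? 'allowed' : 'REJECTED');
}

// Usage: php audit.php /path/to/wiki/uploads   (assumed path)
if (PHP_SAPI === 'cli' && isset($argv[1]) && is_dir($argv[1])) {
    foreach (auditUploadDir($argv[1]) as $path) {
        echo "unexpected file: $path\n";
    }
}
```

Of the sample names only `diagram.png` and `report.PDF` pass; `shell.php3`, `image.php.gif`, `.htaccess` and the extension-less `readme` are rejected. An extension allowlist only controls what the web server will be asked to execute; it says nothing about the file's contents, so it belongs alongside the measures already mentioned in the thread (an upload directory the web server cannot write to, and no script execution from that directory) rather than in place of them.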
