PHP attacks on campus web servers

From: by way of Aron Roberts <jives_at_security.berkeley.edu>
Date: Wed, 5 Sep 2007 11:35:32 -0700

Over the past several weeks we in SNS have been seeing an increase in
the number of attacks against PHP. These attacks have been
attempting to exploit various PHP functions that cause PHP to
download code from a remote site and run it such as allow_url_fopen
and allow_url_include. While these calls can be used safely, they are
frequently not used with adequate protections and have been the
source of security issues in many commonly used PHP scripts. While
these attacks are primarily used against UNIX based systems, Windows
systems are not immune, provided they are using PHP.

One of the biggest problems we have seen come out of these attacks is
the proliferation of web backdoors which can be accessed from any
host with a web browser. These backdoors allow attackers to open
shells, run commands, upload/download files and attack other systems,
all with the click of a mouse. The two most common backdoors around
appear to be the c99shell and the r57shell. While we have IDS rules
to detect these backdoors when they are in use across the network,
there is no way that we, SNS, can reliably detect if one has been
placed on a system and is being left for use at a later time. With
that in mind, we urge System and Web Administrators to search their
web directory structures for the following strings using grep or
fgrep:

The r57Shell:
  r57shell
  RST/GHC
  rst.void.ru
  ghc.ru

The C99Shell:
  c99shell
  CCTeaM
  ccteam.ru
  tristram

While this list is not guaranteed to find these shells, the strings are
based upon the publicly disclosed source code for these backdoors
and should find any file that has not been customized too much (which
is what we have seen most of the time so far).

Additionally, grepping for allow_url_fopen and allow_url_include will
help you identify applications that may or may not be vulnerable to
these attacks (though keep in mind there are other avenues of attack).
If, after reviewing your system, you are able to determine that you do
not need these functions, then you should look to disable them in the
php.ini file. (More information on disabling them can be found at
http://phpsec.org/projects/phpsecinfo/tests/allow_url_fopen.html and
http://phpsec.org/projects/phpsecinfo/tests/allow_url_include.html).
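The two checks recommended above (grepping a web tree for the backdoor marker strings, and grepping for allow_url_fopen / allow_url_include before deciding whether to turn them off in php.ini) as one added shell example. This script is not from the message or from SNS; the directory layout, file names and sample file contents are constructed here so it runs stand-alone, and the heuristic for request-controlled include statements is an addition beyond the strings the message lists.

```shell
#!/bin/sh
# Added example, not part of the original message. Audits a web root for the
# r57shell/c99shell markers listed above and for PHP code that leans on the
# remote-URL wrappers, then reports the php.ini state of the two directives.
# All sample files and paths below are constructed for the demonstration.

# Marker strings for r57shell and c99shell, exactly as listed in the message.
# -F treats them literally, -i also catches "C99Shell"-style capitalisation,
# -I skips binaries. Short markers such as "tristram" or "ghc.ru" can hit
# legitimate text, so every match is reported for a human to review.
scan_backdoors() {
    # prints one "path:matched-marker" line per hit under directory $1
    grep -rIoiF \
        -e r57shell -e RST/GHC -e rst.void.ru -e ghc.ru \
        -e c99shell -e CCTeaM -e ccteam.ru -e tristram \
        "$1" 2>/dev/null | sort -u
}

# Heuristic (assumption, not from the message): list PHP files that mention
# either ini directive, plus include/require statements whose path comes
# straight from a request superglobal, which is the pattern allow_url_include
# turns into remote code execution. Hits are review candidates, not verdicts.
audit_url_includes() {
    find "$1" -type f -name '*.php' -exec grep -lIE \
        -e 'allow_url_(fopen|include)' \
        -e '(include|require)(_once)?[[:space:]]*\(?[[:space:]]*\$_(GET|POST|REQUEST|COOKIE)' \
        {} + 2>/dev/null | sort -u
}

# Print the value a php.ini file sets for directive $2, or "unset" when no
# uncommented line sets it (";" starts a comment in php.ini).
ini_directive() {
    ini=$1; name=$2
    val=$(grep -iE "^[[:space:]]*$name[[:space:]]*=" "$ini" 2>/dev/null \
          | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/;.*$//; s/[[:space:]]*$//')
    [ -n "$val" ] && printf '%s\n' "$val" || printf 'unset\n'
}

# Exit status 0 when directive $2 in php.ini $1 is effectively enabled. When
# the file does not set it, PHP's own default applies: allow_url_fopen
# defaults to On, allow_url_include to Off (PHP 5.2 and later).
url_wrapper_enabled() {
    val=$(ini_directive "$1" "$2")
    case "$val" in
        unset) [ "$2" = allow_url_fopen ] ;;
        [Oo][Nn]|1|[Tt][Rr][Uu][Ee]|[Yy][Ee][Ss]) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed demo tree: one clean page, one file carrying a marker string
# (only the string, standing in for a dropped backdoor), one loader that
# enables the wrapper and includes a request-supplied path, and a weak
# php.ini beside the hardened lines an administrator would apply.
make_demo_tree() {
    root=$1
    mkdir -p "$root/htdocs/uploads" "$root/htdocs/inc" "$root/etc"
    printf '<?php echo "hello"; ?>\n' > "$root/htdocs/index.php"
    printf '<?php /* C99Shell marker placeholder */ ?>\n' > "$root/htdocs/uploads/img.php"
    printf '<?php ini_set("allow_url_include", 1);\ninclude $_GET["page"];\n' > "$root/htdocs/inc/loader.php"
    printf 'allow_url_fopen = On ; weak\n; allow_url_include = Off\n' > "$root/etc/php.ini"
    printf 'allow_url_fopen = Off\nallow_url_include = Off\n' > "$root/etc/php.ini.hardened"
}

main() {
    demo=$(mktemp -d)
    make_demo_tree "$demo"
    echo "== backdoor marker hits =="; scan_backdoors "$demo/htdocs"
    echo "== remote-include candidates =="; audit_url_includes "$demo/htdocs"
    for f in php.ini php.ini.hardened; do
        for dname in allow_url_fopen allow_url_include; do
            if url_wrapper_enabled "$demo/etc/$f" "$dname"; then s=ENABLED; else s=disabled; fi
            echo "$f: $dname = $(ini_directive "$demo/etc/$f" "$dname") ($s)"
        done
    done
    rm -rf "$demo"
}

main
```

Pointed at a real document root and the server's php.ini instead of the constructed tree, scan_backdoors gives the list of files to inspect by hand, audit_url_includes narrows the code review to the places that would need the wrappers, and url_wrapper_enabled tells you whether php.ini currently leaves allow_url_fopen on by default even when the line is absent.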

Yours,

John Ives

-- 
-------------------------------------------------------------------------
John Ives                                           Phone (510) 642-7773
System & Network Security                           Cell (510) 229-8676
University of California, Berkeley
-------------------------------------------------------------------------
-------------------------------------
Sent via the ucb-security mailing list.
Received on Wed Sep 05 2007 - 11:38:11 PDT
