PHP attacks on campus web servers

From: John Ives <jives_at_security.berkeley.edu>
Date: Tue, 04 Sep 2007 16:28:28 -0700

Over the past several weeks we in SNS have been seeing an increase in
the number of attacks against PHP. These attacks have been attempting
to exploit PHP features, such as the allow_url_fopen and
allow_url_include settings, that cause PHP to download code from a
remote site and run it. While these features can be used safely, they
are frequently not used with adequate protections and have been the
source of security issues in many commonly used PHP scripts. While
these attacks are primarily used against UNIX-based systems, Windows
systems are not immune, provided they are running PHP.

One of the biggest problems we have seen come out of these attacks is
the proliferation of web backdoors which can be accessed from any host
with a web browser. These backdoors allow attackers to open shells, run
commands, upload/download files and attack other systems, all with the
click of a mouse. The two most common backdoors around appear to be the
c99shell and the r57shell. While we have IDS rules to detect these
backdoors when they are in use across the network, there is no way that
we, SNS, can reliably detect if one has been placed on a system and is
being left for use at a later time. With that in mind, we urge System
and Web Administrators to search their web directory structures for the
following strings using grep or fgrep:

The r57Shell:
r57shell
RST/GHC
rst.void.ru
ghc.ru

The C99Shell:
c99shell
CCTeaM
ccteam.ru
tristram

While this list is not guaranteed to find these shells, the strings are
based upon the publicly disclosed source code for these backdoors and
should find any file that has not been customized too much (which is
what we have seen most of the time so far).

Additionally, grepping for allow_url_fopen and allow_url_include will
help you identify applications that may or may not be vulnerable to
these attacks (though keep in mind there are other avenues of attack).
If, after reviewing your system, you are able to determine that you do
not need these features, then you should look to disable them in the
php.ini file. (More information on disabling them can be found at
http://phpsec.org/projects/phpsecinfo/tests/allow_url_fopen.html and
http://phpsec.org/projects/phpsecinfo/tests/allow_url_include.html).
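As an added example (not part of the original message, and not a tool from SNS), the following POSIX sh script wraps grep so that both searches above, the webshell indicator strings and the allow_url_fopen / allow_url_include references, can be run over a document root in one pass. The indicator strings are exactly the ones listed in the message; the sample web tree it builds for the demo run, including the files that carry the markers, is constructed here for illustration.

```shell
#!/bin/sh
# Added example: apply the r57shell/c99shell indicator strings from the
# advisory to a web directory tree, and separately list files that mention
# the allow_url_fopen / allow_url_include directives for review.

# Indicator strings for the r57shell and c99shell backdoors, as listed above.
WEBSHELL_INDICATORS='r57shell
RST/GHC
rst.void.ru
ghc.ru
c99shell
CCTeaM
ccteam.ru
tristram'

# php.ini directives whose mention in application code is worth reviewing.
URL_DIRECTIVES='allow_url_fopen
allow_url_include'

# grep_tree DIR PATTERNS: print (sorted) every regular file under DIR that
# contains at least one of the newline-separated fixed strings in PATTERNS.
# Matching is case-insensitive and literal (-F), so dots in hostnames are
# not treated as regex metacharacters.
grep_tree() {
    _dir=$1
    _patterns=$(mktemp)
    printf '%s\n' "$2" > "$_patterns"
    find "$_dir" -type f -exec grep -l -i -F -f "$_patterns" {} + 2>/dev/null | sort
    rm -f "$_patterns"
}

# scan_webroot DIR: files under DIR matching a known webshell indicator.
scan_webroot() { grep_tree "$1" "$WEBSHELL_INDICATORS"; }

# find_url_directive_usage DIR: files under DIR that mention allow_url_fopen
# or allow_url_include. These are places to review, not proof of a problem.
find_url_directive_usage() { grep_tree "$1" "$URL_DIRECTIVES"; }

# make_sample_tree: build a constructed web root with one clean script, two
# files carrying indicator strings, and one script touching allow_url_fopen.
# Prints the directory path so the caller can scan and then remove it.
make_sample_tree() {
    _root=$(mktemp -d)
    mkdir -p "$_root/uploads" "$_root/includes"
    printf '<?php echo "hello"; ?>\n' > "$_root/index.php"
    printf '<?php // c99shell v.1.0 (constructed marker)\n' > "$_root/uploads/img.php"
    printf '<?php // mirror: rst.void.ru (constructed marker)\n' > "$_root/includes/lib.php"
    printf '<?php ini_set("allow_url_fopen", "1");\n' > "$_root/config.php"
    printf '%s\n' "$_root"
}

# Demo run on the constructed tree; point scan_webroot at your real document
# root (e.g. /var/www) to use it for real.
demo_root=$(make_sample_tree)
echo "Possible webshells under $demo_root:"
scan_webroot "$demo_root"
echo "Files referencing allow_url_* directives:"
find_url_directive_usage "$demo_root"
rm -rf "$demo_root"
```

Because the match is a plain substring search, a generic word such as "tristram" can hit legitimate content; treat every listed file as something to open and inspect rather than as a confirmed backdoor, and keep the list of reviewed files so repeat scans only surface new hits.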

Yours,

John Ives

-- 
-------------------------------------------------------------------------
John Ives                                           Phone (510) 642-7773
System & Network Security                           Cell (510) 229-8676
University of California, Berkeley
-------------------------------------------------------------------------
Received on Tue Sep 04 2007 - 16:46:19 PDT