[SOLVED] Help from C99 shell Attack


pdent1

Create .htaccess on the root, and put

<Directory "public_html/site.com/uploadfolder">
php_admin_flag engine off
</Directory> 

in it, replacing uploadfolder with the upload folder.

As a note, I just ran some tests on

folder permission set to 750

LAMP - CENTOS 5.3 / PHP 5.2.8 / Apache-2.0.63 - exploit failed

WAMP - (wampserver) (WinXP / Apache-2.2.8 / PHP 5.2.6) (permissions don't apply) - exploited (no surprise here)

WAMP - (WinXP / Apache-2.2.11 / PHP Version 5.2.9) - exploit failed

I don't have IIS so can't test that

Well, now I have the php_admin_flag off on all uploaded folders. If a file is uploaded with .php in the filename, instead of replacing the .php string it just denies the whole file, plus the mime, so maybe I can make them work harder for what they want next time :D

# Apache HTTP Server: 2.2.6

# MySQL Database: 5.0.45

# PHP Processor: 5.2.4

 

I was banned from the server for "hacking", so I don't know if it actually WORKED for him; nothing was changed in my database or my pages. But when I re-uploaded my files to my new servers I ran it on myself and I got access.

Add a normal php file to that folder to test it (keep the .php on),

<?php
phpinfo();
?>

It is also worth mentioning that you should never trust MIME type checks, because the mime type can be spoofed. Meaning that you can upload a .php file with a mime type 'image/jpeg', for example. The best bet would probably be to rely on a file extension check.

It takes more to spoof mime than to change an extension, and what about the poor Macintosh users?

 

IMHO: mime is better than extensions

but I normally opt for 1 check mime, if that fails check extension,

then I add *some code to verify it is what it is, and then

put the renamed files in a safe zone; that should kill off most attacks

*this can take up a lot of resources, but can probably be skipped if the other measures are followed

I thought I would try this out, but unfortunately my php ver is < 5.3.0 so I get

Call to undefined function finfo_open()

 

mime_content_type() seems unreliable, (getting text/plain for png and zip files...)

 

Is there an alternative?

 

MIME type checks are fine, but you should figure out the MIME type yourself and not rely on the MIME type you're given by the client.

 

http://php.net/fileinfo
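Added example, not part of the original posts: one way to apply the advice in this thread on a PHP build without finfo, by working out the type from the file's own leading bytes, denying anything not on an allow-list, and storing the file under a name the server chooses. The form field name `upload`, the storage path and the function names are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. The client-supplied MIME type
// ($_FILES[...]['type']) and the client-supplied filename are never used.

// Allow-list: detected type => extension assigned by the server.
$ALLOWED = array('image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif');

// Identify the file from its signature bytes; returns false if unknown.
function sniff_type($path)
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $head = fread($fh, 8);
    fclose($fh);
    if ($head === false) return false;
    if (strncmp($head, "\x89PNG\r\n\x1a\n", 8) === 0) return 'image/png';
    if (strncmp($head, "\xFF\xD8\xFF", 3) === 0)      return 'image/jpeg';
    if (strncmp($head, 'GIF87a', 6) === 0
        || strncmp($head, 'GIF89a', 6) === 0)         return 'image/gif';
    return false;
}

// Returns the stored filename, or false if the upload is rejected.
function store_upload($file, $destDir, $allowed)
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    $type = sniff_type($file['tmp_name']);
    if ($type === false || !isset($allowed[$type])) {
        return false;                  // deny the whole file
    }
    // A valid header does not prove the rest of the file is harmless, so the
    // name comes from the content hash and the extension from the detected
    // type; the destination should be a folder where the PHP engine is off.
    $name = sha1_file($file['tmp_name']) . '.' . $allowed[$type];
    $dest = rtrim($destDir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $name : false;
}

if (isset($_FILES['upload'])) {        // hypothetical form field name
    $saved = store_upload($_FILES['upload'], '/path/to/uploads', $ALLOWED);
    echo $saved === false ? 'Upload rejected' : 'Stored as ' . $saved;
}
```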

Archived

This topic is now archived and is closed to further replies.
