darklord1

Well-Known Member
Jul 8, 2006
58
0
156
cPanel Access Level
Root Administrator
I know this has been out for quite a while, curious if anyone knows of a working patch to kill this exploit.

it has a lot of functions and not sure how it works, I will be continuing to work on it to see if I cant patch it manually.
 

oulzac

Well-Known Member
Aug 7, 2005
131
0
166
as far as I know, mod_sec will not do anything for a php shell script.

the best way to stop a php shell script is to turn off in php.ini - shell_exec, passthru and system and DL.
 

ilihost

Member
Jul 28, 2007
10
0
51
cPanel Access Level
Root Administrator
I have looked into the script and then disabled functions shell_exec,exec,system,passthru,popen.

Also, very important, you have to enable php open_basedir protection.

With these changes, script only should be used to upload files.

Delete all c99shell in your /home/* dir:

Use grep -r -H -c --files-with-matches "c99shell" *
to find them. It will find many (not encoded versions) occurrences. Delete them.

Set allow_url_fopen to Off in PHP Configuration Editor Advanced. That's the principal way how the worm is uploaded to the server.
 

Infopro

Well-Known Member
May 20, 2003
17,113
507
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter

S-Combs

Well-Known Member
Jun 10, 2004
78
0
156
as infopro mentioned above, rootkits.conf from gotroot is highly recommended to help prevent these shells


In addition to rootkits I also run these from gotroot

jitp.conf
recons.conf
useragents.conf
proxy.conf


This can prevent some dangerous things these shells do
Code:
SecFilterSelective POST_PAYLOAD|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"
If you have Joomla sites on the box, this one will prevent many remote shell and deface script includes
Code:
SecFilter "mosConfig_"