C99shell exploit

darklord1 · Aug 28, 2006

I know this has been out for quite a while, curious if anyone knows of a working patch to kill this exploit.

it has a lot of functions and not sure how it works, I will be continuing to work on it to see if I cant patch it manually.

Bulent Tekcan · Aug 29, 2006

Use a mod security rules from http://www.gotroot.com/

Cheers

oulzac · Aug 29, 2006

as far as I know, mod_sec will not do anything for a php shell script.

the best way to stop a php shell script is to turn off in php.ini - shell_exec, passthru and system and DL.

ilihost · Sep 16, 2007

I have looked into the script and then disabled functions shell_exec,exec,system,passthru,popen.

Also, very important, you have to enable php open_basedir protection.

With these changes, script only should be used to upload files.

Delete all c99shell in your /home/* dir:

Use grep -r -H -c --files-with-matches "c99shell" *
to find them. It will find many (not encoded versions) occurrences. Delete them.

Set allow_url_fopen to Off in PHP Configuration Editor Advanced. That's the principal way how the worm is uploaded to the server.

Infopro · Sep 16, 2007

Bulent Tekcan said:
Use a mod security rules from http://www.gotroot.com/

Cheers

Yep. rootkits.conf can help block this type of thing to some extent. One such example:

SecFilterSelective REQUEST_URI "/c99shell\.txt"
SecFilterSelective REQUEST_URI "/c99\.txt\?"

http://www.gotroot.com/downloads/ftp/modsecurity/rootkits.conf

http://www.gotroot.com

S-Combs · Sep 16, 2007

as infopro mentioned above, rootkits.conf from gotroot is highly recommended to help prevent these shells

In addition to rootkits I also run these from gotroot

jitp.conf
recons.conf
useragents.conf
proxy.conf

This can prevent some dangerous things these shells do

Code:

SecFilterSelective POST_PAYLOAD|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"

If you have Joomla sites on the box, this one will prevent many remote shell and deface script includes

Code:

SecFilter "mosConfig_"

Thread starter	Similar threads	Forum	Replies	Date
A	Run ConfigServer eXploit Scanner CXS inside CloudLinux LVE	Security	3	Apr 27, 2020
D	apache user submitting file /tmp (exploit)	Security	13	Feb 12, 2020
R	Looking for an exploited site	Security	2	Mar 26, 2019
A	c99shell - /etc/passwd	Security	5	Apr 29, 2013
D	mod_security && c99shell anyone help please ?	Security	6	Jun 5, 2007

Search

Search

C99shell exploit

darklord1

Well-Known Member

Bulent Tekcan

Well-Known Member

oulzac

Well-Known Member

ilihost

Member

Infopro

Well-Known Member

S-Combs

Well-Known Member