The Community Forums

Interact with an entire community of cPanel & WHM users!

C99shell exploit

Discussion in 'General Discussion' started by darklord1, Aug 28, 2006.

  1. darklord1

    darklord1 Well-Known Member

    Joined:
    Jul 8, 2006
    Messages:
    52
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    I know this has been out for quite a while; curious if anyone knows of a working patch to kill this exploit.

    It has a lot of functions and I'm not sure how it works. I will be continuing to work on it to see if I can't patch it manually.
     
  2. Bulent Tekcan

    Bulent Tekcan Well-Known Member

    Joined:
    May 11, 2004
    Messages:
    177
    Likes Received:
    0
    Trophy Points:
    16
  3. oulzac

    oulzac Well-Known Member

    Joined:
    Aug 7, 2005
    Messages:
    131
    Likes Received:
    0
    Trophy Points:
    16
    As far as I know, mod_sec will not do anything for a PHP shell script.

    The best way to stop a PHP shell script is to turn off in php.ini: shell_exec, passthru, system and dl.
     
  4. ilihost

    ilihost Member

    Joined:
    Jul 28, 2007
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I have looked into the script and then disabled the functions shell_exec, exec, system, passthru and popen.

    Also, very important, you have to enable PHP open_basedir protection.

    With these changes, the script can only be used to upload files.

    Delete all c99shell files in your /home/* dir. Use
    Code:
    grep -r -H -c --files-with-matches "c99shell" *
    to find them. It will find many (non-encoded) occurrences. Delete them.

    Set allow_url_fopen to Off in PHP Configuration Editor > Advanced. That's the principal way the worm is uploaded to the server.
     
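An added example, not posted by anyone in this thread: a small POSIX sh audit that checks a php.ini for the hardening items recommended above (disable_functions, allow_url_fopen, open_basedir) and lists files carrying the plain-text "c99shell" marker. The two ini files and the PHP files it scans are constructed samples written to a temp directory.

```shell
#!/bin/sh
# Added example: audit php.ini hardening and locate plain-text c99shell copies.
# Assumes POSIX sh with grep, sed, tr and mktemp; all inputs are constructed.

# Return 0 when every hardening item is present, 1 otherwise; report gaps.
check_php_ini() {
    ini="$1"; rc=0
    disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$ini")
    for fn in shell_exec exec system passthru popen; do
        case ",$(printf '%s' "$disabled" | tr -d ' ')," in
            *",$fn,"*) ;;
            *) echo "MISSING: $fn not in disable_functions"; rc=1 ;;
        esac
    done
    grep -Eiq '^[[:space:]]*allow_url_fopen[[:space:]]*=[[:space:]]*(off|0)' "$ini" \
        || { echo "MISSING: allow_url_fopen should be Off"; rc=1; }
    grep -Eq '^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*[^[:space:]]' "$ini" \
        || { echo "MISSING: open_basedir is not set"; rc=1; }
    return $rc
}

# Print every file under a directory containing the literal "c99shell" marker
# (only unencoded copies, as the post notes; encoded ones need other checks).
find_c99_files() {
    grep -rl -- 'c99shell' "$1" 2>/dev/null
}

# Constructed sample data so the script runs offline.
WORK=$(mktemp -d)
cat > "$WORK/weak.ini" <<'EOF'
disable_functions = exec
allow_url_fopen = On
EOF
cat > "$WORK/hard.ini" <<'EOF'
disable_functions = shell_exec, exec, system, passthru, popen
allow_url_fopen = Off
open_basedir = /home/:/tmp/
EOF
mkdir -p "$WORK/home/site/public_html"
printf '<?php // c99shell marker in a constructed sample file\n' > "$WORK/home/site/public_html/x.php"
printf '<?php echo "clean";\n' > "$WORK/home/site/public_html/index.php"

check_php_ini "$WORK/weak.ini" && echo "weak.ini: OK" || echo "weak.ini: gaps found"
check_php_ini "$WORK/hard.ini" && echo "hard.ini: OK" || echo "hard.ini: gaps found"
find_c99_files "$WORK/home"
```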
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,448
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
  6. S-Combs

    S-Combs Well-Known Member

    Joined:
    Jun 10, 2004
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    6
    As Infopro mentioned above, rootkits.conf from gotroot is highly recommended to help prevent these shells.

    In addition to rootkits.conf I also run these from gotroot:

    jitp.conf
    recons.conf
    useragents.conf
    proxy.conf

    This can prevent some dangerous things these shells do:
    Code:
    SecFilterSelective POST_PAYLOAD|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"
    If you have Joomla sites on the box, this one will prevent many remote shell and deface script includes:
    Code:
    SecFilter "mosConfig_"
     
