
IMPORTANT More UpLoad hacks

by Reini Urban


Via the Phpwiki 1.3.x UpLoad feature some hackers from Russia upload a
php3 or php4 file,
install a backdoor at port 8081 and have access to your whole disc and
take over the server.

See http://ccteam.ru/releases/c99shell

The uploaded file has a php, php3 or php4 extension and looks like a
gif to the mime magic.
So Apache usually accepts it.

To fix this issue at first move the lib/plugin/UpLoad.php file out of
this directory.

You can fix it by adding those two lines to your list of disallowed extensions:

php3
php4

Currently only php is disallowed.
--
Reini Urban
http://phpwiki.org/              http://murbreak.at/
http://spacemovie.mur.at/   http://helsinki.at/

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Phpwiki-talk mailing list
Phpwiki-talk@...
https://lists.sourceforge.net/lists/listinfo/phpwiki-talk

Re: IMPORTANT More UpLoad hacks

by Sabri LABBENE


Reini Urban wrote:
>Via the Phpwiki 1.3.x UpLoad feature some hackers from Russia upload a
>php3 or php4 file,
>install a backdoor at port 8081 and have access to your whole
>disc and take over the server.
>
>See http://ccteam.ru/releases/c99shell

I think that the URL is wrong.

>The uploaded file has a php, php3 or php4 extension and looks
>like a gif to the mime magic.
>So Apache usually accepts it.
>
>To fix this issue at first move the lib/plugin/UpLoad.php file
>out of this directory.
>
>You can fix it by adding those two lines to your list of
>disallowed extensions:
>
>php3
>php4
>
>Currently only php is disallowed.

Regards,
-- Sabri.



Re: IMPORTANT More UpLoad hacks

by Reini Urban


2007/4/12, Sabri LABBENE <sabri.labbene@...>:
> Reini Urban wrote:
> >Via the Phpwiki 1.3.x UpLoad feature some hackers from Russia upload a
> >php3 or php4 file,
> >install a backdoor at port 8081 and have access to your whole
> >disc and take over the server.
> >
> >See http://ccteam.ru/releases/c99shell
>
> I think that the URL is wrong.

This URL obviously worked in 2006. Now it is gone.

I submitted a critical security alert to CERT and it will be in the
CVE reports of mitre.org also then (hopefully).
--
Reini Urban
http://phpwiki.org/              http://murbreak.at/
http://spacemovie.mur.at/   http://helsinki.at/


Re: IMPORTANT More UpLoad hacks

by Harold Hallikainen

> 2007/4/12, Sabri LABBENE <sabri.labbene@...>:
>> Reini Urban wrote:
>> >Via the Phpwiki 1.3.x UpLoad feature some hackers from Russia upload a
>> >php3 or php4 file,
>> >install a backdoor at port 8081 and have access to your whole
>> >disc and take over the server.
>> >
>> >See http://ccteam.ru/releases/c99shell
>>
>> I think that the URL is wrong.
>
> This URL obviously worked in 2006. Now it is gone.
>
> I submitted a critical security alert to CERT and it will be in the
> CVE reports of mitre.org also then (hopefully).
> --
> Reini Urban
> http://phpwiki.org/              http://murbreak.at/
> http://spacemovie.mur.at/   http://helsinki.at/
>
As the one who was attacked, I can give you the IP addresses of the
attackers. Second, instead of disallowed extensions, I think it would be
much safer to have a list of ALLOWED extensions. I see this as a todo in
the upload plugin.

I have set my upload directory as read only and require users to now email
me stuff to post.

As to how much was visible to the hackers (and I have the code for their
script), it SEEMS that it would only be what user apache could see, which
would be stuff it owns and stuff that is world readable. Is that correct?

THANKS!

Harold

--
FCC Rules Updated Daily at http://www.hallikainen.com - Advertising
opportunities available!


Re: IMPORTANT More UpLoad hacks

by Reini Urban


2007/4/12, Harold Hallikainen <harold@...>:

> > 2007/4/12, Sabri LABBENE <sabri.labbene@...>:
> >> Reini Urban wrote:
> >> >Via the Phpwiki 1.3.x UpLoad feature some hackers from Russia upload a
> >> >php3 or php4 file,
> >> >install a backdoor at port 8081 and have access to your whole
> >> >disc and take over the server.
> >> >
> >> >See http://ccteam.ru/releases/c99shell
> >>
> >> I think that the URL is wrong.
> >
> > This URL obviously worked in 2006. Now it is gone.
> >
> > I submitted a critical security alert to CERT and it will be in the
> > CVE reports of mitre.org also then (hopefully).
>
> As the one who was attacked, I can give you the IP addresses of the
> attackers. Second, instead of disallowed extensions, I think it would be
> much safer to have a list of ALLOWED extensions. I see this as a todo in
> the upload plugin.

Hm, I will think about it. Other opinions?

> I have set my upload directory as read only and require users to now email
> me stuff to post.
>
> As to how much was visible to the hackers (and I have the code for their
> script), it SEEMS that it would only be what user apache could see, which
> would be stuff it owns and stuff that is world readable. Is that correct?

Well, not really. The c99shell script tries in various ways to get more access.
At first it compiles and installs a backdoor at port 8081 and then
with shell access it's normally quite easy for an experienced hacker
to get root.

--
Reini Urban
http://phpwiki.org/              http://murbreak.at/
http://spacemovie.mur.at/   http://helsinki.at/


Re: IMPORTANT More UpLoad hacks

by Harold Hallikainen

> 2007/4/12, Harold Hallikainen <harold@...>:
>> > 2007/4/12, Sabri LABBENE <sabri.labbene@...>:
>> >> Reini Urban wrote:
>> >> >Via the Phpwiki 1.3.x UpLoad feature some hackers from Russia upload a
>> >> >php3 or php4 file,
>> >> >install a backdoor at port 8081 and have access to your whole
>> >> >disc and take over the server.
>> >> >
>> >> >See http://ccteam.ru/releases/c99shell
>> >>
>> >> I think that the URL is wrong.
>> >
>> > This URL obviously worked in 2006. Now it is gone.
>> >
>> > I submitted a critical security alert to CERT and it will be in the
>> > CVE reports of mitre.org also then (hopefully).
>>
>> As the one who was attacked, I can give you the IP addresses of the
>> attackers. Second, instead of disallowed extensions, I think it would be
>> much safer to have a list of ALLOWED extensions. I see this as a todo in
>> the upload plugin.
>
> Hm, I will think about it. Other opinions?
>
>> I have set my upload directory as read only and require users to now email
>> me stuff to post.
>>
>> As to how much was visible to the hackers (and I have the code for their
>> script), it SEEMS that it would only be what user apache could see, which
>> would be stuff it owns and stuff that is world readable. Is that correct?
>
> Well, not really. The c99shell script tries in various ways to get more access.
> At first it compiles and installs a backdoor at port 8081 and then
> with shell access it's normally quite easy for an experienced hacker
> to get root.
>
> --
> Reini Urban
THANKS for the support on this issue! I did an updatedb, then did locate
c99. The only stuff that comes up is this:

/usr/include/boost/numeric/interval/detail/c99sub_rounding_control.hpp
/usr/include/boost/numeric/interval/detail/c99_rounding_control.hpp
/usr/share/man/man1p/c99.1p.gz
/usr/bin/c99


In addition, port 8081 is blocked at the router (for incoming requests).
So, I'm hoping I'm ok!

I really think an approved filetype list for uploads would be nice. It
seems a lot easier than trying to anticipate everything bad that someone
will try.

THANKS for the support on this!

Harold

--
FCC Rules Updated Daily at http://www.hallikainen.com - Advertising
opportunities available!

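As an added example for this thread (it is not code from PhpWiki's lib/plugin/UpLoad.php), the PHP below contrasts Reini's fix, extending the disallowed-extension list with php3 and php4, with the allowlist of permitted extensions that Harold asks for. Both lists, the helper names and the sample filenames are constructed for the example; the allowlist would be trimmed to whatever a given wiki actually needs.

```php
<?php
// Added example, not PhpWiki's own upload plugin code.
// Contrasts a denylist of extensions (the thread's fix) with an allowlist
// (Harold's suggestion) for deciding whether an uploaded filename is acceptable.

// The thread's denylist after the fix: php, php3 and php4 (constructed here).
const DISALLOWED_EXTENSIONS = ['php', 'php3', 'php4'];

// A constructed allowlist: only the types this wiki is known to need.
const ALLOWED_EXTENSIONS = ['gif', 'jpg', 'jpeg', 'png', 'txt', 'pdf'];

/**
 * Returns the single, lower-cased extension of a filename, or null when the
 * name has no extension, an empty base name, or more than one extension
 * (e.g. "c99shell.php3.gif"). Names with several extensions are not safely
 * classifiable, because a web server may map a handler to any of them,
 * so they are treated as having no acceptable extension at all.
 */
function single_extension(string $name): ?string
{
    $base  = basename($name);          // drop any directory component
    $parts = explode('.', $base);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;
    }
    return strtolower($parts[1]);      // "C99SHELL.PHP4" == "c99shell.php4"
}

/** Denylist check: accept anything not explicitly forbidden. */
function denylist_accepts(string $name): bool
{
    $ext = single_extension($name);
    return $ext !== null && !in_array($ext, DISALLOWED_EXTENSIONS, true);
}

/** Allowlist check: accept only what is explicitly permitted. */
function allowlist_accepts(string $name): bool
{
    $ext = single_extension($name);
    return $ext !== null && in_array($ext, ALLOWED_EXTENSIONS, true);
}

// Constructed sample filenames, including the case from the thread.
$samples = [
    'diagram.png',        // harmless image
    'c99shell.php3',      // the extension the fix adds to the denylist
    'C99SHELL.PHP4',      // same, upper case
    'c99shell.php3.gif',  // two extensions
    'notes.php5',         // an extension the denylist never anticipated
    '.htaccess',          // no real extension
];

printf("%-22s %-9s %s\n", 'filename', 'denylist', 'allowlist');
foreach ($samples as $name) {
    printf("%-22s %-9s %s\n", $name,
        denylist_accepts($name) ? 'accept' : 'reject',
        allowlist_accepts($name) ? 'accept' : 'reject');
}
```

Run with `php upload_check.php`. The two approaches agree on every sample except `notes.php5`: the denylist accepts it because nobody added that extension to the list, while the allowlist rejects it without anyone having to anticipate it. That is the practical difference Harold points to: a denylist has to track every extension the server's handler configuration might execute, an allowlist only has to name the few types the wiki serves. Whichever check is used, the upload directory itself should additionally be configured so the web server never hands its files to a PHP handler, so that a mistake in the filename check cannot by itself turn an upload into executable code.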