Monday, July 21, 2008

c99MadShell tool on the loose

Quick! Pop "c99madshell" into Google.
You'll get a TON of results, odds are the first one you'll hit is this one: http://lectures.princeton.edu/?cat=17, so I'll give you a quick hint as to what you're looking at.
As people wake to find their web-servers hacked up, this little gem is repeatedly there and found to be running in place of the expected web pages... interesting! So you may ask - what exactly is c99madshell?

Apparently this gem is being used to hack into WordPress blogs and inject pages upon pages of SPAM which then becomes indexed or simply pointed to for mass-mail spam. Interesting!

Reading along, I found a post that a person wrote up which describes the attack in some detail, here. A great write-up - but it still doesn't quite explain the vulnerability which led to the injection of the trojan code. Digging a little deeper I found a post on Derek Fountain's blog which very nicely details the attack with some of the code behind c99MadShell analyzed. To quote Derek... "You have to remember as you read this that PHP is a full featured scripting language which provides access to files, sockets, databases and all other system level resources." Right on. So making use of this little gem requires two things: first, you have to be able to upload a file to where you can call it with a browser; second, your target has to have PHP installed and working. After that, you're relying on lax directory permissions and common poor configuration to make things fun.

Derek's write-up gives a resounding "configure your servers correctly" echo... much like we've all heard forever now - but with a slight twist. Let's outline some things that can protect you from attack scripts like this taking over your box and making nasties run all over your system:
  1. Don't allow arbitrary file uploads (hello, McFly?)
  2. Run your web-server process as "nobody" or some other unprivileged user
  3. Run PHP in SAFE MODE if using PHP version <6.0.0!
  4. Ensure proper file and directory permissions (rwx)
There you have it, c99madshell is being used all over the place, and it's really not all that sophisticated of an attack (the script is pure genius though...). Simply upload a file, point a browser to it, and pwn a box.
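A defender's filesystem audit covering three of the four points above (PHP files sitting in upload directories, world-writable paths, and the c99madshell marker string the post names), written as an added example rather than code from this post or from Derek's write-up; the upload-directory names, the marker strings and the constructed sample tree in demo() are assumptions.

```python
"""Walk a web root and report the conditions an attacker needs for a c99madshell
drop: PHP in upload directories, world-writable paths, and the marker string."""
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

# Marker strings named in the post; a real signature set would be larger (assumption).
SHELL_MARKERS = (b"c99madshell", b"c99shell")
# Directory names treated as upload locations (assumption; adjust per site).
UPLOAD_DIR_NAMES = {"uploads", "upload", "files"}
PHP_SUFFIXES = {".php", ".phtml", ".php5"}


def is_world_writable(path: Path) -> bool:
    """True when the 'other' write bit is set (lax permissions, point 4)."""
    return bool(path.lstat().st_mode & stat.S_IWOTH)


def has_shell_marker(path: Path, max_bytes: int = 1_000_000) -> bool:
    """Scan the first max_bytes of a file for any marker string."""
    try:
        with open(path, "rb") as fh:
            return any(m in fh.read(max_bytes).lower() for m in SHELL_MARKERS)
    except OSError:
        return False


def audit_webroot(root) -> List[Tuple[str, str]]:
    """Return sorted (finding, path relative to root) pairs."""
    root, findings = Path(root), []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        rel_dir = d.relative_to(root)
        in_upload_dir = any(p in UPLOAD_DIR_NAMES for p in rel_dir.parts)
        if is_world_writable(d):
            findings.append(("world-writable directory", rel_dir.as_posix()))
        for name in filenames:
            f = d / name
            rel = f.relative_to(root).as_posix()
            if is_world_writable(f):
                findings.append(("world-writable file", rel))
            if in_upload_dir and f.suffix.lower() in PHP_SUFFIXES:
                findings.append(("php file in upload directory", rel))
            if has_shell_marker(f):
                findings.append(("c99madshell marker", rel))
    return sorted(findings)


def demo() -> List[Tuple[str, str]]:
    """Constructed sample tree: a clean index.php, an image, and a dropped shell."""
    tmp = Path(tempfile.mkdtemp())
    up = tmp / "wp-content" / "uploads"
    up.mkdir(parents=True)
    os.chmod(tmp / "wp-content", 0o755)
    os.chmod(up, 0o777)  # the lax permission the post warns about
    for rel, data in (("index.php", b"<?php echo 'hello'; ?>"),
                      ("wp-content/uploads/image.jpg", b"\xff\xd8\xff"),
                      ("wp-content/uploads/x.php", b"<?php /* c99madshell */ ?>")):
        (tmp / rel).write_bytes(data)
        os.chmod(tmp / rel, 0o644)
    return audit_webroot(tmp)
```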

1 comment:

leekelleher said...

Thanks for the link to my blog post.

The security vulnerability was a hole in WordPress 2.2 (which I was still running at the time of the attack).

There is more information here:
http://trac.wordpress.org/ticket/4357#comment:5
