
possible security issue


PostAuthor: Ebony » Wed Nov 29, 2006 9:40 am

hey guys... I tried to send this as a pm to the DEV team cos I didn't want to create a mass panic. But it won't let me, so I'll post, and chances are it is already covered.

But has anyone heard of ... or is aware of an exploit called C99, and is integrmod protected against it?

basically what a person... (nasty little buggers should be squished like bugs) does is upload a shell exploit file via upload on your websites.. like if you have image upload available in galleries or avatar uploading... the shell file is disguised as a jpg,
like this using the browse feature:

C:c99.php%00.jpg

It is a null byte string terminator so by entering the null byte they can upload this file to your server which then gives them total and complete access to your server, even above public HTML which means they can delete server files and just basically destroy your whole site. Lots of sites have been hit by this and you wouldn't even know the file was on the server unless you looked for it.. the file is called c99.php and would be in the upload file.

I heard about it through a friend who told me to get the word out to all my friends to look for the file.

the worst thing is it took me ten mins to find the actual shell execute file as well

if the Devs want the actual file that is being uploaded into people's websites then can you guys pm me or something.
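An added example, not part of the original thread and not IntegraMOD or phpBB code: one way an upload handler can refuse the kind of file name described in the post above. The function name `safe_upload_name`, the allowlist, and the availability of PHP's fileinfo extension are assumptions.

```php
<?php
// Added example; names and the allowlist are assumptions, not IntegraMOD/phpBB code.
const ALLOWED_IMAGE_TYPES = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

// Return a server-generated name for an acceptable image upload, or null to reject.
// $clientName is the browser-supplied file name, $tmpPath the uploaded temp file.
function safe_upload_name(string $clientName, string $tmpPath): ?string
{
    // Percent-decode until stable so "%00" and "%2500" are judged by what they become.
    $name = $clientName;
    do {
        $prev = $name;
        $name = rawurldecode($name);
    } while ($name !== $prev);

    // A NUL or any other control byte in a file name is never legitimate.
    if (preg_match('/[\x00-\x1f\x7f]/', $name) === 1) {
        return null;
    }

    // Drop any client-side path, then allowlist the final extension.
    $base = basename(str_replace('\\', '/', $name));
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return null;
    }

    // The content must sniff as the type the extension claims.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED_IMAGE_TYPES[$ext]) {
        return null;
    }

    // Store under a random name: the client's string never reaches the filesystem.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample files: a harmless PHP script and a minimal GIF.
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($script, "<?php echo 'constructed sample'; ?>");
$image = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($image, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");

var_dump(safe_upload_name('c99.php%00.jpg', $script)); // the name pattern from the post
var_dump(safe_upload_name('avatar.jpg', $script));     // script content behind an image name
var_dump(safe_upload_name('avatar.gif', $image));      // a genuine image
```

Content sniffing can be satisfied by a file that begins with a valid image header, so the random name with an allowlisted extension, stored in a directory where script execution is disabled, is what keeps an upload from running as PHP.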

Re: possible security issue

PostAuthor: Helter » Wed Nov 29, 2006 2:36 pm

thx Ebony. I got your pm and forwarded it to Michaelo.

Re: possible security issue

PostAuthor: jwernerny » Thu Nov 30, 2006 5:44 am

There are lots of ways c99 can be put into your file structure. The security fixes that went in at the end of August patched all of the then-known holes in IntegraMod (or is it KisMod, or is it integrmod?). The other way it can get into your files is from another user explicitly moving it into a writable directory from another compromised account on the machine.

If you do a search on c99 in the forums, you can find other stuff about it.

- John

PostAuthor: computerz » Fri Dec 01, 2006 11:43 am

This past summer, I was hit with just about every remote file include (RFI) attack there is. This c99 is just one of many. The most definitive way I've found to stop these kinds of attacks is to install mod_security and set up filters appropriately. (if you have a shared server, you won't have this ability)

I had a dedicated server, so it was easy. Also having a dedicated server allowed me to have shell access where I could search my entire server for malicious files, as well as close any IRC connections... etc.

And by the way, simply deleting the file does nothing if the attacker already has a port open on your box. You would have to catch them at or soon after the time they upload, else they can stick similar files above your root in sub directories you would have no clue to look in, and thus have a permanent back door to your system.

This is what was happening to me daily... until I learned how to outsmart the attackers and figure out what they were doing, and eventually prevent them from attacking me period.