possible security issue

PostPosted: Wed Nov 29, 2006 9:40 am
Author: Ebony
Hey guys... I tried to send this as a PM to the dev team because I didn't want to create a mass panic. But it won't let me, so I'm posting here, and chances are it is already covered.

But has anyone heard of... or is aware of an exploit called C99, and is IntegraMod protected against it?

Basically, what a person... (nasty little buggers should be squished like bugs) does is upload a shell exploit file via an upload on your website, like if you have image upload available in galleries or avatar uploading. The shell file is disguised as a jpg,
like this, using the browse feature:

C:c99.php%00.jpg

It is a null byte string terminator, so by entering the null byte they can upload this file to your server, which then gives them total and complete access to your server, even above public HTML, which means they can delete server files and just basically destroy your whole site. Lots of sites have been hit by this, and you wouldn't even know the file was on the server unless you looked for it. The file is called c99.php and would be in the upload file.

I heard about it through a friend who told me to get the word out to all my friends to look for the file.

The worst thing is it took me ten minutes to find the actual shell execute file as well.

If the devs want the actual file that is being uploaded onto people's websites, then can you guys PM me or something?
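The null byte trick Ebony describes, shown from the defender's side as an added example (not code from this thread or from IntegraMod): a naive extension check that the `c99.php%00.jpg` name passes, beside a hardened upload check that rejects control characters, ignores the client's name and types the file by its bytes. The filenames and file bytes are constructed; the PHP stand-in is only a marker, not a shell.

```python
import os
import re
import secrets
from typing import Optional

# JPEG/PNG/GIF signatures: the content decides the type, never the client's filename.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Constructed inputs modelled on the thread's example; "%00" in a form field decodes to a NUL.
NUL_TRICK = "c99.php\x00.jpg"
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 12       # constructed JPEG header
PHP_BYTES = b"<?php /* constructed stand-in for a web shell */ ?>"

def name_seen_by_c(filename: str) -> str:
    """What a NUL-terminated C string API (which older PHP file functions sat on)
    actually uses: everything after the first NUL is silently dropped."""
    return filename.split("\x00", 1)[0]

def naive_check(filename: str) -> bool:
    """Vulnerable pattern: trusts the client's name and only inspects its tail.
    "c99.php\\x00.jpg" ends in ".jpg", so it passes; the file lands as c99.php."""
    return filename.lower().endswith((".jpg", ".jpeg", ".png", ".gif"))

def hardened_check(filename: str, content: bytes) -> Optional[str]:
    """Return a server-chosen name to store the upload under, or None to reject it."""
    # 1. Any control character, NUL included, in a filename is never legitimate.
    if re.search(r"[\x00-\x1f\x7f]", filename):
        return None
    # 2. Only a bare basename is acceptable; path separators and ".." are rejected.
    if filename != os.path.basename(filename) or filename in ("", ".", ".."):
        return None
    # 3. Derive the extension from the bytes, so a PHP file can never become ".jpg".
    ext = next((e for sig, e in MAGIC.items() if content.startswith(sig)), None)
    if ext is None:
        return None
    # 4. Nothing the client typed reaches the filesystem: random name, known extension.
    return f"{secrets.token_hex(16)}.{ext}"

if __name__ == "__main__":
    print("naive check accepts:", naive_check(NUL_TRICK))          # True
    print("name the filesystem sees:", name_seen_by_c(NUL_TRICK))  # c99.php
    print("hardened check:", hardened_check(NUL_TRICK, PHP_BYTES))  # None
    print("legit upload stored as:", hardened_check("holiday.jpg", JPEG_BYTES))
```

Searching the upload directory for files that are not images by magic bytes, or whose names contain `.php`, catches what the naive check let through.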

Re: possible security issue

PostPosted: Wed Nov 29, 2006 2:36 pm
Author: Helter
Thanks Ebony. I got your PM and forwarded it to Michaelo.

Re: possible security issue

PostPosted: Thu Nov 30, 2006 5:44 am
Author: jwernerny
There are lots of ways c99 can be put into your file structure. The security fixes that went in at the end of August patched all of the then-known holes in IntegraMod (or is it KisMod, or is it integrmod?). The other way it can get into your files is from another user explicitly moving it into a writable directory from another compromised account on the machine.

If you do a search on c99 in the forums, you can find other stuff about it.

- John

PostPosted: Fri Dec 01, 2006 11:43 am
Author: computerz
This past summer, I was hit with just about every remote file include (RFI) attack there is. This c99 is just one of many. The most definitive way I've found to stop these kinds of attacks is to install mod_security and set up filters appropriately. (If you have a shared server, you won't have this ability.)

I had a dedicated server, so it was easy. Also, having a dedicated server allowed me to have shell access, where I could search my entire server for malicious files, as well as close any IRC connections, etc.

And by the way, simply deleting the file does nothing if the attacker already has a port open on your box. You would have to catch them at or soon after the time they upload; otherwise they can stick similar files above your root in subdirectories you would have no clue to look in, and thus have a permanent back door to your system.

This is what was happening to me daily... until I learned how to outsmart the attackers and figure out what they were doing, and eventually prevent them from attacking me, period.