Full Version: c99madshell Hack (Fix Included)
The Planet Forums > System Administration > Web Hosting
markcausa
Well guys, there is a new hack in town (well, kind of new.) It's called c99madshell.php. It's so bad that we had to do a bare-metal restore on one of our boxes today. Needless to say, this is the worst hack I've ever come across. This is not a repost - not a chain email. This is for real. It cost me a lot of time and money, and hopefully this post will save you exactly that.


The Hack
1) They use a forum or blog installation that allows members to upload attachments, to upload their script
2) They access the script via a web browser and have full access to your server.
3) They are now able to kill processes, delete/create files, murder your databases and best of all, open a port on your server to another server (no way to find out the location) which will control your server to send out spam viruses.


The Risks (Somewhat Shocking)
I caught this script while still on the infected box and played around with it a bit. Some of the (freaky) capabilities include full control of the machine!
- Ability to see, edit or delete any file in the hacked user's account
- If the user has unjailed shell access, ability to see, edit or delete any file on the server
- Ability to completely obliterate or damage any database within the hacked user
- Ability to run Brute Force attacks against any other server
- A self-destruct function that would destroy the script itself (not suspicious at all, right?)


Details About The Hack
http://www.derekfountain.org/security_c99madshell.php (has great screenshots)


The Solutions
Prevention:
- Simply edit these lines in your php.ini file
CODE
allow_url_fopen = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
Source: http://www.devside.net/blog/smf-exploit-like-phpbb-hack
- Make sure your users don't allow .php files to be upload through their forums and blog software in the first place!

Detection (in SSH as a super-user):
CODE
# updatedb (to rebuild your file database for the next step)
# locate c99madshell.php

Delete any files the above comes up with. Keep in mind this will only help if the hacker was dumb enough to keep the file under its default name - our hacker did exactly that, so we were lucky.


The Script Itself:
CODE
<?PHP
             //Authentication
$login = ""; //Login
$pass = "";  //Pass
$md5_pass = ""; //If no pass then hash
eval(gzinflate(base64_decode('A huge hash goes here, which when decoded has the server call a txt file on a remote server - Following the above instructions will not let your server do so.')));
?>



Special Thanks/Credit
Johnny Flores from The Planet support hung in there for nearly two hours while we worked together (mostly his work) to find out what was going on and reach a fix. I've had the pleasure of dealing with him twice and have determined he is a great technician: 10/10!


Fake? What are you - Ignorant..?
Some people have Private Messaged me thinking this is a farce. If you agree, you are not a responsible sysadmin and will believe me when you are hacked with this brilliant/nasty script. smile.gif


About Me (I totally earned this shameless plug)
My name is Mark Mutti. I am the proud owner of 5 year old PhireFast.com. PhireFast has leased servers from The Planet for about three years, currently leasing Quad Core cPanel servers with Hourly Offsite Backups. PhireFast boasts 100% server uptime as guaranteed in our SLA. We were able to handle this potentially catastrophic situation to the point where none of our clients were affected. With that said, if you're looking for a web host that'll put a smile on your face and make you feel all tingly inside, check out PhireFast.com!



Happy hosting! I suggest mod'ing your php.ini file now, before they get you too. ohmy.gif

KennyM
You MUST be new to web hosting. That is a simple PHP shell. There are literally hundreds of different shells out there. If you don't already know what webshells are, you probably shouldn't be doing web hosting.
It took you hours to get that fixed? That is really sad. It should be a 15 minute fix at most.
panicatthewebserver
Nice one. I'd been running into this problem with our own servers over the last couple of weeks. Your post helped me clean up the mess. Took me a while to figure out how the heck they were still 'getting in' after patching everything.

Google around for the infected files symptomatic of this attack; there's a ton of websites currently hacked with c99madshell. The more people that become aware of this issue, the better.
panicatthewebserver
As an addendum to my last post, here's an example of the content injection we were seeing on our index pages:

<u style="display:none">
<strong><a href="{url removed}">free sex</a></strong>
<strong><a href="{url removed}">world sex</a></strong>
<strong><a href="{url removed}">sex story</a></strong>
<strong><a href="{url removed}">teen sex</a></strong>
...
</u>
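As an added example (not code from the thread or from any of the posters), here is a Python scanner that automates the two kinds of detection described above: it looks for the eval(gzinflate(base64_decode(...))) loader inside file contents regardless of file name (since `locate c99madshell.php` only finds a shell the attacker left under its default name), flags PHP-executable files sitting under attachment/upload directories, and reports hidden display:none blocks stuffed with links like the injection panicatthewebserver posted. The directory layout, file names, the base64 blob and the spam URLs are all constructed for the example; the extension list and upload directory names are assumptions to adjust to the server in question.

```python
import os
import re
import tempfile

# Extensions the web server would hand to the PHP interpreter (assumed typical
# mod_php configuration; check AddHandler/AddType on the box in question).
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
# Directory names forum/blog software typically uses for member uploads (assumption).
UPLOAD_DIR_NAMES = {"attachments", "uploads", "upload", "files"}

WEBSHELL_PATTERNS = [
    # eval() fed by a decoder: the loader shape shown in the thread's script listing
    ("obfuscated eval loader",
     re.compile(rb"eval\s*\(\s*(gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", re.I)),
    # the shell's own name, in case the attacker kept the stock banner
    ("c99madshell string", re.compile(rb"c99madshell", re.I)),
]
# <u style="display:none"> ... </u> (also div/span/p) hiding a block of links
HIDDEN_BLOCK = re.compile(
    rb"<(u|div|span|p)\b[^>]*style\s*=\s*[\"'][^\"']*display\s*:\s*none[^\"']*[\"'][^>]*>(.*?)</\1\s*>",
    re.I | re.S,
)
ANCHOR = re.compile(rb"<a\b[^>]*href", re.I)
MIN_HIDDEN_LINKS = 3  # fewer than this is more likely a legitimate collapsed element


def scan_file(path, docroot):
    """Return [(relative_path, reason), ...] for one file."""
    rel = os.path.relpath(path, docroot)
    findings = []
    ext = os.path.splitext(path)[1].lower()
    parent_dirs = {p.lower() for p in rel.split(os.sep)[:-1]}
    if ext in PHP_EXTENSIONS and parent_dirs & UPLOAD_DIR_NAMES:
        findings.append((rel, "PHP-executable file inside an upload/attachment directory"))
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return findings
    for reason, pattern in WEBSHELL_PATTERNS:
        if pattern.search(data):
            findings.append((rel, reason))
    for match in HIDDEN_BLOCK.finditer(data):
        links = len(ANCHOR.findall(match.group(2)))
        if links >= MIN_HIDDEN_LINKS:
            findings.append((rel, f"hidden block with {links} links (SEO spam injection)"))
    return findings


def scan_docroot(docroot):
    """Walk the document root and return all findings, sorted for stable output."""
    results = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            results.extend(scan_file(os.path.join(dirpath, name), docroot))
    return sorted(results)


def build_sample_docroot():
    """Constructed sample tree: a renamed shell under attachments/, an index page
    with injected hidden links, and one clean script. Not a real site."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "forum", "attachments"))
    samples = {
        # the loader shape from the thread with a dummy (non-functional) blob
        os.path.join("forum", "attachments", "avatar.php"):
            b'<?PHP\n$login = "";\n$pass = "";\n'
            b'eval(gzinflate(base64_decode("Q09OU1RSVUNURUQgU0FNUExF")));\n?>\n',
        "index.html":
            b'<html><body>Welcome\n<u style="display:none">\n'
            b'<strong><a href="http://spam.example/1">free sex</a></strong>\n'
            b'<strong><a href="http://spam.example/2">world sex</a></strong>\n'
            b'<strong><a href="http://spam.example/3">sex story</a></strong>\n'
            b'</u>\n</body></html>\n',
        "contact.php":
            b"<?php echo htmlspecialchars($_GET['name'] ?? ''); ?>\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reason in scan_docroot(build_sample_docroot()):
        print(f"{rel}: {reason}")
```

Run it as `scan_docroot("/home/user/public_html")` on the real box; a hit on the loader pattern is worth reading by hand, since some legitimate packed libraries also ship an eval/gzinflate loader, but a PHP file under an attachments directory has no business being there at all.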
markcausa
QUOTE (KennyM @ May 19 2008, 05:07 AM) *
You MUST be new to web hosting. That is a simple PHP shell. There are literally hundreds of different shells out there. If you don't already know what webshells are, you probably shouldn't be doing web hosting.
It took you hours to get that fixed? That is really sad. It should be a 15 minute fix at most.

I've been doing this for six years, Kenny, but it takes a lot longer to fix a problem when you can't log in to your own box. Oh and God forbid me for trying to help others with my experience! ohmy.gif

Thanks for the 'feedback!' wink.gif


QUOTE (panicatthewebserver @ May 19 2008, 07:03 AM) *
Nice one. I'd been running into this problem with our own servers over the last couple of weeks. Your post helped me clean up the mess. Took me a while to figure out how the heck they were still 'getting in' after patching everything.

Google around for the infected files symptomatic of this attack; there's a ton of websites currently hacked with c99madshell. The more people that become aware of this issue, the better.

I hope google indexes this one, as it might help some more people out there. smile.gif Happy Hosting my friend!
XGhozt
Yeah dude.. People have been trying to do that to me for as long as I can remember. It's nothing new; I've saved all the shell scripts I've come across and I use them to test my own security so they can't.. icon_razz.gif

Either way, this is really nothing new, welcome to the club icon_razz.gif
markcausa
Thanks for the welcome?
James Jhurani
QUOTE (markcausa @ May 20 2008, 05:15 PM) *
Thanks for the welcome?


I wouldn't really call c99madshell a "hack" per se. A more correct phrase would be a backdoor, but the masses seem to be calling it a php shell, eh, so be it...

The php shell uses several different functions that many webmasters should not allow in the first place, such as exec() and system().

If anyone takes just one thing from this post, I hope it is:
CODE
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source


In any case, nice post Mark.
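Added example (not code from the thread or any of the posters) covering the php.ini hardening recommended in Mark's original post and repeated here: a small Python audit that parses a php.ini, checks that allow_url_fopen is Off and that disable_functions covers the full list, and reports what is still missing. It assumes the stock "key = value" php.ini syntax with ';' comments; the sample ini fragments are constructed, including one with the function list wrapped across two lines the way the forum software mangled it, which PHP would silently read as a list ending in "parse_".

```python
# The function list from the thread, with parse_ini_file spelled out in full.
REQUIRED_DISABLED = [
    "exec", "passthru", "shell_exec", "system", "proc_open", "popen",
    "curl_exec", "curl_multi_exec", "parse_ini_file", "show_source",
]


def parse_php_ini(text):
    """Return {lower-case key: value} for every 'key = value' line.
    Comments (';'), blank lines and [Section] headers are skipped; a wrapped
    continuation line without '=' is skipped too, which is how PHP itself
    would silently lose it."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"')
    return settings


def is_off(value):
    """Spellings PHP treats as boolean false in an ini file."""
    return value.strip().lower() in {"off", "0", "false", "no", "none", ""}


def audit(ini_text):
    """Return a list of problems; an empty list means the thread's fix is in place."""
    settings = parse_php_ini(ini_text)
    disabled = {
        name.strip().lower()
        for name in settings.get("disable_functions", "").split(",")
        if name.strip()
    }
    problems = []
    # PHP's built-in default for allow_url_fopen is On, so a missing key counts as On.
    if not is_off(settings.get("allow_url_fopen", "On")):
        problems.append("allow_url_fopen is not Off")
    missing = [name for name in REQUIRED_DISABLED if name not in disabled]
    if missing:
        problems.append("disable_functions is missing: " + ",".join(missing))
    return problems


def hardened_lines():
    """The two php.ini lines the thread recommends, each on a single unwrapped line."""
    return ["allow_url_fopen = Off",
            "disable_functions = " + ",".join(REQUIRED_DISABLED)]


# Constructed sample php.ini fragments for the example.
WEAK_INI = """\
[PHP]
; stock settings: remote fetches allowed, nothing disabled
allow_url_fopen = On
disable_functions =
"""
WRAPPED_INI = """\
allow_url_fopen = Off
; the list as it came through the forum software, broken across two lines
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_
ini_file,show_source
"""
HARDENED_INI = "\n".join(hardened_lines()) + "\n"

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("wrapped", WRAPPED_INI), ("hardened", HARDENED_INI)):
        print(label, "->", audit(ini) or "OK")
```

Two caveats when applying this on a real box: run the audit against the file phpinfo() reports as the "Loaded Configuration File" for the web SAPI, because the CLI's `php --ini` can point at a different php.ini; and remember that disable_functions is a PHP_INI_SYSTEM setting, so it can only be set in php.ini (or with php_admin_value in the Apache config for mod_php), which also means a user cannot undo it with ini_set() or .htaccess. It only blocks the listed functions: file writes, database access and mail() still work, so this limits what a dropped shell can do rather than neutralising it.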
Jeff
Am I blind, or did the forum delete an i? parse_ini_file
markcausa
QUOTE (Jeff @ May 20 2008, 11:42 PM) *
Am I blind, or did the forum delete an i? parse_ini_file

All fixed. Thanks for pointing it out. smile.gif
skywalllker
Thanks for the info Mark! However, in Ensim system, there's 2 php.ini:

/etc/php.ini
/home/virtual/domain.com/etc/php.ini

Do we need to edit both?
markcausa
Only one of them is actually used.

Create a php page with the following code:
CODE
<?php phpinfo(); ?>


It will say in there which php.ini file is being used - That's the one you want to mod.
Penguin
QUOTE (skywalllker @ Sep 6 2008, 04:34 AM) *
Thanks for the info Mark! However, in Ensim system, there's 2 php.ini:

/etc/php.ini
/home/virtual/domain.com/etc/php.ini

Do we need to edit both?


With Ensim, if your sites are in high security (which they should be) then the file is /home/virtual/domain.com/etc/php.ini - also Ensim in high security mode 99.99% ensures that such a shell script will be limited to that particular hosting account and so not gain access to the rest of the server anyway.

If you're running in anything other than High security mode then the /etc/php.ini file globally controls PHP for all sites in this mode.
ChuFuong
QUOTE (skywalllker @ Sep 5 2008, 10:34 PM) *
Thanks for the info Mark! However, in Ensim system, there's 2 php.ini:

/etc/php.ini
/home/virtual/domain.com/etc/php.ini

Do we need to edit both?


Always compare the two files to see what is different. In some cases you will need to edit both, in others you won't.
Penguin
QUOTE (ChuFuong @ Oct 14 2008, 10:45 PM) *
always compare the two files to see what is different. some cases you will need to edit both, others you won't.


That's not correct sorry - the /etc/php.ini file is for the server level PHP installation (non high security sites) and the /home/virtual/domain.com/etc/php.ini file is specifically for high security mode sites. Either one or the other is used - you never need to alter both files if you're not changing the security mode of the site.
Sheldon King
Hi all,

Just curious if those shell scripts could do any damage to the server itself if you run suPHP?

Cheers
Netino
More good information at:
<http://www.ciac.org/ciac/techbull/CIACTech08-001.shtml>

Regards,
Netino
ChuFuong
QUOTE (KennyM @ May 19 2008, 06:07 AM) *
You MUST be new to web hosting. That is a simple PHP shell. There are literally hundreds of different shells out there. If you don't already know what webshells are, you probably shouldn't be doing web hosting.
It took you hours to get that fixed? That is really sad. It should be a 15 minute fix at most.


LOL... damn that was harsh... but true nonetheless.
Netino
Unfortunately, after my server was compromised, I ran an fsck that reported failures in the / filesystem. After correcting that problem in /, my system was left unusable. A complete OS re-image (restore) of the system was needed, along with restoring the sites from backup. icon_cry.gif