
Attempted file upload 2


audiopro (Programmer, GB), Apr 1, 2004
A visitor has attempted to inject the following code and a number of other files into my website; I have included part of it below. What were the visitor's intentions?

Code:
<?
//add php tags before usage
/*
******************************************************************************************************
*
*					c99shell.php v.1.0 beta (?? 21.05.2005)
*							Freeware license.
*								© CCTeaM.
*  c99shell - ????-???????? ????? www-???????, "?????????" ??? ??????.
*  ?? ?????? ????????? ??????? ????????? ?????? ?? ???????? ????????? ????????:
   http://ccteam.ru/releases/c99shell
*
*  WEB: http://ccteam.ru
*  ICQ UIN #: 656555
* 
*  ???????????:
*  + ?????????? ?????????? ? ?????????? (ftp, samba *) ???????/???????, ??????????
*    ??????????? ?????????? ?????? ? ?????
*    (?????????????? ?????????????/??????????????? ????? tar *)
*    ??????????? ????? (???????? ?????? ??????)
*    modify-time ? access-time ? ?????? ?? ???????? ??? ?????????????? (????./???. ?????????? $filestealth)
*  + ??????????? SQL-???????? ?? ?????????? phpmyadmin,
     ????????/????????/?????????????? ??/??????, ???????? ?????? ????? ????? ? mysql
*  + ?????????? ?????????? unix-??????.
*  + ??????

Keith
 
I take it that this is a 'cPanel' server then :)

Getting 'shell' access as the site 'owner' to enable them to run perl scripts that can extract the cPanel usernames and the email addresses amongst other things.

All this is enabled by a well known and long standing (first publicly reported 2007) cPanel flaw in the 'Legacy File Manager' that cPanel either can't, or won't fix.

You can't actually disable LFM to prevent the remote attacks, and applying ALL the WHM/cPanel "security" has no effect on these attacks, but does make it a bit more difficult for legitimate users.

We have three cPanel servers and see this all the time on them but it never happens on the Webmin or Plesk servers.

If it is a VM and you have shell access, load up ClamAV and Maldetect, then have that on a crontab to run every fifteen minutes during the time slots these attacks happen and every thirty minutes at other times.

You only need to scan the /home/*/public_html/ directories not the entire server.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum
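The periodic scan Chris describes above (a cron job over /home/*/public_html rather than the whole server) can be complemented by a cheap content check for the kind of file Keith posted. The script below is an added example written for this thread, not code from any poster or from ClamAV/maldet. It assumes only POSIX sh, find and grep -E; the marker patterns are constructed here from the banner strings visible in the posted snippet (c99shell, CCTeaM) plus common obfuscated-eval idioms, so treat them as a starting point, not a signature database.

```shell
#!/bin/sh
# Added example (not from the thread): scan web upload directories for
# web-shell markers, intended to run from cron alongside ClamAV/maldet.
# Assumptions: POSIX sh, find and grep -E are available; the directories
# to scan are passed as arguments, e.g. /home/*/public_html.

# Marker regex (constructed for this example): the c99shell banner strings
# seen in the posted snippet, plus typical obfuscated-eval and
# "run whatever came in via GET/POST" idioms found in PHP web shells.
WEBSHELL_PATTERNS='c99shell|CCTeaM|r57shell|eval\((base64_decode|gzinflate|str_rot13)\(|(passthru|shell_exec|system|exec)\(\$_(GET|POST|REQUEST)\['

# scan_for_webshells DIR...: print every PHP-like file under the given
# directories whose contents match a marker, one path per line.
# Returns 0 if at least one file was flagged, 1 if everything looked clean.
scan_for_webshells() {
    # `|| :` keeps a "no match" exit status from grep/find from aborting a
    # caller that runs under `set -e`; permission errors are silenced.
    hits=$(find "$@" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) \
        -exec grep -l -i -E "$WEBSHELL_PATTERNS" {} + 2>/dev/null || :)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
    return 0
}

# count_webshell_hits DIR...: number of flagged files (0 when clean),
# handy for a cron wrapper that only sends mail when the count is non-zero.
count_webshell_hits() {
    scan_for_webshells "$@" | wc -l | tr -d ' '
}

# Example crontab line matching the fifteen-minute cadence suggested above
# (hypothetical path to this script):
#   */15 * * * * /usr/local/sbin/webshell-scan.sh /home/*/public_html
```

Run it as `scan_for_webshells /home/*/public_html` from the cron wrapper; the exit status alone is enough to decide whether to alert. Because it only inspects file contents, it does not replace ClamAV or maldet, which also catch renamed or non-PHP droppers, but it flags the obvious cases within seconds and costs almost nothing to run every few minutes.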
 
Thanks Chris, I know who uploaded the files but I was just wondering what they were trying to do.
The files were uploaded via a perl script which I use to demonstrate a function.
All uploaded files are 'altered' so that the original version is never stored on the server. I was alerted by the error log to the fact that someone was trying to run .php scripts, as any attempt to run an uploaded script on there will always result in an error.
I hope my explanation makes sense.

Keith
 
From memory, this file provides a mechanism for unscrupulous users to execute bash commands, and a bunch of other naughty stuff.

Always a good idea to consider permissions carefully on upload directories.
