“php shell script on my server”

Q:

I have a webserver where I've found several different PHP shell scripts and I'd like to know how they got there. Are there known vulnerabilities that allow uploading of PHP files to a server?

I have several sites running on this server with several php script packages including…

Zencart
phpbb2

Any ideas or pointers will be appreciated!

A: Hi,

There are several vulnerabilities in both off-the-shelf products as well as custom PHP scripts that would allow “uploading”; in essence they don’t need to upload, they just need to get your PHP scripts to execute an arbitrary (outside) PHP script.

PHPbb has several:
http://www.securiteam.com/cgi-bin/htsearch?sort=score&words=phpbb

Listed as Code Execution, Arbitrary File Upload, etc.

While Zen Cart has just one problem:
http://www.securiteam.com/cgi-bin/htsearch?sort=score&words=zen+cart

But that could be misleading, and just mean that the software is very uncommon.

  • Woody Mon

    @Kfir: Your follow-up response to the original question regarding Zen Cart was pointless. You pointed to an almost four year old URL announcing a security issue which has been patched for almost as long. Please do the required research before posting? If you are going to post references to very old bugs, then do your readers a favor and post a reference to the patch. Better yet first ask the poster posing the original question which versions of “suspect” web applications they are running, before you come to and report such absurd conclusions. Your lack of due diligence does us all a disservice and reduces the credibility of securiteam.

  • http://www.kuroiwebdesign.com Kuroi

    I agree with Woody Mon. The past tense would be more appropriate here. “There have been several vulnerabilities …” since the authors of both packages have worked to ensure that as new hacking techniques are evolved the scripts are updated to counter them.

    As the Zen Cart “vulnerability” dates back 4 years and was fixed long ago, and even among the phpbb list of 51 only one is from within the past 12 months and most are much older, perhaps a better approach to answering the question would have been to focus on the importance of upgrading regularly to protect the server by taking advantage of the work done in these packages to keep abreast of hacking techniques and developments in security.

  • Kfir

    Hi,

    Thank you both for the comments, my answer was brief, and maybe a bit too quick, but the point I was trying to pass was that even though both products have at least one issue, in most cases they aren’t the one used to hack sites.

    Specifically in the case of Zen Cart – the product appears to be “secure” only because no one probably spent too much time looking into it.

    While PHPBB is a very “sexy” product, very common, making it a product listed with numerous vulnerabilities.

    Again, thank you both for the comments, I have forwarded them to the person that has asked us the question.

  • Joseph Pierini

    One thing you might want to investigate, in the absence of a known vulnerability, is if the PUT command is enabled on the server.

    Using cURL, it would take an attacker only a moment to determine if the server is improperly configured:

    curl -IXOPTIONS http://www.affectedwebsite.com

    Once a misconfiguration is discovered, cURL can be used to upload the files to affected directories:

    curl -T phpshellscript.php http://www.affectedwebsite.com

    For more information on cURL, check out http://curl.haxx.se/

    For more information on the PUT method, check out http://www.apacheweek.com/features/put
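The same OPTIONS probe, written as a check you run against your own host rather than a one-off curl call. This is an added example and not Joseph's or the thread's code; the function names and the list of write methods are my own choices.

```python
# Added example: audit which HTTP methods a server advertises and flag the
# ones that let a client create, change or remove files in the web root.
import http.client

# Methods that write to the server. PUT/DELETE are the classic pair; the
# rest are WebDAV methods that also create or move resources.
WRITE_METHODS = {"PUT", "DELETE", "PATCH", "MOVE", "COPY", "MKCOL", "PROPPATCH"}


def parse_allow(header_value):
    """Turn an Allow header such as 'GET, POST,OPTIONS' into a set of methods."""
    if not header_value:
        return set()
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}


def risky_methods(allowed):
    """Return, sorted, the advertised methods that can write to the server."""
    return sorted(allowed & WRITE_METHODS)


def audit_host(host, path="/", port=80, timeout=5):
    """Send OPTIONS to one of your own hosts; return (status, allowed, risky).

    Allow is advisory: a server may omit it or list methods it then refuses,
    and a misconfigured directory may accept PUT without advertising it, so
    treat a clean result as a hint and confirm against the server config.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        allowed = parse_allow(resp.getheader("Allow"))
        return resp.status, allowed, risky_methods(allowed)
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    status, allowed, risky = audit_host(target)
    print("status:", status, "allowed:", sorted(allowed))
    print("write-capable methods:", risky or "none advertised")
```

On Apache the fix is a `<LimitExcept GET POST HEAD>` block denying everything else (or removing mod_dav/Script PUT handlers), checked per directory rather than only at the server root.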

  • A Happy Zen Cart User

    “Specifically in the case of Zen Cart – the product appears to be “secure” only because no one probably spent too much time looking into it.”

    Very contentious and possibly damaging – perhaps deliberately so.

    I, and most other Zen Cart users, see hacking attempts roughly every day. I would argue that “no one probably spent too much time looking into it” is, therefore, inaccurate from the hackers’ perspective. In addition, we always see very fast responses from the Zen Cart team when anyone posts about hacking attempts on the Zen Cart forums so the statement is untruthful from the users’ perspective too.

  • Kfir

    Unlike what you say, or think, especially the intent wasn’t deliberate, I was only providing my thoughts, and facts at the same time.

    It wasn’t meant to make Zen Cart look bad, or his team that developed it bad.

    I apologize if it looked as if I was making Zen Cart look bad; my intent was the opposite, simply to say that the person that has asked the question might want to look elsewhere for vulnerabilities, in his case phpbb, as Zen Cart has very few documented vulnerabilities.

  • http://www.webdigi.co.uk Jason

    I always have a simple PHP script running on my website that sends me an email with the MD5 hash value. I am sure that no PHP file will ever change on the server at all (although log files etc will change).

    In short, if the MD5 ever changes you can be assured that you have a new php file or change to a php file that you did not upload.
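Jason's idea, carried one step further as an added example (this is not his script): instead of one MD5 over everything, keep a per-file manifest so the alert says which file was added, modified or removed. SHA-256 stands in for MD5; the function names and the extension list are mine.

```python
# Added example: per-file integrity manifest for the PHP files under a web root.
import hashlib
import json
import os

PHP_EXTS = (".php", ".phtml", ".php5", ".inc")


def file_digest(path):
    """SHA-256 of one file, read in chunks so large files are handled cheaply."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, exts=PHP_EXTS):
    """Map every PHP-like file under root (path relative to root) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                manifest[os.path.relpath(full, root)] = file_digest(full)
    return manifest


def diff_manifests(baseline, current):
    """Classify each path as added, modified or removed relative to the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


if __name__ == "__main__":
    # usage: integrity.py <web root> <manifest file kept outside the web root>
    import sys
    root, store = sys.argv[1], sys.argv[2]
    current = build_manifest(root)
    if os.path.exists(store):
        with open(store) as fh:
            baseline = json.load(fh)
        print(json.dumps(diff_manifests(baseline, current), indent=1))
    else:
        with open(store, "w") as fh:
            json.dump(current, fh, indent=1, sort_keys=True)
        print("baseline written for", len(current), "files")
```

Keep the baseline (and ideally the comparison) off the web server: whoever can drop a PHP file can also edit a manifest that lives beside it.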

  • http://www.esux.net Zizzi

    I have written a tool that can be useful in locating a PHP shell on your server such as C99 or GNY. The script is written in Python and scans directories for files that might have the shell signatures in them. It’s worth a look, check it out:

    I’d post a full link but it trips a spam filter…
    esux.net/python_php_shell_virus_web_scan_detection
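An added example of the signature-scan approach Zizzi describes (not his tool, and not taken from his site): walk the web root, test each PHP-like file against a short list of patterns typical of C99/GNY-style shells, and report the matches for manual review. The pattern set, labels and function names are my own.

```python
# Added example: signature scanner for PHP web shells.
import os
import re

PHP_EXTS = (".php", ".phtml", ".php5", ".inc")

# (label, pattern). These target the loader and plumbing idioms shared by shell
# families rather than one sample, so expect some false positives (legitimate
# code occasionally uses eval or a /e regex); treat every hit as a lead.
SIGNATURES = [
    ("eval of decoded payload",
     re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("request data fed to a shell command",
     re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("request data used as a function name",
     re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(")),
    ("preg_replace with the /e (eval) modifier",
     re.compile(r"\bpreg_replace\s*\(\s*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    ("known shell family name",
     re.compile(r"c99shell|r57shell|FilesMan|b374k|GNY\s*Shell", re.I)),
]


def scan_text(text):
    """Return the labels of every signature that matches the given PHP source."""
    return [label for label, rx in SIGNATURES if rx.search(text)]


def scan_file(path):
    with open(path, "rb") as fh:
        return scan_text(fh.read().decode("utf-8", "replace"))


def scan_tree(root, exts=PHP_EXTS):
    """Map relative path -> matched labels for every PHP-like file with a hit."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                matched = scan_file(full)
                if matched:
                    hits[os.path.relpath(full, root)] = matched
    return hits


if __name__ == "__main__":
    import sys
    for path, labels in sorted(scan_tree(sys.argv[1]).items()):
        print(path, "->", "; ".join(labels))
```

Signatures only catch what they were written for; pairing this with an integrity manifest of known-good files is what turns an unrecognised obfuscated file into a finding.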