Posted on January 24th, 2008 by Kfir
Filed under: Ask the Expert | 6 Comments »
Q:
I have a webserver where I've found several different PHP shell scripts and I'd like to know how they got there. Are there known vulnerabilities that allow uploading of PHP files to a server?
I have several sites running on this server with several php script packages including…
Zencart
phpbb2
Any ideas or pointers will be appreciated!
A: Hi,
There are several vulnerabilities in both off-the-shelf products and custom PHP scripts that would allow "uploading". In essence they don't need to upload anything; they just need to get your PHP scripts to execute an arbitrary (outside) PHP script.
phpBB has several:
http://www.securiteam.com/cgi-bin/htsearch?sort=score&words=phpbb
Listed as Code Execution, Arbitrary File Upload, etc.
While Zen Cart has just one problem:
http://www.securiteam.com/cgi-bin/htsearch?sort=score&words=zen+cart
But that could be misleading, and just mean that the software is very uncommon.
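The answer's point, that the attacker only needs to make one of your own PHP scripts include a script it should not, is easiest to see in code. The following is an added example written for this page, not code from phpBB, Zen Cart or the original post; the $page parameter, the templates/ directory and the page names are assumptions. It shows the include pattern that creates the exposure beside a hardened version that treats the request value as a lookup key rather than as a piece of a path.

```php
<?php
// Added example, not from the post: an include whose target comes from the
// request, beside a version that only ever includes files from a fixed list.
// $page, the templates/ directory and the page names are assumed for illustration.
declare(strict_types=1);

// --- The exposed pattern (shown for contrast, do not use) -------------------
// With allow_url_include=On, include() will fetch whatever URL arrives in
// $page; with it Off, "../" sequences still reach local files outside
// templates/, which is the same outcome once any file the attacker controls
// (an upload, a log, a cache entry) exists on disk.
function renderPageUnsafe(string $page): void
{
    include 'templates/' . $page . '.php';
}

// --- Hardened: the request value is a key into an allowlist, never a path ----
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
    'about'   => 'about.php',
];

function resolvePage(string $page): ?string
{
    // Exact-match lookup; an unknown key simply fails, nothing is built from it.
    if (!array_key_exists($page, PAGES)) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    if ($base === false) {
        return null;
    }
    $path = realpath($base . '/' . PAGES[$page]);
    // Belt and braces: the resolved file must still live under templates/,
    // so a mistaken allowlist entry cannot point outside it either.
    if ($path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function renderPage(string $page): void
{
    $path = resolvePage($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Not found';
        return;
    }
    include $path;
}

renderPage($_GET['page'] ?? 'home');
```

The php.ini directives allow_url_include and allow_url_fopen govern whether include() will fetch a URL at all; setting allow_url_include = Off removes the remote case but not the local one, which is why the allowlist is the real fix. Finding the shell files that are already under the web root is a separate job; the hardened pattern only closes the route the answer describes.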
Posted on November 23rd, 2007 by Kfir
Filed under: Funnies, Zoned Out | No Comments »
Zoned Out strip #4!
The Beyond Security family wishes you all a happy Thanksgiving.

Click on the image for full size.
(Check out our new site: www.securitoons.com!)
Posted on November 20th, 2007 by Kfir
Filed under: Funnies, Zoned Out | No Comments »
Zoned Out strip #3!
News link: http://games.slashdot.org/games/07/10/15/1817206.shtml

Click on the image for full size.
Posted on November 7th, 2007 by Kfir
Filed under: Funnies, Zoned Out | No Comments »
Zoned Out strip #2!
We hope you all had a happy and protected Halloween.

Click on the image for full size.
Posted on November 1st, 2007 by Kfir
Filed under: Funnies, The NULL Terminated | No Comments »
Null Term. strip #5

Click on the image for full size.
Posted on May 1st, 2007 by Kfir
Filed under: Funnies, InSecurity | No Comments »
InSecurity, strip #10 of this new comic.
Click on the image for full size.
Posted on November 13th, 2006 by Kfir
Filed under: Web, Microsoft, Corporate Security, Insider Threat | 4 Comments »
Earlier this year, Beyond Security’s beSIRT released an incident response forensic analysis of a defacement attack by Team Evil [Team Evil Incident (Cyber-terrorism defacement analysis and response)].
The PDF itself can be found here:
http://www.beyondsecurity.com/besirt/advisories/team-evil-incident.pdf
A follow-up on a second incident is being released today, following what Team Evil did, their methodology, and how it changed since the first document was released.
The aim of this document is more educational: to show how such an analysis is done. The PDF can be found here:
http://www.beyondsecurity.com/besirt/advisories/teamevil-incident2.pdf
We hope you find this useful.
Kfir.
Posted on August 16th, 2006 by Kfir
Filed under: Commentary, Culture, Digest, Funny | 4 Comments »
Ahoy,
Can you tell who wrote this poem?
“Oracle
Everybody follows
Speedy bits exchange
Stars await to glow”
You’re right!
Oracle JDBC Client programmers.
I was sniffing my network and encountered this poem in the RAW bytes of one of Oracle’s JDBC logon packets.
The raw bytes of the packet (data in hex; ASCII translation on the right):
22 4f 72 "Or
61 63 6c 65 0a 45 76 65 72 79 62 6f 64 79 20 66 acle.Everybody f
6f 6c 6c 6f 77 73 0a 53 70 65 65 64 79 20 62 69 ollows.Speedy bi
74 73 20 65 78 63 68 61 6e 67 65 0a 53 74 61 72 ts exchange.Star
73 20 61 77 61 69 74 20 74 6f 20 67 6c 40 6f 77 s await to gl@ow
22 0a 54 68 65 20 70 72 65 63 65 64 69 6e 67 20 ".The preceding
6b 65 79 20 69 73 20 63 6f 70 79 72 69 67 68 74 key is copyright
65 64 20 62 79 20 4f 72 61 63 6c 65 20 43 6f 72 ed by Oracle Cor
70 6f 72 61 74 69 6f 6e 2e 0a 44 75 70 6c 40 69 poration..Dupl@i
63 61 74 69 6f 6e 20 6f 66 20 74 68 69 73 20 6b cation of this k
65 79 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 ey is not allowe
64 20 77 69 74 68 6f 75 74 20 70 65 72 6d 69 73 d without permis
73 69 6f 6e 0a 66 72 6f 6d 20 4f 72 61 63 6c 31 sion.from Oracl1
65 20 43 6f 72 70 6f 72 61 74 69 6f 6e 2e 20 43 e Corporation. C
6f 70 79 72 69 67 68 74 20 32 30 30 33 20 4f 72 opyright 2003 Or
61 63 6c 65 20 43 6f 72 70 6f 72 61 74 69 6f 6e acle Corporation
As you can see, the packet, belonging to our corporate world, carried a copyright notice just after the poem.
“The preceding key is copyrighted by Oracle Corporation.
Duplication of this key is not allowed without permission
from Oracle Corporation. Copyright 2003 Oracle Corporation”
Well, what next? Harry Potter in P2P packets, or maybe copyrighted MD5s?
Live long and prosper,
Kfir Damari,
kfird@beyondsecurity.com.