Protect Against Shell Script Hacks
Written by Brian on January 12, 2008 – 11:18 pm
While browsing through Technorati, I just stumbled on a post about a shell script attack. It seems the poor chap got a shell script uploaded to his server, and the attacker used it to create a bunch of bogus files full of hyperlinks.
The original post has some header information about this particular hack (a modified c100 shell), as well as a link to some search results about the file. I looked through the source code for the shell script and tested it out on my local server – getting some link-filled files is the least that this script could do.
Once the script is sitting on your server, anyone who knows its URL can open it in a browser and get the same access to the system that the web server process itself has. No login, no exploit: the upload was the exploit.
The script allows you to navigate through the server’s directories like any remote file-manager. I noticed that it could even go up out of the web server root and into my local folders as well.
The script gathers up all the details on your computer – operating system build, running processes, IP address, etc. The user can run shell commands, create files, upload files, and do other kinds of nasty things.
It would be pretty easy for someone to use this to read your config files and find the MySQL username/password, hack your database, do whatever they want, and pretty much wreck your entire site. Or worse, they could use this to do some nasty things to the server itself – on a shared host, potentially wrecking other people’s sites.
So how do you protect against this? Well, I’m not sure what you would do to protect against the shell script once it’s loaded up. It looks like it’s built to bypass most security precautions and give the hacker access to whatever he or she wants.
Your best bet is to be vigilant in restricting front-end uploads to your site. If you’ve got an upload script, be sure you restrict what file extensions can be uploaded.
To run at all, the script has to be saved under a file extension that your web server hands to the PHP interpreter – so you should never allow users to upload .php files (or .html if you set up your server to execute those as PHP, or any other extension you have mapped to PHP such as .phtml).
Being more restrictive is better than less restrictive – so ban all file extensions except the ones you know are safe. So, for example, you might allow “.jpg, .gif, .png” for pictures, and “.doc, .odt, .pdf, .txt, .rtf” for documents. Check the whole filename rather than just its last few characters, check that the file contents actually are what the extension claims, and save the file under a name your own code generates rather than the one the uploader supplied; the extension check on its own is only the first layer.
If you’ve got any other suggestions for security against this sort of thing, please comment away. Otherwise, take a look at the script so that you are aware of what it can do.
Posted in Nerds at Work, Web Design
Tags: Security

Yep, you are right. The tool/script is very powerful and worked on many servers.
I thought about disallowing the uploading of PHP files, but I have decided to just not allow PHP files to be executed in the upload directory and in any other directories where PHP files should not run. Hope this helps.
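The approach in the comment above, as an added configuration example that is not the commenter’s own config: it assumes Apache with mod_php, an upload directory at /var/www/example.com/uploads (a hypothetical path), and Apache 2.4 access-control syntax. The point is that even if a validation bug lets a script through, nothing under this directory is ever handed to the PHP interpreter.

```apache
# Added example: switch off PHP execution for everything under the upload
# directory. Path is an assumption; use your real upload directory.
<Directory "/var/www/example.com/uploads">
    # mod_php only: turn the PHP engine off entirely for this subtree.
    php_flag engine off

    # mod_mime: forget that these extensions mean "run as PHP" here, so a
    # stray AddHandler/AddType in the global config does not apply.
    RemoveHandler .php .phtml .php3 .php4 .php5 .phar
    RemoveType    .php .phtml .php3 .php4 .php5 .phar

    # Belt and braces: refuse to serve any name containing a PHP-like
    # extension anywhere, which also covers double extensions such as
    # shell.php.gif. (Apache 2.2 would use "Order deny,allow" + "Deny from all".)
    <FilesMatch "\.(?i:ph(p[0-9]?|tml|ar))(\.|$)">
        Require all denied
    </FilesMatch>

    # No overrides from an uploaded .htaccess either.
    AllowOverride None
</Directory>
```

If PHP runs through php-fpm instead of mod_php, `php_flag` has no effect; the `RemoveHandler` lines and the `FilesMatch` deny still do the job, and the pool configuration can additionally restrict which paths the FPM workers may execute. Combine this with an upload directory outside the document root wherever the application allows it.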
Dear Brian, I really found what you wrote the closest to what I am looking for, but here is the issue: I found some shell scripts that are masked as GIF and JPEG files and are in fact PHP shell scripts. Here is an example of the format I caught:
xxxxx.php.gif – something in that format the site will see as a picture file, but it is in fact a script. What can I do about it?
@Amr,
Unless your server has some strange settings, that shouldn’t pose a problem. The server won’t execute a file with a .gif extension, even if it has .php in there somewhere. It’ll attempt to load it like a picture. Since the file format won’t be valid, it won’t actually display anything (except maybe a broken image icon).
If you wanted to stop an upload script from allowing the file (since it would be dangerous if the infiltrator could rename the script somehow once it had been uploaded), you’d need to edit the upload script’s validation code. It probably checks the last three characters of the filename and assumes that is the file extension.
Instead, you could change this to a regex check for anything that includes “.php.” You could also explode the filename on “.” and check each part to see if it is equal to “php.” In the example you provided, the explosion would result in “xxxxx,” “php,” and “gif.” It’d be easy for your script to tell that there’s a .php extension in there somewhere.
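Pulling together the extension allowlist from the post and the explode-on-“.” check from the reply above, here is an added example upload validator. It is not the post author’s or any commenter’s code, and it assumes PHP 7.1 or later, a storage directory of your choosing that sits outside the web root with PHP execution disabled, and the allowlist and size limit shown (all assumptions, adjust to your site). It goes beyond the single case in the thread: every dot-separated segment is checked, not only “php”, and the bytes on disk are checked against what the extension promises.

```php
<?php
// Added example (not from the original post or comments). Assumes PHP >= 7.1.

// Allowlisted extensions -> MIME types finfo is expected to report for them.
// Assumption: these are the only types this site needs to accept.
const ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
    'png'  => ['image/png'],
    'pdf'  => ['application/pdf'],
    'txt'  => ['text/plain'],
];

// Segments that must never appear ANYWHERE in a client-supplied name.
// "shell.php.gif" explodes to shell / php / gif, so "php" is caught.
const FORBIDDEN_SEGMENTS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar',
    'htaccess', 'cgi', 'pl', 'sh',
];

/**
 * Return the allowlisted extension of $clientName, or null to reject.
 * Rejects: a forbidden segment anywhere in the name, an empty base name,
 * no extension at all, or a final extension not on the allowlist.
 */
function validateClientName(string $clientName): ?string
{
    $base  = basename($clientName);          // drop any path the client sent
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2 || $parts[0] === '') {
        return null;                         // "noext", ".htaccess" -> reject
    }
    foreach ($parts as $part) {
        if (in_array($part, FORBIDDEN_SEGMENTS, true)) {
            return null;
        }
    }
    $ext = end($parts);
    return array_key_exists($ext, ALLOWED) ? $ext : null;
}

/**
 * Check that the bytes on disk match what the extension promises. A PHP
 * shell renamed to .gif fails here: libmagic reports text/x-php, not a GIF.
 */
function contentMatchesExtension(string $tmpPath, string $ext): bool
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !in_array($mime, ALLOWED[$ext], true)) {
        return false;
    }
    if (in_array($ext, ['jpg', 'jpeg', 'gif', 'png'], true)) {
        return @getimagesize($tmpPath) !== false;   // must parse as an image
    }
    return true;
}

/**
 * Validate one $_FILES entry and, on success, move it to a server-chosen
 * random name under $storeDir (assumed outside the web root, PHP disabled).
 * Returns the stored name, or null if the upload was rejected.
 */
function acceptUpload(array $file, string $storeDir, int $maxBytes = 2097152): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) return null;
    if (!is_uploaded_file($file['tmp_name'])) return null;   // real upload only
    if ($file['size'] > $maxBytes) return null;

    $ext = validateClientName($file['name']);
    if ($ext === null || !contentMatchesExtension($file['tmp_name'], $ext)) {
        return null;
    }
    // Never reuse the client's name: a random name removes traversal and
    // guessable URLs, and the extension is the one WE validated.
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest    = rtrim($storeDir, '/') . '/' . $newName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) return null;
    chmod($dest, 0644);                      // readable, never executable
    return $newName;
}

// Usage in the handler for <input type="file" name="upload"> (path is an assumption):
// $stored = acceptUpload($_FILES['upload'], '/var/www/example.com/private/uploads');
// if ($stored === null) { http_response_code(400); exit('Upload rejected'); }
```

Two caveats worth keeping in mind. First, the content check is not a guarantee: a real GIF with PHP appended after the image data still passes `getimagesize`, which is exactly why the storage directory must not execute PHP regardless of what this code decides. Second, do not assume a web server only looks at the last extension: with Apache’s common `AddHandler application/x-httpd-php .php` setup, mod_mime examines every extension in the name, so a file stored as `shell.php.gif` is handed to PHP. Rejecting “php” anywhere in the name, as above, and never storing the client’s name at all, removes that whole class of surprise.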