

Sy_Conf

Corey Member
edited November 2012 in Providers

Look out for this file on your filesystem if you are running cPanel servers... it's pretty nasty

Comments

  • Is it a Perl script? What does it do?

  • jarjar Patron Provider, Top Host, Veteran

    Darn script kiddies. Thanks for the warning.

  • @Corey said: Look out for this file on your filesystem if you are running cpanel servers

    How does it get in?
    Normal, lazy didn't click "UPDATE NOW" on their web app?

  • jarjar Patron Provider, Top Host, Veteran
    edited November 2012

    Looking at some of this stuff, I need to spend some time on HF apparently. Some great tools I wouldn't mind running against my own stuff to catch any weak spots I may have overlooked. Always best to stay one step ahead of these people, and they make it so easy most of the time.

  • @bamn said: How does it get in?

    Normal, lazy didn't click "UPDATE NOW" on their web app?

    Any insecure place that they can upload this to... usually a script on a website on the server with a vulnerability.

  • Is this a symlink hack? So if you disabled symlinks on Apache, that should make the script ineffective, correct?

  • @jarland said: Looking at some of this stuff, I need to spend some time on HF apparently. Some great tools I wouldn't mind running against my own stuff to catch any weak spots I may have overlooked. Always best to stay one step ahead of these people, and they make it so easy most of the time.

    Good call.

    Here, many PHP disabled functions, fopen URL off, allow_url_include off, and a whole load of GotRoot & custom mod_security on this end.

    I try to keep up / download shells from recent failed XSS attempts in my mod_security audit log, then run them on a sandbox VPS against my own mod_security rules to see what would have happened had they been launched locally. Then I add more rules :)

  • joepie91 Member, Patron Provider

    @24khost said: Is this a symlink hack? So if you disabled symlinks on Apache, that should make the script ineffective, correct?

    No.

    As far as I can understand, the script will run through the userlist, and symlink all the known config files for each of those users. It then tars up the whole set of config files and presents this archive as a file.

    Disabling symlinks on Apache won't do a thing because:

    1. The script runs independently from Apache, so the archiving of the symlinked files is not hindered by the Apache config.
    2. The archive itself is an actual file and not a symlink, so it isn't blocked by Apache.
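
The symlink-and-tar behaviour joepie91 describes is something you can audit for from outside Apache as well. The following is an added example, not code from the thread or from the Sy_Conf script itself: a Python audit that walks every account under a cPanel-style /home and reports symlinks whose real target lies outside the account that holds them, flagging targets whose file name is in an assumed list of common config files. The config-file list and the sample directory layout are constructed for the example.

```python
import os
import sys
import tempfile
from pathlib import Path

# Config files an attacker would symlink for each account.
# This list is an assumption for the example, not taken from the script.
CONFIG_NAMES = {"wp-config.php", "configuration.php", "config.php",
                "settings.php", "LocalSettings.php", ".my.cnf"}


def find_cross_user_symlinks(home_root):
    """Walk every account under home_root (e.g. /home on cPanel) and return
    symlinks whose real target lies outside the home that contains them.

    Each finding is (user, link, target, is_config); link and target are
    relative to home_root when inside it, absolute otherwise."""
    home_root = Path(home_root).resolve()
    findings = []
    for user_home in sorted(p for p in home_root.iterdir() if p.is_dir()):
        user = user_home.name
        # followlinks=False: never descend through a symlinked directory,
        # so a loop planted by the attacker cannot hang the audit.
        for dirpath, dirnames, filenames in os.walk(user_home, followlinks=False):
            for name in dirnames + filenames:
                link = Path(dirpath) / name
                if not link.is_symlink():
                    continue
                # realpath resolves every component, so a chain of symlinks
                # or a link through a symlinked directory still lands on the file.
                target = Path(os.path.realpath(link))
                if target == user_home or user_home in target.parents:
                    continue  # stays inside the owner's own account; benign
                findings.append((
                    user,
                    _relative(link, home_root),
                    _relative(target, home_root),
                    target.name in CONFIG_NAMES,
                ))
    return sorted(findings)


def _relative(path, root):
    """Render path relative to root when it is inside root, else absolute."""
    try:
        return str(path.relative_to(root))
    except ValueError:
        return str(path)


def build_demo_tree():
    """Constructed sample /home layout (not a real server): three accounts,
    one of which (bob) holds planted symlinks to the others' config files."""
    root = Path(tempfile.mkdtemp(prefix="sy_conf_demo_"))
    (root / "alice/public_html").mkdir(parents=True)
    (root / "alice/public_html/wp-config.php").write_text(
        "<?php define('DB_PASSWORD', 'alice-secret');\n")
    (root / "carol").mkdir()
    (root / "carol/.my.cnf").write_text("[client]\npassword=carol-secret\n")
    sym = root / "bob/public_html/sym"
    sym.mkdir(parents=True)
    (root / "bob/public_html/index.php").write_text("<?php echo 'hi';\n")
    # absolute and relative links are both resolved the same way
    os.symlink(root / "alice/public_html/wp-config.php", sym / "alice-wp")
    os.symlink("../../../carol/.my.cnf", sym / "carol-mycnf")
    # in-account symlink: must not be reported
    os.symlink("index.php", root / "bob/public_html/ok")
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for user, link, target, is_config in find_cross_user_symlinks(root):
        flag = "CONFIG" if is_config else "      "
        print(f"{flag} {user}: {link} -> {target}")
```

Run it as root against the real tree (`python3 audit.py /home`); with no argument it builds the sample tree and reports bob's two planted links while ignoring his in-account symlink. Because it resolves the links itself instead of relying on Apache, it finds exactly the case joepie91 describes, where the symlinks are created and archived by a script and Apache's FollowSymLinks setting never comes into play.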
  • So this has to be uploaded and run as a shell script, correct?

  • joepie91 Member, Patron Provider

    @24khost said: So this has to be uploaded and run as a shell script, correct?

    Not as a 'shell script' per se - it's Perl after all. An exec() call in PHP, or basically any other way to get a Perl script to run, will do.

  • Ahhh okay. So besides scanning for the script and turning everything off, is there any way to block this script, other than mod_security?

  • Patrick Member
    edited November 2012

    Hello,

    Thank you for contacting MediaFire.
     
    We appreciate you reporting this file. After carefully reviewing the content, the file is in violation of our Terms of Service and was removed.
     
    We appreciate you bringing this to our attention.
     
    Sincerely,
    Charlie

    Regarding: http://www.mediafire.com/?r4kkj92ij77r1sf

  • jarjar Patron Provider, Top Host, Veteran

    Meh, I'll upload it if anyone wants it. If "they" have it, we might as well too.

  • @stormvz
    The script is still out there... you can't erase it from the internet.

  • Sign up on HF or even PacketStorm has some kiddie tools that show up on there.

  • I will upload it if anyone still wants it.
