Hacked for the last time I hope!!!

rr1024

Hope you don't mind if I pop off one here but I am so freaking sick and tired of these FU*&#$^&# Hackers uploading their shell.php file....I think the jerk who created that files needs to be hunted down, wild, wild west style!:mad: :mad: :mad: I think they should make it a federal offence with lifetime jail and NO CHANCE of getting out ever!

Any way I've created a perminate safety net cure I think if anyone is interested, it's a single page script that runs on Cron

You add the directories you want protected from hostile file uploads and the type of files allowed in that directory and script scans the directory every XXX of the cron if it finds a file type it renames the file with a txt extention or you and modify it to automatically delete the file and then it emails you the directory and file etc...

Anyway sorry for the vent 🙂

etully

I don't understand... you permit file uploads and you don't check them during the upload? You permit file uploads and you let people access the files they upload via a web browser? Why aren't you uploading the files to a directory outside the web tree? Or at the very very least prohibiting files with a PHP extension?

Cron is not the right solution because it can take up to sixty seconds before the file gets cleaned up. A hacker only needs about 10 seconds to do their damage.

Until you clean that up, you're just going to get hacked again.

Piranha

I think that you need to take a step back to see what the actual problem is. It could be one or more of the following, but it could of course be something else.

The file shell.php (and other files) exists.
Someone want to upload the file shell.php (or other files) to your server
Someone want to runs the file shell.php (or other files) on your server
Some people think it is fun to crack sites
You allow people to upload the file shell.php (or other files) to your server
You allow people to run the file shell.php (or other files) to your server

I would say that all of the above is a problem. Next step is to decide what you can't control and what you can do something about. The 4 first things above is not possible to do something about, but you can do something about the 2 last things.

Now the next thing is how you can solve the problem. The current "solution" is not a good one since it gives a cracker plenty of time to do what they want. When it comes to computers a second is an eternity, so is 1/100 of a second. Sure, some of the less advanced people will not be able to hack your site if you run the CRON once a second. But then it is not those people that you have to worry about, they are not advanced enough to have time to make much damage.

Instead you should try and stop the people that can do anything in a millisecond or less, and the only way is to stop them from either upload the file to your site or stop execution of the script.

rr1024 wrote:
Hope you don't mind if I pop off one here but I am so freaking sick and tired of these FU*&#$^&# Hackers uploading their shell.php file....I think the jerk who created that files needs to be hunted down, wild, wild west style!:mad: :mad: :mad: I think they should make it a federal offence with lifetime jail and NO CHANCE of getting out ever!

And I think it should be an offence to make code that is so sloppy that it allow these simple ways of hacking. No jail, but a ban from setting up scripts until the offender have learned to program with security first. Don't get me wrong, the problem is crackers. But it is people that don't defend against them that give programmers and PHP bad reputation.

MarkR

It is naive to assume that the creator of shell.php is responsible or to blame for this intrusion.

There are two people who you should blame:

The script kiddies who installed shell.php
Your web site developers for creating an application sufficiently insecure that it allowed it to be installed.

Of course following every proven intrusion you should take the following steps:

Power off the affected system(s) to prevent them being used to attack others
Review your backups, to ensure that they have not been affected by unauthorised modifications.
Validate all your data for unauthorised modifications (from your backups)
Identify the security hole, if possible, which was used to make the intrusion.

Then you can

Restore the web site on a secure, non-public area with fresh source code taken from your source code control system which could not have been affected - include the fix(es) for the security holes.
Restore your cleaned, validated data to this system
Check that everything works
Change all passwords on this system
Make this site live again
Notify the users as appropriate (of their new passwords or the new password mechanism)

Doing less than this is naive in the extreme.

If you remove shell.php without fixing the problem which allowed it to be created, you are still vulnerable.

If you fix the vulnerability without validating all other software on the machine and resetting all passwords, you are potentially allowing the attackers back in through other back doors they have created or passwords they obtained.

In the case of a shared host, they should be notified immediately and all other sites which share the host should take similar steps.

Mark

dalecosp

bradgrafelman wrote:
Just to point out a misuse of terms... in my opinion, using this cron job method of search-and-destroy isn't a solution in any way. A solution would be finding where your site is vulnerable and patch up that poor bit of coding.

This cron business seems more like a workaround, i.e. you avoid the actual problem and just hope to clean up the mess after the vulnerability is used.

You should send this to Microsoft, Norton, McAfee, etc.

Replace "cron" and "cron job" with the appropriate terms.

:evilgrin:

LordShryku

Thank you for contacting Micronorfee. Rest assured, we value your opinion and will investigate this issue. Thank you for your continued support of Micronorfee products. Have a wonderful day!

:evilgrin:

Weedpacket

Who was that masked man?
The paradox of asking a man in a mask who he is...

dalecosp

Hmm, dunno .... Johnny Depp in drag?

piersk

Hugo Weaving?

Roger_Ramjet

Well, shell.php was a new one to me so I googled it and page 1 led me to w4ck1ng.com where they are discussing how to upload it as a *.jpg file on php gallery hosts then editing their home page to rename and include it. :eek:

Now, the guys who wrote shell.php had a very worthwhile objective when they did so, grant yourself shell access when your hosts does not, but in doing so they unleashed a demon. :evilgrin:

How you beat this one is another question 😕 and one that needs to be answered asap.

piersk

I also did a search for shell.php and came one of the results was this: http://www.webhostingtalk.com/showthread.php?p=4495867

haven't really looked into it, but it seems to be making good logic...