Protect Against Shell Script Hacks

While browsing through Technorati, I just stumbled on a post about a shell script attack. It seems the poor chap got a shell script uploaded to his server, and the attacker used it to create a bunch of bogus files full of hyperlinks.

The original post has some header information about this particular hack (a modified c100 shell), as well as a link to some search results about the file. I looked through the source code for the shell script and tested it out on my local server - getting some link-filled files is the least that this script could do.

Once the script is loaded on your server, anyone can access it remotely and have full access to your system.

The script allows you to navigate through the server’s directories like any remote file-manager. I noticed that it could even go up out of the web server root and into my local folders as well.

The script gathers up all the details on your computer - like operating system build, running processes, IP address, etc. The user can run shell commands, create files, upload files, and do other kinds of nasty things.

It would be pretty easy for someone to use this to find the MySQL username/password, hack your database, do whatever they want, and pretty much wreck your entire site. Or worse, they could use this to do some nasty things to the server itself - potentially wrecking other people’s sites.

So how do you protect against this? Well, I’m not sure what you would do to protect against the shell script once it’s loaded up. It looks like it’s built to bypass most security precautions and give the hacker access to whatever he or she wants.

Your best bet is to be vigilant in restricting front-end uploads to your site. If you’ve got an upload script, be sure you restrict what file extensions can be uploaded.

This script needs to be named with a file extension that is read as PHP - so you should never allow users to upload PHP files (or HTML files, if you set up your server to execute those as PHP).

Being more restrictive is better than less restrictive - so ban all file extensions except the ones you know are safe. So, for example, you might allow “.jpg, .gif, .png” for pictures, and “.doc, .odt, .pdf, .txt, .rtf” for documents.
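The allowlist described above, as an added example that is not code from the original post. The helper name `safe_upload_name()` and the sample filenames are assumptions; the extension list is the one given in the paragraph above. It also rejects multi-part names such as `shell.php.jpg` and stores accepted files under a random name.

```php
<?php
declare(strict_types=1);

// Allowlist taken from the article's examples; everything else is rejected.
const ALLOWED_EXTENSIONS = ['jpg', 'gif', 'png', 'doc', 'odt', 'pdf', 'txt', 'rtf'];

/**
 * Returns a safe stored filename for an upload, or null if it must be rejected.
 * safe_upload_name() is a hypothetical helper, not part of any library.
 */
function safe_upload_name(string $clientName): ?string
{
    // Reject control characters, including NUL bytes used to truncate names.
    if (preg_match('/[\x00-\x1f]/', $clientName)) {
        return null;
    }
    // Drop any path components the client sent (e.g. "../../index.php").
    $base = basename(str_replace('\\', '/', $clientName));

    // Reject trailing dots or spaces, which some filesystems silently strip.
    if ($base !== rtrim($base, '. ')) {
        return null;
    }
    $parts = explode('.', strtolower($base));
    if (count($parts) !== 2 || $parts[0] === '') {
        // No extension, a dot-file like ".htaccess", or a multi-part name
        // like "shell.php.jpg", which some server configs still run as PHP.
        return null;
    }
    if (!in_array($parts[1], ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    // Store under a random name so the client-chosen name never reaches disk.
    return bin2hex(random_bytes(16)) . '.' . $parts[1];
}

// Constructed sample names, not taken from the original incident.
$samples = ['holiday.JPG', 'report.pdf', 'c100.php', 'shell.php.jpg',
            'shell.pHp', '.htaccess', '../../index.php', 'notes.txt.', 'readme'];
foreach ($samples as $name) {
    printf("%-18s => %s\n", $name, safe_upload_name($name) ?? 'REJECTED');
}
```

Only `holiday.JPG` and `report.pdf` are accepted; in a real handler the returned name would be the destination passed to `move_uploaded_file()`.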

If you’ve got any other suggestions for security against this sort of thing, please comment away. Otherwise, take a look at the script so that you are aware of what it can do.



One Comment to “Protect Against Shell Script Hacks”

  1. cocaman said this on

    yep, you are right. the tool/script is very powerful and worked on many servers.

    i thought about disallowing the uploading of php-files, but i have decided to just not allow php files to be executed in the upload directory and any other directories where php files should not run. hope this helps :-)
