My Site was hacked by C99 shell

Are you sure your upload script was the way the script got onto your server in the first place?

yes, the server has only one script and its the upload script and found the shell in upload directory

You may want to consider this possibility.

http://en.wikipedia.org/wiki/Remote_File_Inclusion

the uploaded shell was on my server and has changed by all rules in upload script, the name of script was changed like all files uploaded to server, so the shell come from uploading server not remotly

One simple check is checking the extension, the second a grep search in the file for <?php. Not sure what your permission were, but do not set them above 755.

What ever the case maybe, I can guarantee you that your validation has a hole in it somewhere. Obviously it would be impossible for us to tell you where with out seeing it ourselves.

You might also consider doing these in your script in addition to what you are already doing.

• Check the referrer in your upload script to make sure it is my own domain accessing it.
• Change the name of the file after it has been uploaded to your server.

I check the mime type of file , is that not enough ??
then I'll make a second check for extension.
I have change the filename to somthing long and difficult to guess.

then I'll make a second check for extension.

I check the mime type of file , is that not enough ??

Someone was able to put a file up on your server. It is obvious that it was not enough.
When you are dealing with external users that can interact with you scripts, you can never have enough security.

then my first step is to make another check function for extension.
next what should i do to secure my site, is there any security check to do ?

Yeah, if you have any code in your script that looks anything like this, change it.

<?php
   if (isset( $_GET['image'] ) ){
      include( $_GET['image'] . '.php' );
   }
?>

all my included files are not variables.
all my form inputs are protected by special function to add slashed and remove unwanted charachters

Hello,

can you post the codes of your form processor? Is it $_POST, $_GET, or the vulnerable $_REQUEST?, did you add allowed exensions filtering mechanism prior to calling move_uploaded_file function? as in

function get_ext($file){
$ext_allowed = array('jpg', 'jpeg','gif', 'bmp', 'png') ;
$ext = substr($file, strrpos($file, '.') + 1);

/*
* This will return a bolean true or false based on the extension of the uploaded file
*/
return(array_search($ext, $ext_allowed));

}

Don't rely on javascript to check for your allowed extensions. I suspect this hack occured remotely... check your form processor.

If you are in shared hosting, maybe one of your neighbor got hacked also. Not certainly positive on this, until we can view your codes..

If you store images as blob data - this can be problematic as some 'image files' can actually just contain php code. You may be able to detect with exif_imagetype() as extension checking is not reliable.

Also have a look at any ajax or include files that may allow direct access to db writing.

my site dont have any javascript or ajax requests, all validation done in php files.
but my mistake is checking the mime type for files not thier extension, so I think this was my fault.
I'll try to add check extension function additional to mime type, and hope not to be hacked again.

Here is a good reading about this so called phpc99 shell malware.. I guess what I have suggested above is no match with this malware..

I read this article and thats why am worried :(, am doing additional check for uploaded files
and hope this child ( hacker ) won't come to me again.

I hope so too. They hacked your site from a remote location. Actually, he targeted your server and not your site. He was able to extract all of your server credentials, and then work his way around the backdoor. You should contact your host and let them know about the shell attacked that took place in your site. They should have some security measures in dealing with this type of attack.

The younger the person learned how to write programs the better they become. However, just like any teenagers, we can deal with them either positively or negatively. I prefer the positive re-inforcement though, because these kind of kids are super brainy , and have so much potential in contributing to technology in the near future.

I hope he is done and satified on the results of his showing off his ability to code. This is one of those occasion where they want attention and bragging rights. They hate to be referred to as kid, and they want to be threaded as 16 years old inspite of the fact that they are only 15 1/2. Normally, this craving of attention will go away before they hit 16. I'm sure we will not be seeing any version 3.0 of this malware, because by the time he is done with it he has already found something useful and more important to focus his attention , like writing his own CMS applications.. or even bigger.

I know one kid ( and he is just around the corner :) ) who once got in trouble in doing the "for fun only, because I am capable of doing anything." type of hacking ( only in a much bigger proportion), but was not punished, instead was sent to Ivy league Universities where his brain can find more academic challenges to create something useful for us all. I'm sure this hacker kid will grow up as a responsible and more willing to help in preventing this type of things from happening against another kid hacker who is already born today and just waiting for his turn to prove himself to the world and telling the world that he can also do anything.

This is the fourth time I looked into a source code of a kid hackers, and what really amazes me is that.. all of them have the same logic organization in their codes. Similarly, they are parenthesis obsessed, they would normally cascades their statements as long as they possibly can, they are extremely proficient in file manipulation and array executions, they prepare their arrays in an identical pattern, and are super profecient in using the references function of PHP

&
// they always use $_REQUEST to catch your form processor off=guard..

I hope that one kid from the around the corner (my friend :)) will visit us today and post something about his thoughts about his works when he was 14 paired against c99 shell .. What is wrong with being 14, it seems that these genuises wants to be independent alredy?

In addition to previous suggestions, you can mitigate the problem by adding an .htaccess file to the directory in which are hosted the images and specify to treat them with the default handler for static files:

SetHandler default-handler

If you upload a php file to this directory and try to open it, this will not be executed but downloaded as a simple file. Another measure is to add this line to the .htaccess file:

php_flag engine off

@cereal Thats the problem, I've contact the host for enabling htaccess and he refused, he said its contain security issues, the first thing I did is putting htaccess file in upload folder.
that was my code

RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3
php_flag engine off

but it never worked because htaccss files disabled :(

Ok am wondering how did he activate the shell ?? the files when uploaded, first thier names changed to custom name, and files still not active untill admin activate them, how did he can know the path to shell file ? I prevented the folder from being show in browser by putting empty index.html

As suggested by pritaeas:

Are you sure your upload script was the way the script got onto your server in the first place?

For example from ftp? Have you tried to change user and password? Do you know if PUT is enabled? Can you show your code? Also since they don't want to enable .htaccess support I would consider to change the hosting service.

Hello guys sorry for late in response but I was very busy with this hacking thing,. to be in picture I work in ISP company and all servers are in our company so am not a website client , we installed mod_security and disabled many functions as I read in the sites, installed htaccess and wrote the roles for preventing uploading some file or disable php function in specific folder, Now I need somthing to know.

• What else can I do to make the server more secure ?
• and I need a function to get the private IP not real for visitor, because I knew the real IP for hacker.
• and what is the best chmod permission to be given to upload folder ?

Hi,

Two doors where the shell hack can take over the server.

1. First, the ftp credentials of the server users where maliciously stolen from the PC. For example, sitemanager.xml of filezilla is an easy target because it is just a text file that can be grab and send to the trojan executioner.

2. Second, entry by force and slow cooking. This method is used along with the cURL remote form spoofing. What happened here is that they create an alpha numeric array base e.g. A, a, B, b, C, c, 1,2,3,4,and the list goes on., they go to the target site and attempt a fake registration just to find out how many characters, what type of characters are allowed for a password, they look around to the site and look for any valid registered users e.g. admin. Once they find all these info., they feed the cURL with the random alphanumeric combination using your own password control. They continue to do this process in loop for X^n where x is the sum of alpha numeric in the array and n = x/no. of minimum and maximum password characters required.

something like this, but I am not going to make the code even near to a working codes..

$pass_array = array(## all possible allowed alha-numeric ##);
$pass_cCount = 12; ## minimum

$generate_fake_password = randomized_array($pass_array,$pass_cCount);

$gnenrate_md5_pass = md5($generate_fake_password);

The expected output of the above script is feed to the cURL as password e.g.

$y = 0;
while($y<= 10000000000){

    ## do this nasty stuffs until server give-up

    }

You must be aware also that all error response by the target server are recorded as text file, for further analysis. So, a prompt like password must be be 10 characters long and should be a mixture of letters and 2 number and 1 special characters is a bad practice in processing form. You do not announce, but use the javascript hint instead..The same is true when processing the form for the database inclusion, we don't want any error announcement, but just redirect the user as needed to redo the registration process over.

Another ways of uploading php files to a server is a weak form processing technique..

How to prevent it on the server side? As a server administrator, protecting those source codes and programs in your server is your responsibility, you are also responsible for making sure that your server is in Top Shape security wise at all times. You must be aware that php applications are not created equal.Some have a paranoid security filters, and some don't have any. Keeping this scenario in mind, you must device a security design that will prevent any anomaly from crossing over partition or account bounderies.

What security available to you as a server Administrator?
1. There is one open source that has been proven with effeciency. This application is called "Brute Force", you can install this to your server and the brute method using cURL above can be minimized tremendously. What this application will do is to kick-out any multiple login attempts (failed).. this apps will also serve as a watch dog for both the ftp, mysql, and cpanel connection. So, if someone attempt to login to any cpanel account, but failed a few times, that IP or account is forced out.. including the ftp connection attempt from the very same IP where the failed cpanel occured or coming from. The IP will be temporarily banned for making any page request from server, until this IP is cleared.

1. Advice your user to regularly scan their computer for trojans and malware..

Script Security?
This is pretty much the responsibility of the coders, programmers, and developers or whatever they call themselves. PHP practitioners comes in many different levels, so as the security concerns and practices significantly varies among this group. It is their job to make their application secure, while your job is to make your server secure and NOT allowing any compromised partition to spread beyond its bounderies..

Htaccess approach?
In most cases this will work in an isolated area, but blocking an IP range is a generalization of all IPs coming from that network.. e.g. 192.25.3.0 to .88 is a pretty huge area to disallow.

I strongly recommend Brute Force, 3 fails and you are out is pretty good policy... I think :)

Thanks for these informations, Appreciate your help guys.

I had an experienec some time ago exactly like this but my issue was the low password, that teached me a lesson :)

I have Brute Force installed on server but really I don't know what is the best configuration for it
every thime I activate it I see 403 error page
here is my configration

DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 100
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10

What is wrong with being 14, it seems that these genuises wants to be independent alredy?

That is to say it isn't China! China is all up in our grill these days!

The problem could be also MySQL, if the bind-address is not on 127.0.0.1 or the firewall is not setted properly, then an attacker can perform a bruteforce, gain access and use mysql shell to read and write files to the system, something like for example:

select "<?php echo 'hello'; ?>" INTO OUTFILE "/var/www/test/hack.php"

This works even as SQL Injection, this is why I asked you to post your code..