
Thread: How to lock down c99 and massmailer scripts?

  1. #1
    Coastercraze's Avatar
    Coastercraze is offline Net Builder Legend
    Join Date
    Jan 2009
    Location
    Under powerlines
    Posts
    499
    Blog Entries
    3
    Thanks
    94
    Thanked 59 Times in 48 Posts

    How to lock down c99 and massmailer scripts?

    I've had a recent problem in which I got some random c99.php and a massmailer.php script sending spam like crazy.

    What are some things you would do to at least block the c99.php scripts? Also what would secure an images folder from being the target of one of these horrible attacks?
    Webmaster Forums
    Host Mist | Shared | Reseller | VPS | Dedicated
    Arcade Master - Rule the arcade!

  2. #2
    Will.Spencer's Avatar
    Will.Spencer is offline Retired
    Join Date
    Dec 2008
    Posts
    5,033
    Blog Entries
    1
    Thanks
    1,010
    Thanked 2,329 Times in 1,259 Posts
    Oh man... c99.php is bad stuff. It's most likely the result of a remote file inclusion vulnerability.

    The best ways to prevent RFI's are to secure weaknesses in the PHP interpreter:

    • Turn off register_globals
    • Turn off allow_url_fopen

    Of course, this may break some of your production scripts!

    Anyone who can plant c99.php on your server can delete all your data.

    Run a full backup immediately, then delete c99.php and find out how it was planted on your server.

    What script does that "images folder" belong to?
    Submit Your Webmaster Related Sites to the NB Directory
    I swear, by my life and my love of it, that I will never live for the sake of another man, nor ask another man to live for mine.

  3. #3
    weirdnessme is offline Newbie Net Builder
    Join Date
    Mar 2009
    Posts
    286
    Blog Entries
    1
    Thanks
    19
    Thanked 31 Times in 30 Posts
    c99 only works on safemode off, I think?

  4. #4
    Coastercraze is offline Net Builder Legend
    Quote Originally Posted by Will.Spencer View Post
    Oh man... c99.php is bad stuff. It's most likely the result of a remote file inclusion vulnerability.

    The best ways to prevent RFI's are to secure weaknesses in the PHP interpreter:

    • Turn off register_globals
    • Turn off allow_url_fopen

    Of course, this may break some of your production scripts!

    Anyone who can plant c99.php on your server can delete all your data.

    Run a full backup immediately, then delete c99.php and find out how it was planted on your server.

    What script does that "images folder" belong to?
    PHPBB, which is not really a big surprise to me since PHPBB always seemed to have issues in the past. Maybe that's why I use vBulletin on my most important sites...

    I had open_basedir restrictions on at the time of the hack, so that probably stopped any damage that I can see. I went through and checked each person's account and found nobody else had any c99 or NNN.php or c57.php or massmailer.php, just the one site.

    Here's what I've got in my disabled functions:
    symlink,proc_close,proc_open,popen,system,passthru,escapesshellarg,escapeshellcmd

    I was thinking of adding shell_exec to the mix. Anything else I should add to it?
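A runtime check for the php.ini settings named in posts #2 and #4, as an added example in PHP that is not from any poster. The list of process-spawning functions, the `allow_url_include` check and the sample values are this example's assumptions.

```php
<?php
// Process-spawning functions to look for; the list is this example's own choice.
const PROCESS_FUNCTIONS = ['exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open'];

function parse_disabled(string $raw): array
{
    // disable_functions is comma separated; trim stray spaces and drop empty entries.
    $names = array_map('trim', explode(',', strtolower($raw)));
    return array_values(array_filter($names, 'strlen'));
}

function audit_ini(array $ini): array
{
    $findings = [];
    foreach (['register_globals', 'allow_url_fopen', 'allow_url_include'] as $flag) {
        // ini_get() returns false for a directive this PHP version does not have.
        $value = strtolower((string) ($ini[$flag] ?? ''));
        if (in_array($value, ['1', 'on', 'yes', 'true'], true)) {
            $findings[] = "$flag is enabled";
        }
    }
    if ((string) ($ini['open_basedir'] ?? '') === '') {
        $findings[] = 'open_basedir is not set';
    }
    $disabled = parse_disabled((string) ($ini['disable_functions'] ?? ''));
    foreach (array_diff(PROCESS_FUNCTIONS, $disabled) as $fn) {
        $findings[] = "$fn is not in disable_functions";
    }
    return $findings;
}

function live_ini(): array
{
    $keys = ['register_globals', 'allow_url_fopen', 'allow_url_include',
             'open_basedir', 'disable_functions'];
    return array_combine($keys, array_map('ini_get', $keys));
}

// Constructed sample: the disable_functions list posted above; other values are assumed.
$sample = [
    'register_globals'  => '1',
    'allow_url_fopen'   => '1',
    'open_basedir'      => '/home/example/public_html', // placeholder path
    'disable_functions' => 'symlink,proc_close,proc_open,popen,system,passthru,escapesshellarg,escapeshellcmd',
];
foreach (['sample' => $sample, 'this server' => live_ini()] as $label => $ini) {
    echo "== $label ==\n", implode("\n", audit_ini($ini) ?: ['no findings']), "\n";
}
```

Run it through the same SAPI that serves the site, since command-line PHP often loads a different php.ini.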

  5. #5
    Will.Spencer is offline Retired
    Are you up to date (3.0.4) on phpBB?

    Are you up to date on any plugins that you're using with phpBB?

  6. #6
    Coastercraze is offline Net Builder Legend
    Quote Originally Posted by Will.Spencer View Post
    Are you up to date (3.0.4) on phpBB?

    Are you up to date on any plugins that you're using with phpBB?
    Yes, PHPBB is all up to date along with some plugins, so nothing in that area that I can tell of.

  7. #7
    Will.Spencer is offline Retired
    Why do you suspect phpBB is the source of the vulnerability?

  8. #8
    Coastercraze is offline Net Builder Legend
    Quote Originally Posted by Will.Spencer View Post
    Why do you suspect phpBB is the source of the vulnerability?
    Because the folder belonged to PHPBB, not to mention PHPBB has a tendency to stand out as a target for hackers.

  9. #9
    SippieCup is offline Unknown Net Builder
    Join Date
    Mar 2009
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I don't know much about phpBB besides the fact it seems very vulnerable.

    Anyway, is the upload folder for when people upload images as attachments to posts?

    If so, just modify the script which uploads the file to verify it is a .jpg/.png/.bmp/.gif etc. before continuing to upload.
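
One way to do the check suggested in post #9, as an added example in PHP that is not phpBB's code and not from any poster. The function names, the allowed-type map and the sample files are assumptions of this example; it decides from the file's bytes and picks the stored name itself instead of trusting the uploaded filename.

```php
<?php
// Detected MIME type => extension used on disk (this example's allow list).
const ALLOWED_IMAGES = [
    'image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif',
    'image/bmp'  => 'bmp', 'image/x-ms-bmp' => 'bmp',
];

// Returns the extension to store the file under, or null if it is not an accepted image.
function image_extension_for(string $path): ?string
{
    // Judge the bytes on disk; the client-supplied name and Content-Type are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!is_string($mime) || !isset(ALLOWED_IMAGES[$mime])) {
        return null;
    }
    // The image header must also parse.
    return @getimagesize($path) === false ? null : ALLOWED_IMAGES[$mime];
}

// $file is one entry of $_FILES; $destDir is the attachment folder (hypothetical names).
function store_image_upload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $ext = image_extension_for($file['tmp_name']);
    if ($ext === null) {
        throw new RuntimeException('not an accepted image');
    }
    // Server-chosen name: the uploader's filename and extension never reach disk.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Constructed samples: a 1x1 GIF, and harmless PHP text labelled as if it were a photo.
$samples = [
    'pixel.gif' => base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'),
    'photo.jpg' => "<?php /* constructed placeholder, no payload */ ?>\n",
];
foreach ($samples as $label => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    echo $label, ' => ', image_extension_for($tmp) ?? 'rejected', "\n";
    unlink($tmp);
}
```

A file can be a valid image and still carry PHP text, so the content check works together with the server-chosen extension and with configuring the images folder so the web server does not execute PHP from it.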
