How to lock down c99 and massmailer scripts?

**Coastercraze** · 17 March, 2009, 05:07 AM

I've had a recent problem at which I got some random c99.php and a massmailer.php script sending spam like crazy.

What are some things you would do to at least block the c99.php scripts? Also what would secure an images folder from being the target of one of these horrible attacks?

**Will.Spencer** · 17 March, 2009, 05:21 AM

Oh man... c99.php is bad stuff. It's most likely the result of a remote file inclusion vulnerability.

The best ways to prevent RFI's are to secure weaknesses in the PHP interpreter:

Turn off register_globals
Turn off allow_url_fopen

Of course, this may break some of your production scripts!

Anyone who can plant c99.php on your server can delete all your data.

Run a full backup immediately, then delete c99.php and find out how it was planted on your server.

What script does that "images folder" belong to?

**weirdnessme** · 17 March, 2009, 05:53 AM

c99 only works on safemode off i think ?

**Coastercraze** · 18 March, 2009, 03:21 AM

Originally Posted by Will.Spencer

Oh man... c99.php is bad stuff. It's most likely the result of a remote file inclusion vulnerability.

The best ways to prevent RFI's are to secure weaknesses in the PHP interpreter:

Turn off register_globals
Turn off allow_url_fopen

Of course, this may break some of your production scripts!

Anyone who can plant c99.php on your server can delete all your data.

Run a full backup immediately, then delete c99.php and find out how it was planted on your server.

What script does that "images folder" belong to?

PHPBB which is not really a big surprise to me since PHPBB always seemed to have issues in the past. Maybe that's why I use vBulletin on my most important sites...

I had open_basedir restrictions on at the time of the hack so that probably stopped any damage that I can see. I went through and checked each person's account and found nobody else had any c99 or NNN.php or c57.php or massmailer.php just the one site.

Here's what I've got in my disabled functions:
symlink,proc_close,proc_open,popen,system,passthru ,escapesshellarg,escapeshellcmd

I was thinking of adding shell_exec to the mix anything else I should add to it?

**Will.Spencer** · 18 March, 2009, 13:05 PM

Are you up to date (3.0.4) on phpBB?

Are you up to date on any plugins that you're using with phpBB?

**Coastercraze** · 20 March, 2009, 01:40 AM

Originally Posted by Will.Spencer

Are you up to date (3.0.4) on phpBB?

Are you up to date on any plugins that you're using with phpBB?

Yes PHPBB is all up to date along with some plugins, so nothing in that area that I can tell of.

**Will.Spencer** · 20 March, 2009, 01:54 AM

Why do you suspect phpBB is the source of the vulnerability?

**Coastercraze** · 23 March, 2009, 05:08 AM

Originally Posted by Will.Spencer

Why do you suspect phpBB is the source of the vulnerability?

Because the folder belonged to PHPBB not to mention PHPBB has a tendency to stand out as a target for hackers.

**SippieCup** · 24 March, 2009, 07:17 AM

i dont know much about phpBB besides the fact it seems very vulnerable.

anyway, is the upload folder for when people upload images as attachments to posts?

if so, just modify script which uploads the file to verify it is a .jpg/.png/.bmp/.gif and etc before continuing to upload