
[nycphp-talk] [OT] XSS, Joomla & Remote Shells

Ben Sgro (ProjectSkyline) ben at projectskyline.com
Thu Jun 28 20:44:13 EDT 2007


Hello Jon, 

Great points.

  I think an even worse attack would be what happened to WordPress not too long ago, the code itself on the distribution servers was tinkered with.

Wow, that's really awful. Didn't know about that.


  It's a little unfair to point out XSS as being only a Joomla issue.

I didn't mean to say Joomla only has XSS problems...in fact, I don't think I did.

I've used snort in the past, and tripwire. I find snort tough, because you have to keep
up w/the signatures, and thus it requires time and attention. In a small company such
as mine, I'd love to set it up, but I don't have the time to monitor and adjust it.

Plus, snort is not the end-all be-all. It's signature-based detection, and as far as I know
doesn't address polymorphic code. But snort is a key part of an overall strong detection
system.

Great link BTW, I haven't messed w/snort in years.

- Ben

Ben Sgro, Chief Engineer
ProjectSkyLine - Defining New Horizons

  ----- Original Message ----- 
  From: Jon Baer 
  To: NYPHP Talk 
  Sent: Thursday, June 28, 2007 8:18 PM
  Subject: Re: [nycphp-talk] [OT] XSS, Joomla & Remote Shells


  I think an even worse attack would be what happened to WordPress not too long ago, the code itself on the distribution servers was tinkered with.  It's a little unfair to point out XSS as being only a Joomla issue.  It happens to any software that lingers past even a single minor 0.1 upgrade, including C libraries and such.


  The bottom line is if you are shared hosting you are leaving "security" in the hands of your ISP period.  If you are running your own boxes and don't have things like Tripwire or Snort running you are going to be unaware of such attacks anyway.  


  One of the better ways to keep up on it is to monitor files like Bleeding Edge for software you are running ...


  http://www.bleedingsnort.com/bleeding-web.rules


  - Jon 


  On Jun 28, 2007, at 3:21 PM, Ben Sgro (ProjectSkyline) wrote:


    Hello again, 


    I've always had an interest in security. Not too long ago a friend was looking 
    into deploying joomla for a client. He's a pentester/researcher for a very well
    educated and influential firm = ] , so he had to make sure it was going to be secure.


    He started researching and found that many joomla installs had/have been compromised
    via XSS attacks.


    Today, he posted the link of a site that had been owned by XSS and the crackers installed this
    web based backdoor script.


    I grabbed the script and included it here http://www.projectskyline.com/phplist/r57shell.txt  
    to show PHP developers AGAIN how important security is and give us an inside look at
    some of the tools our enemies are armed with.


    For those that deploy joomla, this is especially something to watch for.
    For everyone else, just something to check out.


    You'll notice this script enables:


    - Mail to be sent out (w/or w/out files attached)
    - Commands to be run.
    - Search for SUID, writable directories, files, tmp files, .(files) ...
    - Outgoing connections to be established
    - Some kind of IRC implementation
    - SQL to be run
    - Files can be downloaded and uploaded
    - and much, much more.




    - Ben


    Ben Sgro, Chief Engineer
    ProjectSkyLine - Defining New Horizons

    _______________________________________________
    New York PHP Community Talk Mailing List
    http://lists.nyphp.org/mailman/listinfo/talk


    NYPHPCon 2006 Presentations Online
    http://www.nyphpcon.com


    Show Your Participation in New York PHP
    http://www.nyphp.org/show_participation.php




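A defender-side illustration of the Tripwire-style file-integrity check Jon mentions, added here as an example; it is not code from either poster or from Tripwire itself. The toy web root, file names and "tampering" in demo() are constructed; a dropped backdoor like the script Ben linked shows up as an added .php file, a modified core file as changed.

```python
import hashlib
import os
import tempfile

# Added example (not from the thread): baseline a web root by hashing every
# file, re-scan later, and report what was added, changed or removed.

def hash_file(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def snapshot(root: str) -> dict:
    """Map each file's path (relative to root, '/' separators) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result

def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; every list is sorted so the output is stable."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current
                     if p in baseline and current[p] != baseline[p])
    return {"added": added, "changed": changed, "removed": removed}

def suspicious_additions(report: dict, exts=(".php", ".phtml", ".php5")) -> list:
    """New files with a server-executable extension deserve immediate attention."""
    return [p for p in report["added"] if p.lower().endswith(exts)]

def demo() -> dict:
    """Constructed scenario: baseline a toy site, then simulate a drop and an edit."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'site'; ?>\n")
        baseline = snapshot(root)
        # constructed changes: a new script in an upload dir, a core file edited
        with open(os.path.join(root, "images", "new.php"), "w") as f:
            f.write("<?php /* placeholder */ ?>\n")
        with open(os.path.join(root, "index.php"), "a") as f:
            f.write("// edited\n")
        report = compare(baseline, snapshot(root))
        report["suspicious"] = suspicious_additions(report)
        return report
```

In practice the baseline would be written to read-only or off-host storage right after a clean install or upgrade, and the comparison run from cron.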