[nycphp-talk] [OT] XSS, Joomla & Remote Shells
inforequest
1j0lkq002 at sneakemail.com
Fri Jun 29 03:18:29 EDT 2007
Ben Sgro (ProjectSkyline) ben-at-projectskyline.com |nyphp dev/internal
group use| wrote:
> Hello again,
>
> I've always had an interest in security. Not too long ago a friend was
> looking
> into deploying joomla for a client. He's a pentester/researcher for a
> very well
> educated and influential firm = ] , so he had to make sure it was
> going to be secure.
>
> He started researching and found that many joomla installs had/have
> been comprimised
> via XSS attacks.
>
> Today, he posted the link of a site that had been owned by XSS and the
> crackers installed this
> web based backdoor script.
>
> I grabbed the script and included it here
> http://www.projectskyline.com/phplist/r57shell.txt
> to show PHP developers AGAIN how important security is and give us an
> inside look at
> some of the tools our enemies are armed with.
>
> For those that deploy joomla, this is especially something to watch for.
> For everyone else, just something to checkout.
>
> You'll notice this script enables:
>
> - Mail to be sent out (w/or w/out files attached)
> - Commands to be run.
> - Search for SUID, writable directories, files, tmp files., .(files) ...
> - Outgoing connections to be established
> - Some kind of IRC implementation
> - SQL to be run
> - Files can be downloaded and uploaded
> - and much, much more.
>
>
> - Ben
>
Perhaps most interesting about that r57shell is that it quietly
remotely logs its own use. So in addition to the use as a backdoor shell
script, it becomes a beacon for compromised systems - the tool maker
gets a notice of every IP compromised by the tool when used by others.
To quote full disclosure, "they [the script authors] can 0wn everything
you 0wned...Trust no one... write your own tools."
http://seclists.org/fulldisclosure/2006/Sep/0083.html
--
-------------------------------------------------------------
Your web server traffic log file is the most important source of web business information available. Do you know where your logs are right now? Do you know who else has access to your log files? When they were last archived? Where those archives are? --John Andrews Competitive Webmaster and SEO Blogging at http://www.johnon.com
More information about the talk
mailing list