Sy_Conf

Corey

Look out for this file on your filesystem if you are running cpanel servers.... it's pretty nasty

Patrick

Is it perl script? What does it do?

jar

This? http://www.mediafire.com/?r4kkj92ij77r1sf

Corey

@jarland said: This? http://www.mediafire.com/?r4kkj92ij77r1sf

Yes.

jar

Darn script kiddies. Thanks for the warning.

bamn

@Corey said: Look out for this file on your filesystem if you are running cpanel servers

How does it get in?
Normal, lazy didn't click "UPDATE NOW" on their web app?

jar

Looking at some of this stuff, I need to spend some time on HF apparently. Some great tools I wouldn't mind running against my own stuff to catch any weak spots I may have overlooked. Always best to stay one step ahead of these people, and they make it so easy most of the time.

Corey

@bamn said: How does it get in?

Normal, lazy didn't click "UPDATE NOW" on their web app?

Any insecure places that they can upload this.....usually a script on a website on the server with a vulnerability.....

24khost

Is this a sym link hack? So if you disabled sym links on apache that should make the script in effective correct.

Kris

@jarland said: Looking at some of this stuff, I need to spend some time on HF apparently. Some great tools I wouldn't mind running against my own stuff to catch any weak spots I may have overlooked. Always best to stay one step ahead of these people, and they make it so easy most of the time.

Good call.

Here, many PHP disabled functions, fopen URL off, allow_url_include off, and a whole load of GotRoot & custom mod_security on this end.

I try to keep up / download shells from recent failed XSS attempts in my Mod_Security audit log, then run them on a sandbox VPS against my own mod_sec rules to see what would have happened would it have been launched locally. Then I add more rules

joepie91

@24khost said: Is this a sym link hack? So if you disabled sym links on apache that should make the script in effective correct

No.

As far as I can understand, the script will run through the userlist, and symlink all the known config files for each of those users. It then tars up the whole set of config files and presents this archive as a file.

Disabling symlinks on Apache won't do a thing because:

1. The script runs independently from Apache, so the archiving of the symlinked files is not hindered by the Apache config.
2. The archive itself is an actual file and not a symlink, so it isn't blocked by Apache.

24khost

so this has to be uploaded and run as a shell script correct?

joepie91

@24khost said: so this has to be uploaded and run as a shell script correct?

Not as a 'shell script' per se - it's Perl after all. An exec() call in PHP, or basically any other way to get a Perl script to run, will do.

24khost

ahhh okay. So besides scanning the script and turning everything off is there anyway to block this script, other than mod_security.

Patrick

Hello,

Thank you for contacting MediaFire.
 
We appreciate you reporting this file. After carefully review the content, the file is in > violation of our Terms of Service and was removed.
 
We appreciate you bringing this to our attention.
 
Sincerely,
Charlie

Regarding: http://www.mediafire.com/?r4kkj92ij77r1sf

jar

Meh, I'll upload it if anyone wants it. If "they" have it, we might as well too.

Corey

@stormvz
The script is still out there... you can't erase it from the internet.

bamn

Sign up on HF or even PacketStorm has some kiddie tools that show up on there.

ErawanArifNugroho

I will upload id if anyone still want it