Hello guys, I ran a free image upload script and today I noticed someone uploaded a file named xxx.php.jpeg, and when I launched the image I saw this main page with the title "c99 v0.0.1 SYN-MOD [SYNSTA]", followed by all kinds of commands which allow me to change CHMOD etc. May I know what this is? How harmful could it be? What can I do to protect my site from attack? (image hosting)
From what it sounds like, you ran a script with a backdoor in it. I did a search on Google for 'c99 v0.0.1 SYN-MOD [SYNSTA]' and found quite a few sites with the same file, which allowed remote command execution, FTP brute forcing, among other things. I would first remove your image hosting script. Be sure to check your other files to make sure that they were not tampered with in any way. If you do nothing else, remove the script that is displaying the file that is displaying the main page. Also check your database to make sure there is nothing foreign in there. I presume you are hosted on a shared account, or reseller, and do not have your hosting running as root or on an administrative account, therefore I wouldn't worry too much about a complete system takeover. For future reference, make sure the software you are installing is reputable. Google it if you have any worries. All in all, I would try and fix this as soon as possible.
Thanks a lot!! The sad thing is that it is hosted on my dedicated server. However, I immediately removed the script, but I have not removed the site yet. What can I do now to prevent them from taking the whole server?
It's a PHP shell. You have to fix your upload code, and also remove execute permission for your upload directory.
You need to validate uploaded files before moving them to the upload directory. For example, you can check the image information of the file being uploaded, and if it's corrupt you halt processing. If you need help, I can do so for a small fee, fixing your code and securing your directories.
Thanks codeassist for the tips. What else could I do? Currently, I validate it by checking the last extension of the file. I noticed that the script used ended with .pjpeg, so I disallowed that. Any tips appreciated.
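The replies above point at two separate measures: validating the uploaded file's actual content rather than its name, and making sure the upload directory cannot execute anything. The following is an added example, not code from anyone in this thread, showing how a PHP upload handler can do the first part. It assumes the form field is named `image`, that `$uploadDir` is a directory the web server can write to but has PHP execution disabled for, and that the GD and fileinfo extensions are available. Note that checking only the last extension is not enough on its own: on an Apache server where PHP is mapped with `AddHandler`, a name like `xxx.php.jpeg` can still be handed to the PHP interpreter, which matches what the original poster saw. The validator therefore rejects double extensions, sniffs the real MIME type, parses the image header, and re-encodes the image so that any bytes appended after the image data are thrown away before the file is stored under a server-chosen random name.

```php
<?php
// Added example (not from the thread): validate an image upload before it is
// stored. Assumes GD + fileinfo extensions and PHP 8 (for match expressions).
declare(strict_types=1);

// Allowed real MIME types and the extensions permitted for each.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => ['jpg', 'jpeg'],
    'image/png'  => ['png'],
    'image/gif'  => ['gif'],
];
const MAX_UPLOAD_BYTES = 5 * 1024 * 1024;

/**
 * Validate an uploaded file and write a re-encoded copy into $uploadDir.
 * Returns the stored path; throws RuntimeException on any rejection.
 */
function storeValidatedImage(string $tmpPath, string $clientName, int $size, string $uploadDir): string
{
    // Only accept files that really came through PHP's upload mechanism.
    if (!is_uploaded_file($tmpPath)) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($size <= 0 || $size > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('bad size');
    }

    // Reject names with more or fewer than one dot: "shell.php.jpeg" fails here
    // even though its last extension is .jpeg.
    $base = basename($clientName);
    if (substr_count($base, '.') !== 1) {
        throw new RuntimeException('multiple or missing extensions');
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));

    // Sniff the content; $_FILES[...]['type'] is client-supplied and untrusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime]) || !in_array($ext, ALLOWED_IMAGE_TYPES[$mime], true)) {
        throw new RuntimeException("type mismatch: $mime / .$ext");
    }

    // getimagesize() parses the image header; corrupt or non-image data fails.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not a decodable image');
    }

    // Decode with GD. Re-encoding discards anything that is not pixel data,
    // such as code hidden in a comment chunk or appended after the image.
    $img = match ($mime) {
        'image/jpeg' => @imagecreatefromjpeg($tmpPath),
        'image/png'  => @imagecreatefrompng($tmpPath),
        'image/gif'  => @imagecreatefromgif($tmpPath),
    };
    if ($img === false) {
        throw new RuntimeException('decode failed');
    }

    // Server-chosen random name; the client's filename never touches the disk.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime][0];
    $ok = match ($mime) {
        'image/jpeg' => imagejpeg($img, $dest, 90),
        'image/png'  => (imagesavealpha($img, true) && imagepng($img, $dest)),
        'image/gif'  => imagegif($img, $dest),   // note: animation is dropped
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    chmod($dest, 0644);   // readable, never executable
    return $dest;
}

// Request handler (assumed form field name "image", assumed upload directory).
if (isset($_FILES['image']) && $_FILES['image']['error'] === UPLOAD_ERR_OK) {
    try {
        $stored = storeValidatedImage(
            $_FILES['image']['tmp_name'],
            $_FILES['image']['name'],
            (int) $_FILES['image']['size'],
            '/var/www/uploads'
        );
        echo 'stored as ' . htmlspecialchars(basename($stored));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

The second measure from the thread still applies regardless of how good the validator is: the upload directory should be served with the PHP handler turned off (for mod_php, `php_admin_flag engine off` inside a `<Directory>` block for that path) and, as the later reply suggests, PHP's temporary upload directory should live on a filesystem mounted `noexec`. Content validation stops a disguised script from being accepted; the directory settings stop one from running if something slips through.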
Is Apache running as user 'nobody'??? Also, what are the permissions of the tmp folder? Did you disallow file execution in the tmp folder? (You should add noexec to the tmp folder via /etc/fstab.)
Ya, it runs as 'nobody'. Which tmp were you referring to? The tmp inside the CGI bins, the one before I move the file over to the real location, ya?
Hey Toby... You will definitely get hacked again, as removing the shell script won't help you remove the threat completely. The hacker or intruder could have entered malicious code into your scripts and can easily regain control or deface your website again. You might like to take my security audit service. See more details here: http://forums.digitalpoint.com/showthread.php?t=278457