Solved

Using C99Shell to test server for vulnerabilities

Posted on 2013-01-17
3
1,823 Views
Last Modified: 2013-01-20
I'm setting up a new webserver for a client of mine.

In the past, we have had a production server be compromised using a tool called "c99shell". It was a PHP file which provided a number of useful features to an attacker like the ability to browse the local filesystem, download arbitrary files, and attempt to execute code or run arbitrary commands on the server by taking advantage of various vulnerabilities in PHP and Apache.

They used the tool to upload phishing websites to the various customers who had chmod 777'd on directories in their webspace. Effectively, this let them "infect" those customer's domains.

TBH, thoguh, it was a pretty useful looking tool... something I wouldn't have minded having on my own webserver (locked down of course so only I could access it). In the hands of a sysadmin it could be a very helpful utility to have around.

I'd like to test that our new webserver is safe from these kinds of attacks, and I'm tempted to just upload c99shell to the server and play with it - pretend like I'm the attacker. I don't really want to re-invent the wheel and try to do penetration tests by manually writing out PHP code.

So my question is - is anybody familiar with c99shell? Is it safe to use for this purpose or does it have any other malware or malicious payloads inside that maybe I should just stay away from? Like, for example, reporting the "compromised" server to a third party hacking group and drawing bad attention to my server unnecessarily.

Alternatively, are there any other "webserver security" tools I can use to do some security tests against my server with?
0
Comment
Question by:Frosty555
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 51

Accepted Solution

by:
ahoffmann earned 250 total points
ID: 38792500
c99shell is a hacking/cracking tool, not a vulnerability scanner
said this, I don't see how it could help identifying vulnerabilities in web apps or the server

you better go with a real scanning tool, see https://www.owasp.org/index.php/Phoenix/Tools
to get an idea what we're talking about

if you want a free scanning tool, I'd start with w3af, skipfish, but keep in mind that these are tools for experts and *not* click&go&be&secure, you need to know what to do
0
 
LVL 63

Assisted Solution

by:btan
btan earned 250 total points
ID: 38792904
I will go with what ahoffmann advices. c99shell is just another web shell which typically is uploaded or redirect to another attacker website hosting that tool. these are possible due primarily to holes in web server which likely is die to LFI or RFI flaws. [1]

[1] http://www.aldeid.com/wiki/C99Shell

Worst is that c99shell is actually malware in AV signature [2] (as trojan/backdoor), you wouldnt want to invite unnecessary alerts. But I believe if host scanning by AV is done, it should be picked up.

[2] http://www.securelist.com/en/descriptions/old188613

Of course, we are wanting to close the web app holes and using other tools can be of greater coverage and minimally OWASP top 10 is a must to close as they are low hanging fruits.

Interesting how other [3] dissect and discover it and the greater interest this is going to be in exploit kits. I wouldnt want to mess around with it unnecessary since crawler are out there detecting such tools and if website is blacklisted, I see there are greater image to your public site (assuming you going to have it there or even as honeypot type :p)

[3] http://malwaremustdie.blogspot.sg/2012/10/how-far-phpc99shell-malware-can-go-from.html
0
 
LVL 31

Author Comment

by:Frosty555
ID: 38799323
Never seen OWASP before, but it looks pretty interesting. I guess I have some reading to do.

My intention with using C99Shell was to basically attempt to attack my own server using the same tools that I had seen work on it before.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There's a lot of hype surrounding blockchain technology. Here's how it works and some of the novel ways it' s now being used - including for data protection.
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question