?
Solved

Using C99Shell to test server for vulnerabilities

Posted on 2013-01-17
3
Medium Priority
?
1,840 Views
Last Modified: 2013-01-20
I'm setting up a new webserver for a client of mine.

In the past, we have had a production server be compromised using a tool called "c99shell". It was a PHP file which provided a number of useful features to an attacker like the ability to browse the local filesystem, download arbitrary files, and attempt to execute code or run arbitrary commands on the server by taking advantage of various vulnerabilities in PHP and Apache.

They used the tool to upload phishing websites to the various customers who had chmod 777'd on directories in their webspace. Effectively, this let them "infect" those customer's domains.

TBH, thoguh, it was a pretty useful looking tool... something I wouldn't have minded having on my own webserver (locked down of course so only I could access it). In the hands of a sysadmin it could be a very helpful utility to have around.

I'd like to test that our new webserver is safe from these kinds of attacks, and I'm tempted to just upload c99shell to the server and play with it - pretend like I'm the attacker. I don't really want to re-invent the wheel and try to do penetration tests by manually writing out PHP code.

So my question is - is anybody familiar with c99shell? Is it safe to use for this purpose or does it have any other malware or malicious payloads inside that maybe I should just stay away from? Like, for example, reporting the "compromised" server to a third party hacking group and drawing bad attention to my server unnecessarily.

Alternatively, are there any other "webserver security" tools I can use to do some security tests against my server with?
0
Comment
Question by:Frosty555
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 51

Accepted Solution

by:
ahoffmann earned 1000 total points
ID: 38792500
c99shell is a hacking/cracking tool, not a vulnerability scanner
said this, I don't see how it could help identifying vulnerabilities in web apps or the server

you better go with a real scanning tool, see https://www.owasp.org/index.php/Phoenix/Tools
to get an idea what we're talking about

if you want a free scanning tool, I'd start with w3af, skipfish, but keep in mind that these are tools for experts and *not* click&go&be&secure, you need to know what to do
0
 
LVL 64

Assisted Solution

by:btan
btan earned 1000 total points
ID: 38792904
I will go with what ahoffmann advices. c99shell is just another web shell which typically is uploaded or redirect to another attacker website hosting that tool. these are possible due primarily to holes in web server which likely is die to LFI or RFI flaws. [1]

[1] http://www.aldeid.com/wiki/C99Shell

Worst is that c99shell is actually malware in AV signature [2] (as trojan/backdoor), you wouldnt want to invite unnecessary alerts. But I believe if host scanning by AV is done, it should be picked up.

[2] http://www.securelist.com/en/descriptions/old188613

Of course, we are wanting to close the web app holes and using other tools can be of greater coverage and minimally OWASP top 10 is a must to close as they are low hanging fruits.

Interesting how other [3] dissect and discover it and the greater interest this is going to be in exploit kits. I wouldnt want to mess around with it unnecessary since crawler are out there detecting such tools and if website is blacklisted, I see there are greater image to your public site (assuming you going to have it there or even as honeypot type :p)

[3] http://malwaremustdie.blogspot.sg/2012/10/how-far-phpc99shell-malware-can-go-from.html
0
 
LVL 31

Author Comment

by:Frosty555
ID: 38799323
Never seen OWASP before, but it looks pretty interesting. I guess I have some reading to do.

My intention with using C99Shell was to basically attempt to attack my own server using the same tools that I had seen work on it before.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question