Solved

Using C99Shell to test server for vulnerabilities

Posted on 2013-01-17
3
1,802 Views
Last Modified: 2013-01-20
I'm setting up a new webserver for a client of mine.

In the past, we have had a production server be compromised using a tool called "c99shell". It was a PHP file which provided a number of useful features to an attacker like the ability to browse the local filesystem, download arbitrary files, and attempt to execute code or run arbitrary commands on the server by taking advantage of various vulnerabilities in PHP and Apache.

They used the tool to upload phishing websites to the various customers who had chmod 777'd on directories in their webspace. Effectively, this let them "infect" those customer's domains.

TBH, thoguh, it was a pretty useful looking tool... something I wouldn't have minded having on my own webserver (locked down of course so only I could access it). In the hands of a sysadmin it could be a very helpful utility to have around.

I'd like to test that our new webserver is safe from these kinds of attacks, and I'm tempted to just upload c99shell to the server and play with it - pretend like I'm the attacker. I don't really want to re-invent the wheel and try to do penetration tests by manually writing out PHP code.

So my question is - is anybody familiar with c99shell? Is it safe to use for this purpose or does it have any other malware or malicious payloads inside that maybe I should just stay away from? Like, for example, reporting the "compromised" server to a third party hacking group and drawing bad attention to my server unnecessarily.

Alternatively, are there any other "webserver security" tools I can use to do some security tests against my server with?
0
Comment
Question by:Frosty555
3 Comments
 
LVL 51

Accepted Solution

by:
ahoffmann earned 250 total points
ID: 38792500
c99shell is a hacking/cracking tool, not a vulnerability scanner
said this, I don't see how it could help identifying vulnerabilities in web apps or the server

you better go with a real scanning tool, see https://www.owasp.org/index.php/Phoenix/Tools
to get an idea what we're talking about

if you want a free scanning tool, I'd start with w3af, skipfish, but keep in mind that these are tools for experts and *not* click&go&be&secure, you need to know what to do
0
 
LVL 62

Assisted Solution

by:btan
btan earned 250 total points
ID: 38792904
I will go with what ahoffmann advices. c99shell is just another web shell which typically is uploaded or redirect to another attacker website hosting that tool. these are possible due primarily to holes in web server which likely is die to LFI or RFI flaws. [1]

[1] http://www.aldeid.com/wiki/C99Shell

Worst is that c99shell is actually malware in AV signature [2] (as trojan/backdoor), you wouldnt want to invite unnecessary alerts. But I believe if host scanning by AV is done, it should be picked up.

[2] http://www.securelist.com/en/descriptions/old188613

Of course, we are wanting to close the web app holes and using other tools can be of greater coverage and minimally OWASP top 10 is a must to close as they are low hanging fruits.

Interesting how other [3] dissect and discover it and the greater interest this is going to be in exploit kits. I wouldnt want to mess around with it unnecessary since crawler are out there detecting such tools and if website is blacklisted, I see there are greater image to your public site (assuming you going to have it there or even as honeypot type :p)

[3] http://malwaremustdie.blogspot.sg/2012/10/how-far-phpc99shell-malware-can-go-from.html
0
 
LVL 31

Author Comment

by:Frosty555
ID: 38799323
Never seen OWASP before, but it looks pretty interesting. I guess I have some reading to do.

My intention with using C99Shell was to basically attempt to attack my own server using the same tools that I had seen work on it before.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
Each year, investment in cloud platforms grows more than 20% (https://www.immun.io/hubfs/Immunio_2016/Content/Marketing/Cloud-Security-Report-2016.pdf?submissionGuid=a8d80a00-6fee-4b85-81db-a4e28f681762) as an increasing number of companies begin to…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question