Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Using C99Shell to test server for vulnerabilities

Posted on 2013-01-17
3
Medium Priority
?
1,853 Views
Last Modified: 2013-01-20
I'm setting up a new webserver for a client of mine.

In the past, we have had a production server be compromised using a tool called "c99shell". It was a PHP file which provided a number of useful features to an attacker like the ability to browse the local filesystem, download arbitrary files, and attempt to execute code or run arbitrary commands on the server by taking advantage of various vulnerabilities in PHP and Apache.

They used the tool to upload phishing websites to the various customers who had chmod 777'd on directories in their webspace. Effectively, this let them "infect" those customer's domains.

TBH, thoguh, it was a pretty useful looking tool... something I wouldn't have minded having on my own webserver (locked down of course so only I could access it). In the hands of a sysadmin it could be a very helpful utility to have around.

I'd like to test that our new webserver is safe from these kinds of attacks, and I'm tempted to just upload c99shell to the server and play with it - pretend like I'm the attacker. I don't really want to re-invent the wheel and try to do penetration tests by manually writing out PHP code.

So my question is - is anybody familiar with c99shell? Is it safe to use for this purpose or does it have any other malware or malicious payloads inside that maybe I should just stay away from? Like, for example, reporting the "compromised" server to a third party hacking group and drawing bad attention to my server unnecessarily.

Alternatively, are there any other "webserver security" tools I can use to do some security tests against my server with?
0
Comment
Question by:Frosty555
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 51

Accepted Solution

by:
ahoffmann earned 1000 total points
ID: 38792500
c99shell is a hacking/cracking tool, not a vulnerability scanner
said this, I don't see how it could help identifying vulnerabilities in web apps or the server

you better go with a real scanning tool, see https://www.owasp.org/index.php/Phoenix/Tools
to get an idea what we're talking about

if you want a free scanning tool, I'd start with w3af, skipfish, but keep in mind that these are tools for experts and *not* click&go&be&secure, you need to know what to do
0
 
LVL 65

Assisted Solution

by:btan
btan earned 1000 total points
ID: 38792904
I will go with what ahoffmann advices. c99shell is just another web shell which typically is uploaded or redirect to another attacker website hosting that tool. these are possible due primarily to holes in web server which likely is die to LFI or RFI flaws. [1]

[1] http://www.aldeid.com/wiki/C99Shell

Worst is that c99shell is actually malware in AV signature [2] (as trojan/backdoor), you wouldnt want to invite unnecessary alerts. But I believe if host scanning by AV is done, it should be picked up.

[2] http://www.securelist.com/en/descriptions/old188613

Of course, we are wanting to close the web app holes and using other tools can be of greater coverage and minimally OWASP top 10 is a must to close as they are low hanging fruits.

Interesting how other [3] dissect and discover it and the greater interest this is going to be in exploit kits. I wouldnt want to mess around with it unnecessary since crawler are out there detecting such tools and if website is blacklisted, I see there are greater image to your public site (assuming you going to have it there or even as honeypot type :p)

[3] http://malwaremustdie.blogspot.sg/2012/10/how-far-phpc99shell-malware-can-go-from.html
0
 
LVL 31

Author Comment

by:Frosty555
ID: 38799323
Never seen OWASP before, but it looks pretty interesting. I guess I have some reading to do.

My intention with using C99Shell was to basically attempt to attack my own server using the same tools that I had seen work on it before.
0

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

An overview of cyber security, cyber crime, and personal protection against hackers. Includes a brief summary of the Equifax breach and why everyone should be aware of it. Other subjects include: how cyber security has failed to advance with technol…
Let's take a look into the basics of ransomware—how it spreads, how it can hurt us, and why a disaster recovery plan is important.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question