Solved

Using C99Shell to test server for vulnerabilities

Posted on 2013-01-17
3
1,794 Views
Last Modified: 2013-01-20
I'm setting up a new webserver for a client of mine.

In the past, we have had a production server be compromised using a tool called "c99shell". It was a PHP file which provided a number of useful features to an attacker like the ability to browse the local filesystem, download arbitrary files, and attempt to execute code or run arbitrary commands on the server by taking advantage of various vulnerabilities in PHP and Apache.

They used the tool to upload phishing websites to the various customers who had chmod 777'd on directories in their webspace. Effectively, this let them "infect" those customer's domains.

TBH, thoguh, it was a pretty useful looking tool... something I wouldn't have minded having on my own webserver (locked down of course so only I could access it). In the hands of a sysadmin it could be a very helpful utility to have around.

I'd like to test that our new webserver is safe from these kinds of attacks, and I'm tempted to just upload c99shell to the server and play with it - pretend like I'm the attacker. I don't really want to re-invent the wheel and try to do penetration tests by manually writing out PHP code.

So my question is - is anybody familiar with c99shell? Is it safe to use for this purpose or does it have any other malware or malicious payloads inside that maybe I should just stay away from? Like, for example, reporting the "compromised" server to a third party hacking group and drawing bad attention to my server unnecessarily.

Alternatively, are there any other "webserver security" tools I can use to do some security tests against my server with?
0
Comment
Question by:Frosty555
3 Comments
 
LVL 51

Accepted Solution

by:
ahoffmann earned 250 total points
ID: 38792500
c99shell is a hacking/cracking tool, not a vulnerability scanner
said this, I don't see how it could help identifying vulnerabilities in web apps or the server

you better go with a real scanning tool, see https://www.owasp.org/index.php/Phoenix/Tools
to get an idea what we're talking about

if you want a free scanning tool, I'd start with w3af, skipfish, but keep in mind that these are tools for experts and *not* click&go&be&secure, you need to know what to do
0
 
LVL 62

Assisted Solution

by:btan
btan earned 250 total points
ID: 38792904
I will go with what ahoffmann advices. c99shell is just another web shell which typically is uploaded or redirect to another attacker website hosting that tool. these are possible due primarily to holes in web server which likely is die to LFI or RFI flaws. [1]

[1] http://www.aldeid.com/wiki/C99Shell

Worst is that c99shell is actually malware in AV signature [2] (as trojan/backdoor), you wouldnt want to invite unnecessary alerts. But I believe if host scanning by AV is done, it should be picked up.

[2] http://www.securelist.com/en/descriptions/old188613

Of course, we are wanting to close the web app holes and using other tools can be of greater coverage and minimally OWASP top 10 is a must to close as they are low hanging fruits.

Interesting how other [3] dissect and discover it and the greater interest this is going to be in exploit kits. I wouldnt want to mess around with it unnecessary since crawler are out there detecting such tools and if website is blacklisted, I see there are greater image to your public site (assuming you going to have it there or even as honeypot type :p)

[3] http://malwaremustdie.blogspot.sg/2012/10/how-far-phpc99shell-malware-can-go-from.html
0
 
LVL 31

Author Comment

by:Frosty555
ID: 38799323
Never seen OWASP before, but it looks pretty interesting. I guess I have some reading to do.

My intention with using C99Shell was to basically attempt to attack my own server using the same tools that I had seen work on it before.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Encryption for Business Encryption (https://en.wikipedia.org/wiki/Encryption) ensures the safety of our data when sending emails. In most cases, to read an encrypted email you must enter a secret key that will enable you to decrypt the email. T…
An analysis of the phishing scam that has been affecting Google users, along with steps to take for protection, as well as what to do if you receive one of the emails.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now