The C99Shell, a.k.a. “C99 Shell”, is a PHP backdoor script designed to further compromise insecure web servers. Once installed on an insufficiently secured server it is able to automatically install a number of Wordpress-specific hacks. In addition it can take advantage of the lack of sandboxing in the PHP platform to execute arbitrary OS commands under the user ID of the web-server process.

C99Shell appears as an extra file dropped in a random or disguised location somewhere in your web server. The PHP file contains a zipped, base64-encoded stream which is decoded and then eval’d on the fly. The purpose of this is to obfuscate the file: it is hard to spot unless you have a way to determine whether files have been added to your system. Even though the file is unreadable, it is pretty easy to modify it so that it prints its source code instead of running it:

Change the “eval” statement at the beginning of the file to an “echo” statement. It will print the following source code, which I have placed on Pastebin.

By default the C99 Shell can target key vulnerabilities in Wordpress: for example, having installed the script, an attacker can do a push-button patch on the config file or the main index.php file. Usually the purpose of these attacks is vandalism or, more often, to install spam links.

Detecting the C99Shell is very easy if you installed your Wordpress via SVN. First, detect and then manually inspect any .php files which have been added to your Wordpress installation, like this:

svn status | grep '^?.*\.php$'

Next, try to detect files which have changed; it’s possible that these have been patched by the attacker:

svn status | grep ^M

Manually check each one of these files for signs of suspicious additions.

Once you have removed any unwelcome additions to your site, check the following permissions:

  • If you still have the hack file, try running it yourself. There is a row of buttons which can be used to install hacks. Hacks which are available but not installed are green, already installed ones are yellow, and unavailable hacks are red. Now that you are in control you can try out the hacks yourself and get an idea of which files they modify. If you can modify them, it means your file permissions are too lax. Try to get all the filesystem security set up right before you permanently delete c99shell.
  • Remove group and other write permissions from the wp-includes folder and from all of the PHP files in the top level of the Wordpress installation.
  • Ensure that your Wordpress installation, all templates and plugins are installed via SVN. This will enable you to trivially detect and remove any unwelcome modifications in the future.
  • You can disable the “eval” function. It’s a dangerous piece of code and I’m pretty sure that it is not required by any legitimate Wordpress component. Use the “disable_functions” directive in your php.ini.
http://pastebin.com/f1ca32742
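As an added example (not code from the original post), the following POSIX shell script automates two of the checks listed above: it finds PHP files whose source eval()s a decoded payload, the wrapper described at the start of the post, and lists group/other-writable PHP files in the top level and wp-includes before stripping those bits. The directory layout and the sample tree it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. Scans a Wordpress tree for
# two symptoms described above: PHP files that eval() a decoded payload (the
# wrapper used to hide C99Shell's real source) and group/other-writable PHP
# files in the top level and wp-includes. The layout below is an assumption.

EVAL_PATTERN='eval[[:space:]]*\([[:space:]]*(gzinflate|gzuncompress|base64_decode|str_rot13)'

# Print every .php file under $1 whose source matches the eval-of-decoded-
# payload wrapper. Review each hit by hand; legitimate code rarely does this.
find_eval_droppers() {
    find "$1" -type f -name '*.php' -exec grep -lE "$EVAL_PATTERN" {} + | sort
}

# Print top-level .php files, and anything under wp-includes, that group or
# "other" can write to (the permissions the post says to remove).
find_writable_php() {
    {
        find "$1" -maxdepth 1 -type f -name '*.php' \( -perm -020 -o -perm -002 \)
        if [ -d "$1/wp-includes" ]; then
            find "$1/wp-includes" \( -perm -020 -o -perm -002 \)
        fi
    } | sort
}

# Remove group and other write bits from the same set of paths.
harden_permissions() {
    find "$1" -maxdepth 1 -type f -name '*.php' -exec chmod go-w {} +
    if [ -d "$1/wp-includes" ]; then chmod -R go-w "$1/wp-includes"; fi
}

# Constructed sample install: one clean file, one world-writable core file and
# a dropper hidden in the uploads folder whose "payload" is a harmless
# placeholder string. Prints the tree's path so callers can clean it up.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes" "$root/wp-content/uploads"
    chmod 755 "$root/wp-includes" "$root/wp-content" "$root/wp-content/uploads"
    printf '<?php echo "clean";\n' > "$root/index.php"
    printf '<?php function wp_legit() {}\n' > "$root/wp-includes/functions.php"
    printf '<?php eval(gzinflate(base64_decode("PLACEHOLDER-NOT-A-REAL-PAYLOAD")));\n' \
        > "$root/wp-content/uploads/.cache.php"
    chmod 644 "$root/index.php" "$root/wp-content/uploads/.cache.php"
    chmod 666 "$root/wp-includes/functions.php"
    printf '%s\n' "$root"
}
# Usage on a real install: find_eval_droppers /path/to/wordpress
```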

Last night, while most crazy young people were out getting sorted for E’s and whizz, I decided to stay in and migrate the Exciting Hellebore Shew and Epistaxis Archives over to Wordpress. To my dismay it appears that the standard Wordpress RSS importer cannot handle enclosures, so there is no way to import a podcast series.

Rather than cut and paste seventy episodes of Epistaxis Time, I hacked up a new RSS2 importer based on the existing design, but using Magpie RSS to parse the RSS feeds. As a result we have a new parser that is better able to cope with the nuances of RSS2. You can download my code as an SVN diff here: http://svn.stodge.org/wordpress_rss2_import/magpie_rss2_import.diff

In order to make this work you will need a recent-ish version of Magpie RSS in a folder called ‘magpierss’ somewhere in your PHP search path. Just apply the diff at the root folder of your Wordpress installation. This works best if you got Wordpress via Subversion; it’s much easier than downloading and unpacking tgz or zip files.

Working with PHP can be a bowel-churning experience; it is one of the most rubbish computer languages ever devised, because it encourages virtually every bad habit a developer could adopt. Its only saving grace is almost ubiquitous integration with the Apache server; however, there are plenty of other languages with similar levels of popularity.

Re-visiting PHP, I cannot believe that I ever found pleasure in making a living from coding this language. Were it not for the fact that Wordpress is a 100% PHP application I would never, ever go near it again. PHP, thy names are woe and misery.

Despite the aforementioned reservations, I have struggled against my profound fear of PHP to partially refactor Marc Nozell’s ‘Yet Another Daily Delicious’ plugin. In its original form, the plugin is capable of incorporating links added during the current day into a Wordpress blog.

I have added the following features:

  • Tear support – you can limit the number of items that appear on the wordpress home-page. This means that if you go a bit crazy with adding your links, you can ensure that it does not ruin your layout.
  • Deferred Publishing – You can make your daily links start off in a non-published state.
  • Clickable Keywords – Takes you through to the correct tag page.
  • Tidied-Up Layout – Arguably my version is slightly neater than Marc’s original.

My own code can be found on my Subversion server, and is released under the same license as Marc’s original software in the hope that it will be of use to the blogging public. Enjoy, and please feel free to publish patches against my Subversion offering.

A month after we all agreed to standardise on Zope as our content management system, one of my clients (for some inexplicable reason) has decided to standardise on RHEL3 as the company-wide Linux platform. That would be just great were it not for the fact that no Red Hat distribution (not even Fedora) has ever supported any version of Zope, or endorsed the use of the Python programming language for anything other than its own up2date rpm management utilities.