Monthly Archive for July, 2009

Does anybody remember “Binky and Boo”?

Binky and Boo was a 1988 animated short directed by Derek Hayes (the same guy who did the rather spooky “Skywhales”). I’ve not yet found a copy of it on the Internet anywhere, but I did find a brief reference to the film in a Google scan of an animation textbook.

It’s the life story of a music-hall double-act at the end of their clowning careers: I seem to remember that the animation presents a sort of potted biography of the clowns’ lives in the form of scenes from their painful lives as remembered from Binky’s scrapbook.

I saw it only once, as part of a Channel 4 animation festival that was broadcast in the early 90s. I remember thinking that the animation was very funny and wished that I’d recorded it on my VCR. I’ve been looking for a copy of it ever since, but it does not seem to be on sale in any format, and amazingly this animation does not seem to be anywhere on the internet.

Unfortunately “Binky” and “Boo” seem to be very common names for cats in America, so a search of the internet yields nothing but pictures of other people’s felines. I want to see animated clowns: perhaps Mr. Hayes or one of his former associates would like to upload this animation to a video sharing service so that we can all enjoy it again. I think this funny short deserves to be seen.

Inside the C99Shell, and removing it from WordPress

The C99Shell, a.k.a. “C99 Shell”, is a PHP backdoor script designed to further compromise insecure web servers. Once dropped onto an insufficiently secured server it can automatically apply a number of WordPress-specific hacks. It also takes advantage of the lack of sandboxing in the PHP platform: through functions such as system(), exec() and passthru() it can execute arbitrary OS commands under the user ID of the web server process.

C99Shell appears as an extra file dropped in a random or disguised location somewhere under your web root. The PHP file contains a compressed (raw DEFLATE, as produced by PHP’s gzdeflate()), base64-encoded stream which is decoded and then eval’d on the fly, typically as eval(gzinflate(base64_decode('...'))). The purpose of this is to obfuscate the file; it is hard to spot unless you have a way to determine whether files have been added to your system. Even though the file is unreadable as shipped, it is easy to modify it so that it prints its source code instead of running it:

Change the “eval” statement at the beginning of the file to an “echo” statement and run the result, preferably on an offline copy rather than on the compromised server itself (if the payload is packed more than one layer deep, repeat the change on the output). It will print the following source code, which I have placed on Pastebin.
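The same unwrapping can be done without running the attacker’s code at all. The script below is an added example, not part of the original post or of c99shell itself: it finds the eval(gzinflate(base64_decode('...'))) wrapper (and the gzuncompress, gzdecode, str_rot13 and strrev variants) with a regular expression, applies the matching decoders in the right order, and repeats until no wrapper is left, so a shell packed several layers deep comes out in one pass. The packed input is a constructed stand-in built inside the script, not a real sample.

```python
import base64
import re
import zlib


def _rot13(data: bytes) -> bytes:
    """PHP str_rot13() over a byte string."""
    out = bytearray()
    for b in data:
        if 65 <= b <= 90:
            out.append((b - 65 + 13) % 26 + 65)
        elif 97 <= b <= 122:
            out.append((b - 97 + 13) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)


# Decoders for the PHP functions commonly stacked inside the eval() wrapper.
DECODERS = {
    "base64_decode": lambda d: base64.b64decode(d),     # whitespace ignored, as in PHP's non-strict mode
    "gzinflate": lambda d: zlib.decompress(d, -15),     # raw DEFLATE, no zlib/gzip header
    "gzuncompress": lambda d: zlib.decompress(d),       # zlib-wrapped
    "gzdecode": lambda d: zlib.decompress(d, 16 + 15),  # gzip-wrapped
    "str_rot13": _rot13,
    "strrev": lambda d: d[::-1],
}

# eval(<chain of calls>('<literal>')); e.g. eval(gzinflate(base64_decode('...')));
WRAPPER = re.compile(
    r"eval\s*\(\s*"
    r"(?P<chain>(?:\w+\s*\(\s*)*)"
    r"(?P<q>['\"])(?P<blob>[^'\"]*)(?P=q)"
    r"\s*\)+\s*;?"
)


def unwrap(source: str, max_layers: int = 16):
    """Statically peel eval(f(g('...'))) wrappers without executing any PHP.

    Returns (decoded_source, layers): the source with every decodable wrapper
    replaced by its plaintext, and the function chain removed at each step,
    outermost first.  Wrappers built from request data (eval($_POST[...]))
    have no literal to decode and are left alone.
    """
    layers = []
    for _ in range(max_layers):
        m = WRAPPER.search(source)
        if not m:
            break
        funcs = re.findall(r"\w+", m.group("chain"))
        data = m.group("blob").encode("latin-1")
        for fn in reversed(funcs):  # the innermost call runs first
            if fn not in DECODERS:
                raise ValueError("no static decoder for %s()" % fn)
            data = DECODERS[fn](data)
        layers.append(funcs)
        # PHP strings are bytes; latin-1 keeps every byte value round-trippable
        source = source[:m.start()] + data.decode("latin-1") + source[m.end():]
    return source, layers


# --- constructed sample: a harmless stand-in packed the way c99shell is ---

def php_gzdeflate(data: bytes) -> bytes:
    """Mimic PHP gzdeflate(): raw DEFLATE with no header."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def pack(php_code: str) -> str:
    """Wrap code in eval(gzinflate(base64_decode('...'))); (builds the sample only)."""
    blob = base64.b64encode(php_gzdeflate(php_code.encode("latin-1"))).decode("ascii")
    return "eval(gzinflate(base64_decode('%s')));" % blob


PAYLOAD = "echo 'stand-in for the shell body';"
SAMPLE_FILE = "<?php\n" + pack(pack(PAYLOAD)) + "\n?>"  # packed two layers deep

if __name__ == "__main__":
    decoded, layers = unwrap(SAMPLE_FILE)
    print("layers removed:", layers)
    print(decoded)
```

Run it on a real dropped file by reading the file into unwrap(); anything it cannot decode statically (a chain it does not know, or a payload pulled from the request) is reported rather than guessed, which is exactly the case where you should read the file by hand.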

By default the C99 Shell comes with push-button attacks on key WordPress files: for example, having installed the script, an attacker can patch the config file or the main index.php with a single click. Usually the purpose of these attacks is vandalism or, more often, to install spam links.

Detecting the C99Shell is very easy if you installed your WordPress via SVN. First, detect and then manually inspect any .php files which have been added to your WordPress installation, like this:

svn status | grep '^?.*\.php$'

Next, look for tracked files which have changed; these may have been patched by the attacker:

svn status | grep '^M'

Manually check each of these files for signs of suspicious additions, such as an eval() applied to the output of base64_decode() or gzinflate(), or injected spam links. Note that svn status only sees the working copy: files dropped outside the checked-out tree, or in directories you have told Subversion to ignore, will not appear, and attackers also use extensions such as .phtml or .php5 where the server is configured to parse them, so widen the grep pattern if yours is.
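The svn status checks and the manual inspection step can be combined into a small triage script. The following is an added example rather than anything from the original post: it parses svn status output for untracked PHP files and modified tracked files, then runs a few indicator patterns (an eval() fed by a decoder, a command-execution function fed by request data, preg_replace with the /e modifier, a long base64 literal passed to base64_decode) over each candidate’s contents. Both the status listing and the file contents are constructed sample data, and the indicators are heuristics to direct a reading, not proof of compromise.

```python
import re

# Patterns a hand-edited file is unlikely to contain but dropped shells and
# injected spam loaders usually do.  Heuristic, not proof: read every hit.
INDICATORS = {
    "eval-of-decoder-chain": re.compile(
        r"\beval\s*\(\s*(?:gzinflate|gzuncompress|gzdecode|base64_decode|str_rot13)\s*\("),
    "shell-function-on-request-data": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    "preg_replace-e-modifier": re.compile(
        r"\bpreg_replace\s*\(\s*['\"]([^'\"])[^'\"]*?\1[a-zA-Z]*e[a-zA-Z]*['\"]"),
    "long-base64-literal": re.compile(
        r"\bbase64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{40,}['\"]"),
}

PHP_EXT = re.compile(r"\.(?:php\d?|phtml)$", re.I)


def candidate_files(svn_status_output):
    """Split `svn status` output into (added_php, modified) paths.

    Column 1 is the item status: '?' = not under version control (a dropped
    file), 'M' = tracked content modified.  The path starts after column 7.
    """
    added, modified = [], []
    for line in svn_status_output.splitlines():
        if not line.strip():
            continue
        code, path = line[0], line[7:].strip()
        if code == "?" and PHP_EXT.search(path):
            added.append(path)
        elif code == "M":
            modified.append(path)
    return added, modified


def scan_source(text):
    """Return the names of the indicators that fire on one file's contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def triage(svn_status_output, read_file):
    """Map every candidate path to its indicator hits.

    read_file(path) returns the file's text; passing a dict's .get lets the
    example run on constructed data instead of a real checkout.
    """
    added, modified = candidate_files(svn_status_output)
    return {path: scan_source(read_file(path) or "") for path in added + modified}


# Constructed sample data (not real captures): svn output plus the contents of
# the files it names.
SAMPLE_STATUS = """\
?       wp-content/uploads/2009/07/.cache.php
?       wp-content/uploads/2009/07/photo.jpg
M       wp-config.php
M       index.php
A       wp-content/plugins/hello.php
"""

SAMPLE_FILES = {
    "wp-content/uploads/2009/07/.cache.php":
        "<?php eval(gzinflate(base64_decode('c29tZWJsb2I='))); ?>",
    "wp-config.php":
        "<?php\ndefine('DB_NAME', 'wordpress');\n",
    "index.php":
        "<?php\nrequire('./wp-blog-header.php');\n"
        "echo base64_decode('PGEgaHJlZj0iaHR0cDovL2V4YW1wbGUuY29tLyI+eDwvYT4=');\n",
}

if __name__ == "__main__":
    for path, hits in triage(SAMPLE_STATUS, SAMPLE_FILES.get).items():
        print("%-45s %s" % (path, ", ".join(hits) or "no indicators (inspect by hand)"))
```

Against a real checkout, feed it the output of svn status and a read_file that opens paths relative to the install root. A modified file with no hits (wp-config.php above) still needs a look with svn diff; the indicators only prioritise.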

Once you have removed any unwelcome additions to your site, check the following:

  • If you still have the hack file, try running it yourself, but only against a copy of the site on an isolated machine, never on the live server: it is attacker code and may do more than its buttons suggest. There is a row of buttons which can be used to install hacks. Hacks which are available but not installed are green, already installed ones are yellow, and unavailable hacks are red. Now that you are in control you can try out the hacks yourself and get an idea of which files they modify. If you can modify them, it means your file permissions are too lax. Try to get all the filesystem security set up right before you permanently delete c99shell.
  • Remove group and other write permissions from the wp-includes folder and from all of the PHP files in the top level of the WordPress installation.
  • Ensure that your WordPress installation, all themes and plugins are installed via SVN. This will enable you to trivially detect and remove any unwelcome modifications in the future.
  • You can restrict what PHP code is allowed to call. The “eval” function is a dangerous piece of code and I’m pretty sure that it is not required by any legitimate WordPress component. Note, however, that eval is a language construct rather than a function, so the disable_functions directive in your php.ini (the directive is disable_functions, not “disabled_functions”) cannot switch it off. What it can block are the functions c99shell uses to run OS commands: system, exec, shell_exec, passthru, popen and proc_open.
http://pastebin.com/f1ca32742
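Two of the checks in the list above, the permission sweep and the php.ini directive, can be automated. This is an added example rather than the post’s own procedure: loosely_writable() walks an install and lists every file or directory that group or others can write to, skipping an assumed allowlist (wp-content/uploads) that you would adjust to your own setup, and missing_disabled() parses a php.ini and reports which of the command-execution functions c99shell uses are not yet in disable_functions. The install it walks is a temporary tree the script builds itself.

```python
import os
import re
import stat
import tempfile

# Functions c99shell relies on to run OS commands.  eval() is a language
# construct, so it cannot appear in disable_functions; these can.
EXEC_FUNCTIONS = ["system", "exec", "shell_exec", "passthru", "popen", "proc_open"]

# Install-relative paths that WordPress legitimately writes to.  An assumed
# allowlist for this example; extend it to match your own setup.
WRITABLE_OK = ("wp-content/uploads",)


def _allowlisted(rel):
    return any(rel == p or rel.startswith(p + os.sep) for p in WRITABLE_OK)


def loosely_writable(root):
    """Return install-relative paths that group or others may write to."""
    bad = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if _allowlisted(rel):
                continue
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):  # a link's own permission bits are meaningless
                continue
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                bad.append(rel)
    return sorted(bad)


def missing_disabled(php_ini_text):
    """Return the exec-family functions that php.ini does not disable."""
    disabled = set()
    for line in php_ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment in php.ini
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            disabled.update(f.strip() for f in m.group(1).split(",") if f.strip())
    return [f for f in EXEC_FUNCTIONS if f not in disabled]


def build_demo_tree():
    """Constructed stand-in for an install: creates a temp tree, returns its path."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    files = [
        ("index.php", 0o644),
        ("wp-config.php", 0o666),                     # world-writable: too lax
        ("wp-includes/functions.php", 0o664),         # group-writable: too lax
        ("wp-content/uploads/2009/07/a.jpg", 0o666),  # allowed: uploads dir
    ]
    for rel, mode in files:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("<?php // sample\n")
        os.chmod(full, mode)
    for dirpath, dirnames, _ in os.walk(root):  # directories: owner-only write
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    return root


HARDENED_PHP_INI = "disable_functions = " + ",".join(EXEC_FUNCTIONS) + "\n"

if __name__ == "__main__":
    print("loosely writable:", loosely_writable(build_demo_tree()))
    print("still enabled:", missing_disabled("; no disable_functions line\n"))
    print("still enabled after hardening:", missing_disabled(HARDENED_PHP_INI))
```

Point loosely_writable() at the real install root instead of the demo tree and paste the live php.ini into missing_disabled(); an empty list from both is the state to reach before c99shell is deleted for good.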