Comments on: Script kiddies have awesome tools http://dow.ngra.de/2008/11/04/script-kiddies-have-awesome-tools/ no buzzwords allowed Wed, 10 Mar 2010 17:47:15 -0500 http://wordpress.org/?v=2.9 hourly 1 By: read this http://dow.ngra.de/2008/11/04/script-kiddies-have-awesome-tools/comment-page-1/#comment-20955 read this Fri, 06 Nov 2009 19:56:46 +0000 http://dow.ngra.de/?p=413#comment-20955 Dman script kids, they got my WP infected with the "eval(gzinflate(base64_decode(‘FJ3HcqPsFkUf" crap, and never new what the hell it was behind it. I always kept deleting and reinstalling WP until I got the idea to change ALL my passwords and do a clean install. That took care of them. Since then I always upgrade. Dman script kids, they got my WP infected with the “eval(gzinflate(base64_decode(‘FJ3HcqPsFkUf” crap, and never new what the hell it was behind it. I always kept deleting and reinstalling WP until I got the idea to change ALL my passwords and do a clean install. That took care of them.
Since then I always upgrade.

]]> By: Dennis Yusupoff http://dow.ngra.de/2008/11/04/script-kiddies-have-awesome-tools/comment-page-1/#comment-19199 Dennis Yusupoff Thu, 01 Oct 2009 09:11:59 +0000 http://dow.ngra.de/?p=413#comment-19199 I've got compromize my website even after installed mod_security. Moreover, php.ini has a lot of hardening options: [code] disable_functions = exec,system,shell_exec,passthru,phpinfo,proc_open,popen,shows_source allow_url_include=0 allow_url_fopen=0 enable_dl=0 [/code] and in apache conf set "php_admin_value open_basedir /usr/local/www/site:/usr/local/php"! Thanks god, ClamAV knows about this script: [code] /usr/local/www/forum.site/httpdocs/c99.php: PHP.Rst-1 FOUND /usr/local/www/forum.site/httpdocs/cache/drfgtt.php: PHP.Rst-1 FOUND /usr/local/www/forum.site/httpdocs/xs_mod/images/index.php: PHP.Rst-1 FOUND /usr/local/www/site/httpdocs/shop/images/other/prodaves/owertime.php: PHP.Rst-1 FOUND /usr/local/www/site/httpdocs/shop/smarty/internals/lool.php: PHP.Rst-1 FOUND /usr/local/www/site/httpdocs/shop/smarty/plugins/conf.phpmodifier.uppers.php: PHP.Rst-1 FOUND /usr/local/www/site/httpdocs/reviews/rc_models/Protech_Razor/thumbnails/c99.php: PHP.Rst-1 FOUND /usr/local/www/site/httpdocs/reviews/rc_models/Reflex_XTR/c99.php: PHP.Rst-1 FOUND /usr/local/www/site/httpdocs/SHIP/mod.php: PHP.Rst-1 FOUND [/code] I’ve got compromize my website even after installed mod_security. Moreover, php.ini has a lot of hardening options:
[code]
disable_functions = exec,system,shell_exec,passthru,phpinfo,proc_open,popen,shows_source
allow_url_include=0
allow_url_fopen=0
enable_dl=0
[/code]

and in apache conf set “php_admin_value open_basedir /usr/local/www/site:/usr/local/php”!

Thanks god, ClamAV knows about this script:
[code]
/usr/local/www/forum.site/httpdocs/c99.php: PHP.Rst-1 FOUND
/usr/local/www/forum.site/httpdocs/cache/drfgtt.php: PHP.Rst-1 FOUND
/usr/local/www/forum.site/httpdocs/xs_mod/images/index.php: PHP.Rst-1 FOUND
/usr/local/www/site/httpdocs/shop/images/other/prodaves/owertime.php: PHP.Rst-1 FOUND
/usr/local/www/site/httpdocs/shop/smarty/internals/lool.php: PHP.Rst-1 FOUND
/usr/local/www/site/httpdocs/shop/smarty/plugins/conf.phpmodifier.uppers.php: PHP.Rst-1 FOUND
/usr/local/www/site/httpdocs/reviews/rc_models/Protech_Razor/thumbnails/c99.php: PHP.Rst-1 FOUND
/usr/local/www/site/httpdocs/reviews/rc_models/Reflex_XTR/c99.php: PHP.Rst-1 FOUND
/usr/local/www/site/httpdocs/SHIP/mod.php: PHP.Rst-1 FOUND
[/code]

]]> By: B http://dow.ngra.de/2008/11/04/script-kiddies-have-awesome-tools/comment-page-1/#comment-18981 B Thu, 24 Sep 2009 13:31:38 +0000 http://dow.ngra.de/?p=413#comment-18981 Yeah I recently found a similar thing on a compromised site. It called itself "Locus7s Modified c100 Shell". It had the expected stuff like a file manager and self removal stuff but it also had some hardcore features for privilege escalation and kernel attacks. I was surprised at how advanced some of it was. Yeah I recently found a similar thing on a compromised site. It called itself “Locus7s Modified c100 Shell”. It had the expected stuff like a file manager and self removal stuff but it also had some hardcore features for privilege escalation and kernel attacks. I was surprised at how advanced some of it was.

]]> By: BEWERK | web dingetjes http://dow.ngra.de/2008/11/04/script-kiddies-have-awesome-tools/comment-page-1/#comment-12247 BEWERK | web dingetjes Mon, 18 May 2009 20:37:16 +0000 http://dow.ngra.de/?p=413#comment-12247 [...] Script kiddies have awesome tools | dow.ngra.de. Categories: Besturings systemen, IT - Tags: [...] [...] Script kiddies have awesome tools | dow.ngra.de. Categories: Besturings systemen, IT – Tags: [...]

]]> By: Tagz | "Script kiddies have awesome tools | dow.ngra.de" | Comments http://dow.ngra.de/2008/11/04/script-kiddies-have-awesome-tools/comment-page-1/#comment-12088 Tagz | "Script kiddies have awesome tools | dow.ngra.de" | Comments Sat, 16 May 2009 16:55:36 +0000 http://dow.ngra.de/?p=413#comment-12088 [...] [upmod] [downmod] Script kiddies have awesome tools | dow.ngra.de (dow.ngra.de) 3 points posted 6 months, 1 week ago by SixSixSix tags imported programming [...] [...] [upmod] [downmod] Script kiddies have awesome tools | dow.ngra.de (dow.ngra.de) 3 points posted 6 months, 1 week ago by SixSixSix tags imported programming [...]

]]> By: Mitty Stone http://dow.ngra.de/2008/11/04/script-kiddies-have-awesome-tools/comment-page-1/#comment-5686 Mitty Stone Fri, 30 Jan 2009 10:21:12 +0000 http://dow.ngra.de/?p=413#comment-5686 Shell creator site http://madnet.name/files/1/10.html Shell creator site
http://madnet.name/files/1/10.html

]]> By: Toomas Römer http://dow.ngra.de/2008/11/04/script-kiddies-have-awesome-tools/comment-page-1/#comment-3768 Toomas Römer Tue, 25 Nov 2008 18:38:35 +0000 http://dow.ngra.de/?p=413#comment-3768 @Flux Cool product, seems to be a firewall for HTTP :) Had not heard about it before. @Flux Cool product, seems to be a firewall for HTTP :) Had not heard about it before.

]]> By: Flux http://dow.ngra.de/2008/11/04/script-kiddies-have-awesome-tools/comment-page-1/#comment-3765 Flux Tue, 25 Nov 2008 17:28:30 +0000 http://dow.ngra.de/?p=413#comment-3765 Not sure if it would have helped in this case, but run your web applications behind an application firewall like ModSecurity (http://www.modsecurity.org). If you do use an app firewall, make sure that is actually blocking bad stuff and not just logging that it happened. Not sure if it would have helped in this case, but run your web applications behind an application firewall like ModSecurity (http://www.modsecurity.org).

If you do use an app firewall, make sure that is actually blocking bad stuff and not just logging that it happened.

]]> By: Bert Heymans http://dow.ngra.de/2008/11/04/script-kiddies-have-awesome-tools/comment-page-1/#comment-3130 Bert Heymans Wed, 05 Nov 2008 10:50:47 +0000 http://dow.ngra.de/?p=413#comment-3130 Thanks for the Wordpress security awareness! Thanks for the Wordpress security awareness!

]]> By: Toomas Römer http://dow.ngra.de/2008/11/04/script-kiddies-have-awesome-tools/comment-page-1/#comment-3129 Toomas Römer Wed, 05 Nov 2008 07:23:26 +0000 http://dow.ngra.de/?p=413#comment-3129 @Jon There is a link in the reddit thread, http://www.reddit.com/r/programming/comments/7bcsj/script_kiddies_have_awesome_tools/ @Jon There is a link in the reddit thread, http://www.reddit.com/r/programming/comments/7bcsj/script_kiddies_have_awesome_tools/

]]>