July 12, 2008
It is not uncommon for phishing pages to be hosted on compromised web servers. When this happens, the web server is typically used for a variety of malicious activities besides phishing. Some time ago we saw a case where such a site was hosting an XSS-based botnet tool.
With this post, I'll start a brief series (probably 3-4 installments in total) on the interesting things you can find on web sites that are taken over to host phishing pages. For today, the topic is PHP shells.
PHP shells are PHP scripts that allow one to execute a number of commands on a remote server through a simple web-based interface. They are used by attackers to easily manage the compromised server, install new tools, attack other sites, and so on.
Here is a screenshot of one of these shells:
[screenshot of a PHP shell's web interface]
From what I've seen, the most commonly used shells are C99Shell, w4ck1ng, N3tShell, Room Hacker shell, SimAttacker, Locus7s, Vop-Cr3W shell, storm7shell, Safe0ver, Enqu!nx, PHPShell, BK-Code Shell, r57shell, K-H shell, HaTeX shell, phpRemoteView, UniXShell, and BLaCkSHeLL. Many of these shells exist in multiple versions, with changes ranging from simple modding (e.g., adding scrolling text in the header of the page saying "ccpower was here !") to the introduction of new features.
In terms of functionality, the basic commands include file system management (listing of directories, changing the attributes of files), file upload, and command execution on the server. More advanced features allow the attacker to
Some shells even have the ability to check for updates and to self-remove from the remote server. At least some people are keeping their software updated...
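The traits listed above (command execution driven by request parameters, file upload handling, self-removal, obfuscated payloads, and the banner names of the common shell families) are exactly what a defender can look for when sweeping a web root. The following Python script is an added example, not code from this post; it scores PHP files against those traits. The indicator regexes, their weights, the verdict thresholds and the two embedded sample files are my own constructions, and a hit is a triage lead rather than proof.

```python
"""Heuristic scanner for PHP-shell-like scripts on a web host.

Added example (not from the original post). Each indicator fires at most once
per file; the score is the sum of the weights of the indicators that fired.
Weights and thresholds are assumptions chosen for illustration.
"""
import os
import re
from dataclasses import dataclass, field

# Shell family names quoted in the post; a banner match is a cheap indicator.
KNOWN_SHELL_NAMES = (
    "c99shell", "r57shell", "w4ck1ng", "n3tshell", "simattacker", "locus7s",
    "storm7shell", "safe0ver", "phpremoteview", "unixshell", "blackshell",
)

# (name, weight, pattern): behaviours the post attributes to PHP shells.
INDICATORS = (
    ("exec_from_request", 5, re.compile(
        r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("exec_function", 1, re.compile(
        r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)),
    ("eval_decoded", 4, re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("eval_function", 1, re.compile(r"\beval\s*\(", re.I)),
    ("upload_handler", 2, re.compile(r"\bmove_uploaded_file\s*\(", re.I)),
    ("chmod_from_request", 2, re.compile(r"\bchmod\s*\([^;]*\$_(GET|POST|REQUEST)\b", re.I)),
    ("self_delete", 3, re.compile(r"\bunlink\s*\(\s*__FILE__\s*\)", re.I)),
    ("long_base64_blob", 2, re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")),
)
BANNER_WEIGHT = 3
PHP_EXTENSIONS = (".php", ".php5", ".phtml", ".inc")


@dataclass
class ScanResult:
    path: str
    score: int = 0
    indicators: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Thresholds are assumptions; tune them against your own code base.
        if self.score >= 8:
            return "likely shell"
        if self.score >= 3:
            return "review"
        return "clean"


def scan_php_source(src: str, path: str = "<string>") -> ScanResult:
    """Score one PHP source text; indicators are recorded by name."""
    result = ScanResult(path)
    for name, weight, pattern in INDICATORS:
        if pattern.search(src):
            result.indicators.append(name)
            result.score += weight
    lowered = src.lower()
    for shell_name in KNOWN_SHELL_NAMES:
        if shell_name in lowered:
            result.indicators.append("banner:" + shell_name)
            result.score += BANNER_WEIGHT
    return result


def scan_tree(root: str) -> list:
    """Scan every PHP-like file under root, highest score first."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(PHP_EXTENSIONS):
                full = os.path.join(dirpath, fn)
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    results.append(scan_php_source(fh.read(), full))
    return sorted(results, key=lambda r: r.score, reverse=True)


# Constructed fixture: an ordinary contact form, for comparison.
BENIGN_SAMPLE = """<?php
$name = htmlspecialchars($_POST['name'] ?? '');
$msg  = htmlspecialchars($_POST['message'] ?? '');
if ($name !== '' && $msg !== '') {
    mail('webmaster@example.com', 'Contact form', "$name wrote: $msg");
    echo '<p>Thanks!</p>';
}
"""

# Constructed fixture carrying the traits the post describes; the base64
# blob is dummy data, present only to trip the obfuscation indicators.
SHELL_LIKE_SAMPLE = """<?php
// c99shell modded - ccpower was here !
if (isset($_REQUEST['cmd'])) { passthru($_REQUEST['cmd']); }
if (isset($_FILES['f'])) { move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']); }
eval(gzinflate(base64_decode('""" + "A" * 240 + """')));
if (isset($_GET['selfremove'])) { unlink(__FILE__); }
"""

if __name__ == "__main__":
    for label, sample in (("contact.php", BENIGN_SAMPLE), ("img.php", SHELL_LIKE_SAMPLE)):
        r = scan_php_source(sample, label)
        print(f"{r.path:12} score={r.score:3} {r.verdict:13} {', '.join(r.indicators)}")
```

Running the script prints the benign form as clean and the fixture as a likely shell, with the individual indicators listed so an analyst can see why. On a real host, call `scan_tree("/var/www")` and review the top of the list together with file modification times and upload directories; the weak indicators (`exec_function`, `eval_function`) will fire on legitimate administration scripts, which is why they carry low weight.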
nice article, keep the posts coming