[nycphp-talk] [OT] XSS, Joomla & Remote Shells

Jon Baer jonbaer at jonbaer.com
Thu Jun 28 20:18:04 EDT 2007


I think an even worse attack would be what happened to WordPress not too long ago, the code itself on the distribution servers was tinkered with. It's a little unfair to point out XSS as being only a Joomla issue. It happens to any software that lingers past even a single minor 0.1 upgrade, including C libraries and such.

The bottom line is if you are shared hosting you are leaving "security" in the hands of your ISP, period. If you are running your own boxes and don't have things like Tripwire or Snort running you are going to be unaware of such attacks anyway.

One of the better ways to keep up on it is to monitor files like Bleeding Edge for software you are running ...

http://www.bleedingsnort.com/bleeding-web.rules

- Jon

On Jun 28, 2007, at 3:21 PM, Ben Sgro ((ProjectSkyline)) wrote:

> Hello again,
>
> I've always had an interest in security. Not too long ago a friend was looking
> into deploying joomla for a client. He's a pentester/researcher for a very well
> educated and influential firm = ] , so he had to make sure it was going to be secure.
>
> He started researching and found that many joomla installs had/have been compromised
> via XSS attacks.
>
> Today, he posted the link of a site that had been owned by XSS and the crackers
> installed this web based backdoor script.
>
> I grabbed the script and included it here http://www.projectskyline.com/phplist/r57shell.txt
> to show PHP developers AGAIN how important security is and give us an inside look at
> some of the tools our enemies are armed with.
>
> For those that deploy joomla, this is especially something to watch for.
> For everyone else, just something to check out.
>
> You'll notice this script enables:
>
> - Mail to be sent out (w/ or w/out files attached)
> - Commands to be run.
> - Search for SUID, writable directories, files, tmp files ...
> - Outgoing connections to be established
> - Some kind of IRC implementation
> - SQL to be run
> - Files can be downloaded and uploaded
> - and much, much more.
>
>
> - Ben
>
> Ben Sgro, Chief Engineer
> ProjectSkyLine - Defining New Horizons
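Jon's point about Tripwire and Ben's list of what the dropped shell can do come down to the same defensive check: know what the web root looked like when it was clean, and notice when that changes. The script below is an added example written for this archive page, not code from either poster or from the Joomla project. It takes a SHA-256 baseline of a directory, diffs a later snapshot against it, and ranks added or modified PHP files that land in web-writable directories or contain the request-to-eval primitives such shells rely on. The directory layout, the list of "web-writable" directory names and the sample file contents are all constructed for the demo.

```python
"""Tripwire-style integrity check for a web root (added example, not from the list).

Assumptions (mine, not the thread's): the baseline is taken right after a clean
deploy and stored outside the web root; later runs diff the live tree against it.
"""
from __future__ import annotations

import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

# Constructed, Joomla-style directory names that the web server may write to.
# A new .php file appearing here is the classic sign of an uploaded shell.
WEB_WRITABLE_DIRS = ("images", "cache", "tmp", "media")

# Primitives a PHP backdoor needs: code execution fed from request input.
SUSPICIOUS_PATTERNS = (
    b"eval(", b"base64_decode(", b"shell_exec(", b"passthru(",
    b"$_REQUEST", b"$_GET[", b"$_POST[",
)


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    root_path = Path(root)
    result: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks are reported by the target they point at, if any
            result[p.relative_to(root_path).as_posix()] = hash_file(p)
    return result


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classic integrity-monitor report: what appeared, vanished, or changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def triage(root, report: dict[str, list[str]]) -> list[dict]:
    """Rank changed files: PHP in web-writable dirs or with shell-like primitives."""
    findings = []
    for rel in report["added"] + report["modified"]:
        p = Path(root) / rel
        reasons = []
        if p.suffix.lower() in (".php", ".phtml", ".php5"):
            if rel.split("/")[0] in WEB_WRITABLE_DIRS:
                reasons.append("php-in-writable-dir")
            data = p.read_bytes()
            hits = [pat.decode() for pat in SUSPICIOUS_PATTERNS if pat in data]
            if hits:
                reasons.append("patterns:" + ",".join(hits))
        if reasons:
            findings.append({"path": rel, "reasons": reasons})
    return findings


def demo() -> tuple[dict[str, list[str]], list[dict]]:
    """Build a constructed web root, baseline it, simulate a compromise, and report."""
    work = Path(tempfile.mkdtemp(prefix="webroot-"))
    try:
        (work / "images").mkdir()
        (work / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (work / "images" / "logo.png").write_bytes(b"\x89PNG constructed")
        baseline = snapshot(work)  # in practice: json.dump() this outside the web root

        # Constructed post-compromise changes: a dropped shell plus an edited file.
        (work / "images" / "sh.php").write_text('<?php @eval($_POST["c"]); ?>\n')
        with (work / "index.php").open("a") as f:
            f.write("<?php include 'images/sh.php'; ?>\n")

        report = diff_snapshots(baseline, snapshot(work))
        findings = triage(work, report)
        return report, findings
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    report, findings = demo()
    print(json.dumps({"report": report, "findings": findings}, indent=2))
```

The diff alone already surfaces both changes; the triage step only decides which one to look at first. Keep the baseline file (and this script) outside the document root, since anything the web server can write, a shell running as the web server can rewrite.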
