[wp-testers] c99shell.php and uploading php files

Neil Mickelson neil at scottierocket.com
Fri Nov 3 01:55:10 GMT 2006


That raises an interesting point...in a shared hosting environment (I 
also use Dreamhost), folks may want to consider removing "group" and 
"other" read permissions (in addition to the obvious write permission 
removals). In my case (Dreamhost), doing so did NOT break my Wordpress 
installation (which I was kind of surprised by, frankly).

Your mileage may vary...

Neil

Rafael Rivera Jr. wrote:
> Are you letting the install.php script create wp-config.php? Last I 
> checked, the installer creates this file with 666 perms...
>
> Rafael
>
> Rick Beckman wrote:
>> My host (Dreamhost) said it was a problem with Wordpress or one of its
>> plugins and left it at that.
>>
>> The only files the cracker accessed though were related to login, dashboard,
>> presentation, theme editor, and c99.php (a name variant of the
>> c99shell.php script).
>>
>> I'm not upset with Wordpress--moreso my host for being less than
>> helpful--and was only wondering if it was a possible vulnerability. If it
>> was strictly password related, it's hard to imagine it happening twice
>> without repeated accesses of the login file.
>>
>> Oh well,
>> Rick :-)
>>
>> On 11/2/06, steve caturan <scaturan at negimaki.com> wrote:
>>>
>>> looks like a local security breach. :) so forward your findings to
>>> your host. they need to work with you to resolve the issue.
>>>
>>> On 11/2/06, Rick Beckman <rick.beckman at gmail.com> wrote:
>>> > Using 2.0.5, I have had my whole hosting account wiped out twice via a user
>>> > being able to upload a script (commonly called c99shell.php) which is able
>>> > to do a number of malicious things. From what I have seen online via a few
>>> > Google searches, users are able to upload via the File Upload in the
>>> > Wordpress admin without logging in. However, I also noticed in my logs that
>>> > the user was toying around in the Wordpress theme editor, but I have no idea
>>> > what he was doing. And passwords were all changed between the site
>>> > defacings.
>>> >
>>> > So, I'm just writing to confirm whether or not such a thing is possible (i.e.,
>>> > could WordPress be to blame?) and is there a way to forbid the uploading of
>>> > php files?
>>> >
>>> > --
>>> > Rick Beckman
>>> > _______________________________________________
>>> > wp-testers mailing list
>>> > wp-testers at lists.automattic.com
>>> > http://lists.automattic.com/mailman/listinfo/wp-testers
>>> >
>
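An added example (not from the thread or from WordPress itself) that turns the two points above into a quick audit a shared-hosting user could run: check that wp-config.php carries no group/other permission bits (the 666 installer default Rafael mentions, and the read bits Neil removed), and list any .php files that have landed in wp-content/uploads, which is where an uploaded c99shell.php would normally sit. The install path is passed as an argument; all function names are my own.

```sh
#!/bin/sh
# Audit a WordPress tree for the two issues raised in the thread.
# Usage: audit_wp /path/to/wordpress   (path is an assumed argument)

# Return 0 when wp-config.php has no group/other bits at all (e.g. 600),
# 1 when it does, 2 when the file is missing. GNU stat first, BSD fallback.
wp_config_private() {
    f="$1/wp-config.php"
    [ -f "$f" ] || { echo "missing: $f"; return 2; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    mode=$(printf '%04d' "$mode")          # pad so "0" becomes "0000"
    go=$(printf '%s' "$mode" | tail -c 2)  # last two digits: group, other
    [ "$go" = "00" ] && return 0
    echo "wp-config.php mode $mode: group/other have access"
    return 1
}

# Return 0 when no .php files exist under the upload directory, 1 otherwise.
# Only the first 20 hits are printed to keep output readable on a large site.
uploads_php_free() {
    d="$1/wp-content/uploads"
    [ -d "$d" ] || return 0
    found=$(find "$d" -type f -name '*.php' | head -n 20)
    [ -z "$found" ] && return 0
    echo "PHP files in uploads:"
    echo "$found"
    return 1
}

# Apply Neil's change: owner-only access to wp-config.php. As he notes, this
# may not suit every host; PHP must run as the file's owner for 600 to work.
harden_wp_config() {
    chmod 600 "$1/wp-config.php"
}

# Run both checks; return non-zero if either finds something.
audit_wp() {
    rc=0
    wp_config_private "$1" || rc=1
    uploads_php_free "$1" || rc=1
    return $rc
}
```

Run it as the account owner, since stat and find need read access to the tree; a non-zero exit means at least one finding was printed.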