Server compromised Zen-Cart "record company" Exploit

Bogdan Webb bogdan at
Mon Feb 1 17:19:50 UTC 2010

Indeed it's pretty tricky with safe_mode, like for certain i know that a
version of a popular r57 shell had safe_mode bypass - i was stunned to check
the shell myself on my server... and i was thinking that safe_mode is
enough... (+ i was using the suhoshin patch *witch in fact does nothing
regarding straightening the php) then i came over suhoshin the addon (witch
on my BSD with lighttpd it could be loaded only using Zen framework... for
unknown reasons to me) the suhoshin was configured to blacklist some basic
commands that allow php to directly run shell commands:

suhosin.executor.func.blacklist =

thus even if hackers find bugs in some php apps it would be harder to get a
shell... i say harder because it's impossible to prevent that - there are
mysql ways to get shell and so on ... so it's not 100% foolproof, but it's

here's some examples on how suhoshin alerts the attacks:

Jan  2 02:17:00 pgn suhosin[75216]: ALERT - tried to register forbidden
variable '_SERVER[DOCUMENT_ROOT]' through GET variables (attacker
'', file '/usr/home/wwww/pgnlinks/index.php')

Dec 16 23:43:36 pgn suhosin[87560]: ALERT - function within blacklist
called: shell_exec() (attacker '', file
'/usr/home/wwww/pvpwww/junkforum/Sources/Subs.php', line 3531)

*note - these are logs from /var/log/messages and the last message is a
false-positive (i thinks it's called that way) it's a basic function of SMF
board to check the DNS with a linux command, but i just wanted to point out
how it handles the blacklist...

here's a more detailed info regarding attacks (attempts) stored in the
webserver's log file (in my case lighttpd):

2010-01-19 02:21:53: (mod_fastcgi.c.2698) FastCGI-stderr: ALERT - ASCII-NUL
chars not allowed within request variables - dropped variable 'list'
(attacker '', file '/usr/home/wwww/pgnlinks/index.php')
2010-01-19 02:21:54: (mod_fastcgi.c.2698) FastCGI-stderr: ALERT - ASCII-NUL
chars not allowed within request variables - dropped variable 'c' (attacker
'', file '/usr/home/wwww/pgnlinks/index.php') - [19/Jan/2010:02:20:43 +0200] "GET
/index.php?list= HTTP/1.1" 302 0 "-"
"Mozilla/3.0 (compatible; Indy Library)" - [19/Jan/2010:02:20:43 +0200] "GET /index.php?c= HTTP/1.1" 200 3304 "-" "Mozilla/3.0
(compatible; Indy Library)" - [19/Jan/2010:02:21:53 +0200] "GET
HTTP/1.1" 200 3307 "-" "Mozilla/3.0 (compatible; Indy Library)" - [19/Jan/2010:02:21:54 +0200] "GET
HTTP/1.1" 200 3306 "-" "Mozilla/3.0 (compatible; Indy Library)"

My server has safe_mode off - bcoz it's not needed (at least in my mind... i
might be mistaking) and check out the phpinfo.php file i've got and see the
suhoshin settings....

stay safe!

More information about the freebsd-questions mailing list