[nycphp-talk] [OT] XSS, Joomla & Remote Shells

Jon Baer jonbaer at jonbaer.com
Thu Jun 28 22:22:25 EDT 2007


Just for reference:
http://wordpress.org/development/2007/03/upgrade-212/

BTW, you said it nicely, the point being that many smaller shops
don't have time for monitoring items that Snort or Tripwire pick up
(Network Security Monitoring). Neither do I, but staying on top of
the packages you do run and the available signatures via RSS/email at
least keeps you aware of what is out there.

- Jon

On Jun 28, 2007, at 8:44 PM, Ben Sgro ((ProjectSkyline)) wrote:

> Hello Jon,
>
> Great points.
>
> I think an even worse attack would be what happened to WordPress
> not too long ago: the code itself on the distribution servers was
> tinkered with.
>
> Wow, that's really awful. Didn't know about that.
>
>
> It's a little unfair to point out XSS as being only a Joomla issue.
>
> I didn't mean to say Joomla only has XSS problems...in fact, I  
> don't think I did.
>
> I've used Snort in the past, and Tripwire. I find Snort tough,
> because you have to keep up w/the signatures, and thus it requires
> time and attention. In a small company such as mine, I'd love to
> set it up, but I don't have the time to monitor and adjust it.
>
> Plus, Snort is not the end-all-be-all. It's signature-based
> detection, and as far as I know doesn't address polymorphic code.
> But Snort is a key part of an overall strong detection system.
>
> Great link BTW, I haven't messed w/snort in years.
>
> - Ben
>
> Ben Sgro, Chief Engineer
> ProjectSkyLine - Defining New Horizons
> ----- Original Message -----
> From: Jon Baer
> To: NYPHP Talk
> Sent: Thursday, June 28, 2007 8:18 PM
> Subject: Re: [nycphp-talk] [OT] XSS, Joomla & Remote Shells
>
> I think an even worse attack would be what happened to WordPress
> not too long ago: the code itself on the distribution servers was
> tinkered with. It's a little unfair to point out XSS as being only
> a Joomla issue. It happens to any software that lingers past even
> a single minor 0.1 upgrade, including C libraries and such.
>
> The bottom line is if you are on shared hosting you are leaving
> "security" in the hands of your ISP, period. If you are running
> your own boxes and don't have things like Tripwire or Snort running
> you are going to be unaware of such attacks anyway.
>
> One of the better ways to keep up on it is to monitor files like
> Bleeding Edge for software you are running ...
>
> http://www.bleedingsnort.com/bleeding-web.rules
>
> - Jon
>
> On Jun 28, 2007, at 3:21 PM, Ben Sgro ((ProjectSkyline)) wrote:
>
>> Hello again,
>>
>> I've always had an interest in security. Not too long ago a friend
>> was looking into deploying Joomla for a client. He's a
>> pentester/researcher for a very well educated and influential
>> firm = ] , so he had to make sure it was going to be secure.
>>
>> He started researching and found that many Joomla installs had/have
>> been compromised via XSS attacks.
>>
>> Today, he posted the link of a site that had been owned by XSS and
>> the crackers installed this web-based backdoor script.
>>
>> I grabbed the script and included it here
>> http://www.projectskyline.com/phplist/r57shell.txt
>> to show PHP developers AGAIN how important security is and give us
>> an inside look at some of the tools our enemies are armed with.
>>
>> For those that deploy Joomla, this is especially something to
>> watch for. For everyone else, just something to check out.
>>
>> You'll notice this script enables:
>>
>> - Mail to be sent out (w/or w/out files attached)
>> - Commands to be run.
>> - Search for SUID, writable directories, files, tmp files ...
>> - Outgoing connections to be established
>> - Some kind of IRC implementation
>> - SQL to be run
>> - Files can be downloaded and uploaded
>> - and much, much more.
>>
>>
>> - Ben
>>
>> Ben Sgro, Chief Engineer
>> ProjectSkyLine - Defining New Horizons
>> _______________________________________________
>> New York PHP Community Talk Mailing List
>> http://lists.nyphp.org/mailman/listinfo/talk
>>
>> NYPHPCon 2006 Presentations Online
>> http://www.nyphpcon.com
>>
>> Show Your Participation in New York PHP
>> http://www.nyphp.org/show_participation.php

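As an added example (not code from this thread, nor from Tripwire, Snort or any tool named in it), here is a minimal Tripwire-style check in Python along the lines Jon describes: baseline the file hashes under a web root, report anything added, removed or changed since, and flag new or modified files that carry the kind of indicators an r57shell-type PHP backdoor shows (command-execution functions, eval wrapped around a decoder). The indicator set, the sample web root and the planted file are constructed for the example; a real deployment would store the baseline off-host and feed the flagged paths into whatever alerting the shop already reads.

```python
import hashlib, os, re, tempfile

# Indicators common to PHP web shells of the r57shell kind (constructed, not a full signature feed).
SHELL_PATTERNS = {
    "exec-function": re.compile(rb"\b(system|exec|passthru|shell_exec|popen|proc_open)\s*\("),
    "eval-decoded": re.compile(rb"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
}

def baseline(root):
    """Tripwire-style snapshot: relative path -> SHA-256 for every file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                snap[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return snap

def suspicious(path):
    """Names of indicator patterns found in the file; an empty list means none matched."""
    with open(path, "rb") as f:
        data = f.read()
    return [name for name, pat in SHELL_PATTERNS.items() if pat.search(data)]

def scan_changes(root, old):
    """Diff root against a stored baseline; run the indicator scan only on new or changed files."""
    new = baseline(root)
    added = sorted(new.keys() - old.keys())
    removed = sorted(old.keys() - new.keys())
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    flagged = {p: suspicious(os.path.join(root, p)) for p in added + modified}
    return {"added": added, "removed": removed, "modified": modified,
            "flagged": {p: hits for p, hits in flagged.items() if hits}}

def demo():
    """Constructed web root: take a baseline, then simulate a dropped file and a benign edit."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello'; ?>\n")
    old = baseline(root)
    # Planted sample carries the decoder-stage indicator; the base64 decodes to the word "constructed".
    with open(os.path.join(root, "images", ".cache.php"), "w") as f:
        f.write('<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>\n')
    with open(os.path.join(root, "index.php"), "a") as f:
        f.write("// routine edit by the site owner\n")
    return scan_changes(root, old)
```

The benign edit shows up under "modified" but not under "flagged", which is the distinction that keeps a check like this from drowning in noise after every legitimate deploy.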