PHP extracting rar files.

#1 | scott2500uk | 03-02-08, 06:56 AM

I currently have a file uploader script on my site and I allow rar and zip files to be uploaded, but to my amazement I saw a lot of rar files being uploaded and then saw that they were being extracted, revealing php files.

Luckily for me I stop the read access of php scripts in my upload directory so the user was not able to run these php scripts.

What has me stumped is how the user managed to extract these rar files?

Does anyone know how they might have done that?

Firstly, I have no files anyway on my webserver that have unrar functionality.

#2 | Nico | 03-02-08, 07:12 AM

You need the RAR extension. http://www.php.net/rar

Either that, or you need an executable which you can call via exec().

#3 | End User | 03-02-08, 08:32 AM

Quote:
Originally Posted by scott2500uk View Post
I currently have a file uploader script on my site and I allow rar and zip files to be uploaded, but to my amazement I saw a lot of rar files being uploaded and then saw that they were being extracted, revealing php files.
Your server is likely compromised now. You should have your ISP run a thorough check of the system for backdoors, rootkits, etc etc.

Quote:
Originally Posted by scott2500uk View Post
What has me stumped is how the user managed to extract these rar files?
As Nico mentioned, your server may already have the RAR extension loaded, or the hackers may have previously uploaded files that allowed them to install the RAR extension without your knowledge.
__________________
I don't live on the edge, but sometimes I go there to visit.
-------------------------------------------------------------------------
Sanitize Your Data (scroll down)

#4 | Nico | 03-02-08, 08:37 AM

Another thought is, are you sure they extracted the file? Or could they have fooled your uploader by giving the uploaded php file a fake MIME type?

In your script, are you relying on the type value in $_FILES['file']['type'] to verify the files?

#5 | End User | 03-02-08, 12:34 PM

Quote:
Originally Posted by Nico View Post
In your script, are you relying on the type value in $_FILES['file']['type'] to verify the files?
Also known as "Certain Death".

#6 | scott2500uk | 03-04-08, 02:26 AM

They didn't fake the MIME type, as they uploaded a rar file and when I downloaded it, it had the c99 shell inside it. Looking in the directory they had uploaded the file to, they had managed to extract the c99 file to the same directory as the rar was in.

My webhost provider has looked over the server and nothing seems out of place.

The upload directory was the only place with write permissions, so they could only upload files there. They could look at the source of my files but not config files, as I keep them outside readable directories.

The only bad thing they did was to chmod the upload folder to 0101 so I was unable to use that folder. A quick email to my webhosting provider and they deleted the folder for me.

They must have used an exploit in the CMS I'm using to run an exec() command to unrar the file they had uploaded. I'm sure we have unrar loaded up, as cPanel uses that function.

The thing is, there are no known exploits in the CMS I'm using for running remote commands.

I'm still lost at how they did it.....

Edit: Nico, I don't use that method to check file type. I check the extensions used on the file, e.g. .jpg, .gif, etc. If any don't match my allowed extensions, then the file is blocked.

Plus, if any files are uploaded with these extensions:

$imagetypes = "gif|jpg|png|swf|swc|psd|tiff|bmp|iff|jp2|jpx|jb2|jpc|xbm|wbmp";

I use get_image_size() to check they are actual images, not just php files with renamed extensions.

Last edited by scott2500uk; 03-04-08 at 02:32 AM. Reason: update
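
An upload check along the lines discussed in this thread, added here as an example and not code from any poster: it never consults the client-supplied `$_FILES[...]['type']`, verifies content with fileinfo, and lists zip members before storing the file under a server-chosen name. `validate_upload()`, the allowlist and the blocked-member pattern are hypothetical, the fileinfo and zip extensions are assumed to be enabled, and rar archives (which need the PECL rar extension) are not covered.

```php
<?php
// Added example, not from the thread. validate_upload(), ALLOWED and
// BLOCKED_MEMBERS are hypothetical names chosen for illustration.

// Extension => MIME types that fileinfo must report for the file's content.
const ALLOWED = [
    'jpg' => ['image/jpeg'],
    'png' => ['image/png'],
    'gif' => ['image/gif'],
    'zip' => ['application/zip'],
];
// Member names refused inside an uploaded archive.
const BLOCKED_MEMBERS = '/\.(php\d?|phtml|phar|cgi|pl|htaccess)$/i';

function validate_upload(array $file, string $storeDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // $file['type'] is sent by the client and is deliberately ignored.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Detect the type from the bytes on disk, then require it to match the extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException("content is $mime, not a valid .$ext");
    }
    if ($ext === 'zip') {
        $zip = new ZipArchive();
        if ($zip->open($file['tmp_name']) !== true) {
            throw new RuntimeException('unreadable archive');
        }
        // Walk the member list without extracting anything.
        for ($i = 0; $i < $zip->numFiles; $i++) {
            if (preg_match(BLOCKED_MEMBERS, (string) $zip->getNameIndex($i))) {
                throw new RuntimeException('archive contains a script file');
            }
        }
        $zip->close();
    }
    // Server-chosen name; $storeDir should sit outside the document root.
    $dest = $storeDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}
```

Call it from the upload handler as `validate_upload($_FILES['file'], '/srv/uploads')`, where the directory path is a placeholder, and treat any `RuntimeException` as a rejected upload.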
All times are GMT -5.