My site hockeysnack.com has been under hacker attack lately. Well, it is constantly under attack by bots, but this time the site was targeted by a real hacker. The hacker first signed up as a regular user with the clever username "putinn" and then started to upload various scripts wherever he could.
Uploading PHP scripts is forbidden (in code), so he tried to upload the script under other file formats. This is what he tried to upload:
Fortunately I had already written protection against such attacks, so the hacker had no luck and went somewhere else. When I found out about the attack I started to investigate it further. The attack uses the eval(base64_decode( attack vector, the same one I discovered earlier. For fun and curiosity I ran the attack code in a sandbox environment. What showed up was a shell called n3tshell.
It contains many features, such as brute-forcing FTP logins and running SQL queries. The image above shows the menu and a complete file browser that can edit, delete and create files.
The picture above shows more features. The attacker can execute every command that is available to the user running the web server process. He could also upload files and do much more. It is a very powerful tool if the hacker manages to get the script running on the server.
The conclusion is to take the "submit/upload" threat very seriously. Everything that a user can submit to your site has to be checked for EVERY POSSIBLE attack vector.
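As an added example (my own code, not the protection running on hockeysnack.com), here is a PHP upload check that turns the lessons above into concrete tests: an extension whitelist, rejection of script extensions hidden in names like shell.php.jpg, content sniffing with finfo so the bytes have to match the claimed type, and a scan for the eval(base64_decode( pattern the attacker used. The image-only assumption and the function name are mine.

```php
<?php
// Added example: validate an uploaded file before it is accepted.
// Assumes the site only accepts images; adjust ALLOWED for other types.
const ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
];

// Returns a list of problems; an empty list means the upload passed every check.
function uploadProblems(string $tmpPath, string $origName): array
{
    $problems = [];
    $parts = explode('.', strtolower(basename($origName)));
    if (count($parts) < 2) {
        return ['no file extension'];
    }
    $ext = array_pop($parts);
    if (!isset(ALLOWED[$ext])) {
        $problems[] = "extension .$ext is not allowed";
    }
    // "shell.php.jpg": a script extension hidden in an inner part of the name.
    // Some server configurations execute such files based on the inner extension.
    foreach ($parts as $inner) {
        if (preg_match('/^(php\d*|phtml|phar|cgi|pl|sh)$/', $inner)) {
            $problems[] = "script extension .$inner hidden in file name";
        }
    }
    // Sniff the real content type; the name is attacker-controlled, the bytes are not.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath) ?: 'unknown';
    if (isset(ALLOWED[$ext]) && !in_array($mime, ALLOWED[$ext], true)) {
        $problems[] = "content is $mime, which does not match .$ext";
    }
    // Scan the whole file: a PHP open tag or an eval(base64_decode( style loader
    // has no business inside an image, even in metadata.
    $data = file_get_contents($tmpPath);
    if (preg_match('/<\?(php|=)/i', $data)) {
        $problems[] = 'file contains a PHP open tag';
    }
    if (preg_match('/eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(/i', $data)) {
        $problems[] = 'file contains an eval(decode(...)) payload loader';
    }
    return $problems;
}

// Usage inside the upload handler (the form field name "upload" is assumed):
if (isset($_FILES['upload']) && is_uploaded_file($_FILES['upload']['tmp_name'])) {
    $problems = uploadProblems($_FILES['upload']['tmp_name'], $_FILES['upload']['name']);
    if ($problems !== []) {
        http_response_code(400);
        exit('Upload rejected: ' . implode('; ', $problems));
    }
}
```

Files that pass should still be stored under a server-generated name in a directory where the web server does not execute scripts, so a check that is bypassed later does not become a shell.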