5 comments

[ 2.9 ms ] story [ 22.9 ms ] thread
Poster is spot on that C99 is not very stealth. I remember getting hit with this guy a few months ago -- very easy to diagnose and clean up.
C99 is easy. Finding anything else on the server that the attacker might have touched is not.
How did you get hit by it? I don't understand the attack vector, unless you are allowing php file uploads?
A common way is just script vulnerabilities, allowing execution of arbitrary code. I work at a popular webhosting company, and I've seen cases where apps will execute PHP code inserted as a sooofed User-Agent, POST data, and other weird places. The idea is that you send a payload that executes on the remote host, GETs your shell from some free webhost or another compromised account, and then saves it on the target machine. At that point, you're set.

mod_security can help for people running Apache, and so will using maintained and up to date scripts.