Yesterday I was putting together some new templates for the webhoneypot project with a focus on PHP shells. Things like r57, c99 and their derivatives. Then I looked at more “mainstream” applications like PHP Shell or PHPTerm and I started wondering: how many unsecured instances of these are there on the web?
The answer: a quick search-engine snooping turned up a couple of hundred (~800) instances. I didn’t check all of them, but the random picks a viewed were not secured by any password. And these are only the instances the search engine has indexed! If somebody would try to guess paths by brute-force on webservers (or potentially look in the robots.txt and check out those directories), I bet that many more instances could be found.
Just so that it doesn’t seem like I’m targeting PHP: urlrepl (a mod_rewrite like addin for older versions of IIS), exposes by default the configuration interface anyone accessing the given webserver. Now, a quick search didn’t turn up any instances, but it is still a bad practice.
So there you have it: hundreds of webservers you can own easily and then do whatever you like (bug all the sites on the machine to infect their visitors, host phising websites, etc). This is a very sad state, but I don’t see how this can get better as long as we are pushing for “ease of use” and most people don’t see value in security...
Picture taken from vanRijn's photostream with permission.