On a Hacker's trail

Written by - 2 comments

Published on - Listed in Internet Linux PHP Hacks

During the last days I've noticed a weird behavior on one of a web server I manage. It all started with an abnormal utilization of system resources - but no further evidence was detected. Until I saw weird processes running as Apache user which shouldn't be there:

www-data 10979  0.0  0.0  23672  3788 ?        S    Jan19   0:00 /usr/sbin/cron
www-data 11005  0.0  0.0  22744  3396 ?        S    Jan19   0:00 /usr/sbin/httpd
www-data 28561  0.1  0.1  23564  4436 ?        S    09:12   0:24 /sbin/log

There were several different processes at different times of the day but I won't list them all now. Even a Linux novice will see that these processes don't fit in so where the hell did they come from? That they've been started by a web browser is obvious but the difficult thing is to find the exact method for about 300 websites on that server.

After some research in the right files I found this: - - [24/Jan/2011:09:12:42 +0100] "POST /catalog/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 13142 "-" "libwww-perl/5.837" - - [24/Jan/2011:09:12:44 +0100] "POST /catalog/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 13142 "-" "libwww-perl/5.837"

This clearly shows the POST method which was used to upload files into a chmodded 777 directory. After a manual check of the web account's files and websites this turned out to be an OSCommerce webshop. The hacker used a security vulnerability of this web-application to be able to upload anything he wanted to - which turned out to be STUNSHELL. A kind of small hacking-webpage built with tools and scripts to execute on the attacked server.


I hope this information can help any administrator out there who finds such processes mentioned above running on his system. My research on the Internet didn't get me any results. Watch out for files named like these


These are typical files used by the discovered STUNSHELL. Already if some customers on your webserver uses OSCommerce, administrators should be very careful!

Add a comment

Show form to leave a comment

Comments (newest first)

Claudio from Switzerland wrote on Jul 12th, 2011:

The hacker used the vulnerability of OSCommerce to upload files to the server - as mentioned. Stunshell isn't a real shell, it's a very smart php script using several files. Once these files are all on the server, the 'shell' can be launched via browser.

Paul from Ausralia wrote on Jul 12th, 2011:

Any idea how the stunshell got there in the first place?