Posted by Robin Faichney on 04/11/07 18:41
Thanks for all the comments. I've notified the webhost about register_globals
being enabled and I've received the following explanation of what seems to
have happened.
"I still think it is that contact.php page. I am almost certain that the
hacking was done through the website and not FTP or another method. My
guess would be that there is a security flaw somewhere in that contact.php
which is allowing file uploads even though it is disabled. This is backed
up by a quick search on Google for "Free-php-Scripts.net contact.php" (as
that's the author site given in the script) for which the results are:
http://www.google.co.uk/search?hl=en&q=Free-php-Scripts.net+contact.php&meta=
One of the entries (there are also other similar ones) is this, which
lists a security flaw in that script:
http://xforce.iss.net/xforce/xfdb/29874
As this is a known vulnerability, hackers probably scanned the internet
for any site using it that they could compromise. There is also a file
called c99.php on your site which is a script designed to help hackers do
whatever they wish ( http://www.google.co.uk/search?hl=en&q=c99.php&meta= ).
My guess is that this is the file that was uploaded using the security
flaw in the script. Once this was uploaded, they then used it to upload
their phishing scam etc. You should remove this c99.php file before the
site goes back online and check all other files in case of additional
changes the hackers made."
--
<http://www.robinfaichney.org/>
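The host's last piece of advice, removing c99.php and checking every other file for changes, is the part most people do by hand and miss things. Below is an added example, not code from the original post or from the hosting provider, of a small triage scanner for that clean-up step: it walks a web root and flags files by known web-shell names (c99, c100, r57), by content indicators typical of PHP shells (eval over a decoded payload, shell functions fed straight from request variables), and by PHP code hiding inside files with image or HTML extensions, which is the classic upload-filter bypass. The indicator list and the sample web root it builds are constructed assumptions for this example, not anything taken from the compromised site.

```python
"""Added example (not from the original post or the hosting provider):
triage scanner for finding c99-style web shells and other tampered files
under a web root. Indicators and the sample site are constructed."""
import os
import re
import tempfile
from pathlib import Path

# Content indicators typical of PHP web shells such as c99. These are an
# illustrative assumption, not an exhaustive signature set.
SHELL_PATTERNS = [
    (re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
     "eval over a decoded payload"),
    (re.compile(rb"\b(passthru|shell_exec|system|proc_open|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
     "shell function fed directly from a request variable"),
    (re.compile(rb"c99sh|c99shell|r57shell", re.IGNORECASE),
     "known web-shell banner string"),
]
# File names that match well-known shell names, case-insensitive.
SHELL_NAMES = re.compile(r"^(c99|c100|r57)\w*\.php$", re.IGNORECASE)
PHP_OPEN_TAG = re.compile(rb"<\?php|<\?=")
# Extensions that should never contain PHP code; a PHP open tag inside
# one of these is a strong sign of an upload-filter bypass.
NON_SCRIPT_EXT = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".html", ".htm"}


def scan_webroot(root):
    """Return {relative_posix_path: [reasons]} for files that look tampered with."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if SHELL_NAMES.match(path.name):
            reasons.append("file name matches a known web-shell name")
        data = path.read_bytes()
        for pattern, reason in SHELL_PATTERNS:
            if pattern.search(data):
                reasons.append("content: " + reason)
        if path.suffix.lower() in NON_SCRIPT_EXT and PHP_OPEN_TAG.search(data):
            reasons.append("PHP open tag inside a %s file" % path.suffix)
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_site():
    """Constructed sample web root (assumption for this example): a clean
    page, a clean contact form, a c99 shell dropped under images/, and a
    phishing directory whose 'logo.gif' carries a PHP payload."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "index.html": b"<html><body>Hello</body></html>",
        "contact.php": b"<?php mail('me@example.org', $_POST['subject'], $_POST['body']); ?>",
        "images/c99.php": b"<?php /* c99shell v.1.0 */ eval(base64_decode($_POST['x'])); ?>",
        "bank/logo.gif": b"GIF89a<?php system($_GET['cmd']); ?>",
    }
    for rel, content in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    # Point this at the real document root instead of the sample site.
    root = build_sample_site()
    for rel, reasons in sorted(scan_webroot(root).items()):
        print(os.path.join(root, rel))
        for reason in reasons:
            print("    -", reason)
```

Run it against the real document root in place of the sample site; every hit is something to inspect and either restore from a known-good copy or delete, and anything the host's "check all other files" advice covers that this misses (an altered .htaccess, a modified include) still needs a file-by-file diff against your own backup. The scan does nothing about register_globals: that is a php.ini setting (`register_globals = Off`) the host has to change, and it stays a risk for every script on the account until it is.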