Posted by Al Kolff on 04/17/07 21:50

"Robin Faichney" <robin@robinfaichney.invalid> wrote in message
news:saaq13ta1h3jvn4rnm8nvog2qku6vhjuh8@4ax.com...
> Thanks for all the comments. I've notified the webhost about register
> globals being enabled and I've received the following explanation of
> what seems to have happened.
>
> "I still think it is
> that contact.php page. I am almost certain that the hacking was done
> through the website and not FTP or another method. My guess would be
> that there is a security flaw somewhere in that contact.php which is
> allowing file uploads even though it is disabled. This is backed up by
> a
> quick search on google for "Free-php-Scripts.net contact.php" (as
> that's
> the author site given in the script) for which the results are:
> http://www.google.co.uk/search?hl=en&q=Free-php-Scripts.net+contact.php&
> meta=
>
> One of the entries (there are also other similar ones) is this, which
> lists a security flaw in that script:
> http://xforce.iss.net/xforce/xfdb/29874
>
> As this is a known vulnerability, hackers probably scanned the
> internet
> for any site using it that they could compromise. There is also a file
> called c99.php on your site which is a script designed to help hackers
> do whatever they wish (
> http://www.google.co.uk/search?hl=en&q=c99.php&meta= ). My guess is
> that
> this is the file that was uploaded using the security flaw in the
> script. Once this was uploaded, they then used it to upload their
> phishing scam etc. You should remove this c99.php file before the site
> goes back online and check all other files in case of additional



> changes
> the hackers made."
> --
> <http://www.robinfaichney.org/>

Robin,
While I love PHP this is one of those times it might pay to use perl along
with php. Contact pages and forms are gateways to all kinds of problems.
"nms formmail" works great and is fairly secure.( Just don't emulate matts
formmail or turn off the security features.

To protect your self from the scriptkiddies rename your scripts and files
and modify your code to match. How do I know these things? Being black
listed is no picnic to overcome.

God bless,
al

• Next in forum: Re: Printing Avery Labels from a web site
• Prev in forum: Re: best practices confusion between framework v.templating ?
• Thread view: Re: Unwilling phishing site host

[Reply to this message]