Re: Unwilling phishing site host

Posted by C. on 04/11/07 09:34

On 11 Apr, 09:38, Robin Faichney <r...@robinfaichney.invalid> wrote:
> On Tue, 10 Apr 2007 19:33:08 GMT, "Steve Belanger"
> <desk...@ebinformatique.com> wrote:
> >if your site somewhere has an upload feature, if it's not protected against
> >specific filters, i believe that somebody can upload a php file that way and
> >execute it once it's uploaded.

Not necessarily, just having a file upload script does not necessarily
mean it can be abused. Also, this is not the only route by which a
blackhat can get their code running on your site.

If possible, I would recommend downloading all the files from the site
and comparing with a known 'good' copy to try to identify anything
which has been modified. You should search the code from the server
for any include/require/include_once/require_once which has a non-literal
argument.

From your config you have register globals enabled - this is bad.

> I have some more info now. We were using the PHP contact script from
> http://www.free-php-scripts.net/P/Contact_Form which includes file
> upload facilities, though that option was switched off in the config
> file. The PHP version is actually 4.4.6, and its config details can be
> seen at http://www.theinvisibleeye.org/info.php
>
> Is there anyone in this group who could look at this and check whether
> that PHP installation is vulnerable and/or that script could somehow
> have been used to upload even though the option was off? Or is there a
> more appropriate group for such questions?

It is far more likely that the attacker is targeting a vulnerability
in the code you are using - either the contact form (if this uses
email, there are several attacks including header injection which can
be used against such forms) or even on the webserver or operating
system itself.

Your first port of call would probably be the author(s) of the
contact form thingy.

HTH

C.
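The two checks C. suggests above (diff the live files against a known-good copy, then grep the PHP source for include/require statements whose argument is not a string literal) can be scripted. The following is an added example written for this page, not code from the thread or from the contact-form script; the site trees it runs on are constructed inline (`GOOD` and `LIVE`), and `load_tree()` is the helper you would use to read a real download of the site instead. The include check is line-based and will flag commented-out statements too, which is acceptable for a triage pass.

```python
"""Integrity diff plus dynamic-include scan for a downloaded PHP site tree."""
import hashlib
import re
from pathlib import Path

# include/require/include_once/require_once followed by its argument up to the ';'
INCLUDE_RE = re.compile(r"\b(include_once|require_once|include|require)\b\s*(.+?)\s*;")
# A "safe" argument: single-quoted string, or double-quoted string with no interpolation.
LITERAL_RE = re.compile(r"""^(?:'[^']*'|"[^"$\{]*")$""")


def load_tree(root):
    """Read every .php file under root into {relative_path: source} (for real use)."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace("\\", "/"): p.read_text(errors="replace")
        for p in root.rglob("*.php")
    }


def digest(source):
    """SHA-256 of a file's text, used to compare live files with the known-good copy."""
    return hashlib.sha256(source.encode()).hexdigest()


def diff_tree(good, live):
    """Report files that were added, removed, or changed relative to the good copy."""
    good_keys, live_keys = set(good), set(live)
    return {
        "added": sorted(live_keys - good_keys),
        "missing": sorted(good_keys - live_keys),
        "modified": sorted(
            p for p in good_keys & live_keys if digest(good[p]) != digest(live[p])
        ),
    }


def find_dynamic_includes(source):
    """Return (line_no, statement) for every include/require whose argument is not a literal."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        for m in INCLUDE_RE.finditer(line):
            arg = m.group(2).strip()
            if arg.startswith("(") and arg.endswith(")"):   # include('x') form
                arg = arg[1:-1].strip()
            if not LITERAL_RE.match(arg):
                hits.append((n, m.group(0).strip()))
    return hits


def scan_tree(live):
    """Map each file that contains a dynamic include to its list of hits."""
    return {p: h for p, src in live.items() if (h := find_dynamic_includes(src))}


# Constructed sample trees: the pristine upload and what was pulled back from the server.
GOOD = {
    "index.php": "<?php\nrequire_once 'lib/config.php';\necho 'hello';\n",
    "lib/config.php": "<?php\n$title = 'Site';\n",
}
LIVE = {
    "index.php": "<?php\nrequire_once 'lib/config.php';\necho 'hello';\n",
    "lib/config.php": "<?php\n$title = 'Site';\ninclude($_GET['page'] . '.php');\n",
    "uploads/pic.php": "<?php include $_REQUEST['f']; ?>",
}

if __name__ == "__main__":
    for kind, paths in diff_tree(GOOD, LIVE).items():
        print(f"{kind}: {paths}")
    for path, hits in scan_tree(LIVE).items():
        for line_no, stmt in hits:
            print(f"{path}:{line_no}: {stmt}")
```

Anything listed under `added` or `modified` is what to read first; a dynamic include fed from `$_GET`/`$_REQUEST` is exactly the construct that becomes a file-inclusion hole when register_globals or unvalidated input reaches it.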
