scot wrote:
Hi there,
Not sure if this is the proper place to post but here it goes. We got nailed by
someone using c99shell today. They were able to upload and overwrite a bunch
of index files. I am working on discovering how they were able to get it on
our server. Here's some basic info. I am by no means a PHP expert. Should
things be different? Is there a good paper out there somewhere in regards to
Windows / IIS5 / PHP security?
<snip>
Chances are the problem is one of the scripts written in PHP rather than
PHP itself. A good site to check out is http://phpsec.org/ - it has lots
of info and links to more info about PHP security.
Here is also a snip of log (altered IPs and URL) of what I think is the
hack of the site. (I could be wrong)
2006-04-29 23:47:46 x.x.x.x - x.x.x.x 80 GET /index.html - 200 0 958 105 172 HTTP/1.0 www.blah.com Wget/1.9.1 - -
2006-04-29 23:49:32 x.x.x.x - x.x.x.x 80 GET /index.html - 200 0 953 122 297 HTTP/1.1 www.blah.com libwww-perl/5.805 - -
Neither of these looks particularly suspicious. Key things to look into
are who has access to your server, who writes the scripts, and whether
there are any scripts that write files to the server based on content
uploaded from users.
Hope that helps.
-Stut
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
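
Added example, not part of the original thread: one way to act on the advice above about finding scripts that write files based on user uploads is a small heuristic audit over the site's PHP sources. The function name, verdict strings and the sample PHP below are constructed for illustration; the line-by-line matching is an assumption that will miss multi-line statements.

```python
import re

# PHP calls that create or overwrite files on disk.
SINK = re.compile(r"\b(move_uploaded_file|copy|rename|fopen|file_put_contents)\s*\((.*)\)")
# Request data the client fully controls.
REQUEST = re.compile(r"\$_(FILES|GET|POST|REQUEST|COOKIE)\b")
# The temp path PHP itself picks for an upload; not client-chosen.
TMP = re.compile(r"\$_FILES\[[^\]]+\]\[['\"]tmp_name['\"]\]")
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+);")

def _mentions(names, text):
    return any(re.search(re.escape(n) + r"\b", text) for n in names)

def audit_php(source):
    """Return [(line_no, sink, verdict)] for file writes fed by request data."""
    tainted, uploads, findings = set(), set(), []
    for no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*")):
            continue  # skip comment lines (heuristic)
        m = ASSIGN.match(line)
        if m:  # propagate request data through simple assignments
            var, rhs = m.group(1), m.group(2)
            if TMP.search(rhs) or _mentions(uploads, rhs):
                uploads.add(var)
            rest = TMP.sub("", rhs)
            if REQUEST.search(rest) or _mentions(tainted, rest):
                tainted.add(var)
        s = SINK.search(line)
        if not s:
            continue
        args = s.group(2)
        rest = TMP.sub("", args)
        if REQUEST.search(rest) or _mentions(tainted, rest):
            findings.append((no, s.group(1), "client-controlled path"))
        elif TMP.search(args) or _mentions(uploads, args):
            findings.append((no, s.group(1), "upload, server-chosen path"))
    return findings

# Constructed sample script, not taken from the affected server.
SAMPLE = r'''<?php
$tmp  = $_FILES['photo']['tmp_name'];
$name = $_FILES['photo']['name'];
// destination keeps the client-supplied filename and extension
move_uploaded_file($tmp, "images/" . $name);
$safe = "images/" . md5_file($tmp) . ".jpg";
move_uploaded_file($tmp, $safe);
$fh = fopen("counter.txt", "w");
file_put_contents($_GET['page'] . ".html", $_POST['body']);
'''

if __name__ == "__main__":
    for finding in audit_php(SAMPLE):
        print(finding)
```

Lines reported as "client-controlled path" are the ones to review first, since the client decides the name or extension of the file written under the web root.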