On Sun, April 30, 2006 12:31 am, scot wrote:
> Hi there,
> Not sure if this is the proper place to post but here it goes. We got nailed by
> someone using c99shell today. They were able to upload and overwrite a bunch
> of index files. I am working on discovering how they were able to get it on
> our server. Here's some basic info. I am by no means a php expert. Should
> things be different? Is there a good paper out there somewhere in regards to
> windows / iis5 / php security?

I know nothing about c99shell, but I can tell you...

> php 4.4.1
> Safe Mode: OFF
> Open basedir: none

This should be a directory starting with C:\ and ending in a directory where
PHP can have a "workspace" to read/write files, and that directory (and
sub-dirs) should be exclusively reserved for PHP data.

> Display Errors: ON

This is bad on a production server. It exposes too much of your internal
workings to Bad Guys.

> Short Open Tags: ON

Turn them off, not for security, but for compatibility with other servers
where they will be off.

> File Uploads: ON

Do you USE file uploads?... Turn them off, if not.

> Magic Quotes: ON

This should be off so you can sanitize your input data, and then use
http://php.net/mysql_real_escape_string

> Register Globals: ON

OFF OFF OFF!!!
Unless you can guarantee your PHP code is 100% perfect with every variable
always initialized, including any PHP software you download/install, then
this MUST be turned OFF!

> Output Buffering: OFF
> Session save path: e:\PHP\sessiondata

This may need to be within open_basedir...

> Session auto start: 0
> XML enabled: Yes
> Zlib enabled: Yes
> Disabled Functions: none
>
> Here is also a snip of log (altered IPs and URL) of what I think is the
> hack of the site.
> (I could be wrong)
>
> 2006-04-29 23:47:46 x.x.x.x - x.x.x.x 80 GET /index.html - 200 0 958 105 172
> HTTP/1.0 www.blah.com Wget/1.9.1 - -
> 2006-04-29 23:49:32 x.x.x.x - x.x.x.x 80 GET /index.html - 200 0 953 122 297
> HTTP/1.1 www.blah.com libwww-perl/5.805 - -

Errrr.
It's unlikely in the extreme that 2 GETs messed you up...
And somebody wrote a perl script to do something, but you haven't told us
what on that last line...

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
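The two settings the reply is most emphatic about, register_globals and magic_quotes, are easier to see in code than in a php.ini listing. The script below is an added example, not code posted by scot or by the reply author: it reproduces the "variable never initialized" hole that register_globals = On opens, shows the same check written so it is safe under either setting, and wraps the escaping advice (turn magic quotes off, then use mysql_real_escape_string) in a small helper. The request data, the login_succeeded() stub and the mysql_safe() helper are all constructed for this example; nothing here talks to a web server or a database, so it runs from the command line on the PHP 4 series the thread discusses and, thanks to the function_exists() guards, on later versions too.

```php
<?php
// Added example for this thread (not code from scot or the reply author).
// Demonstrates why register_globals = On breaks the "every variable always
// initialized" rule, and how to escape input once magic_quotes_gpc is Off.

// Constructed request: an attacker appends ?authorized=1 to a protected URL,
// and a legitimate field carries an apostrophe that must be escaped later.
$_GET = array('authorized' => '1', 'name' => "O'Brien");

// Stand-in for a real credential check; constructed to fail for the demo.
function login_succeeded()
{
    return false;
}

// --- Vulnerable: silently assumes register_globals is Off ---
// With register_globals = On, PHP has already created $authorized from the
// query string before this function runs. extract($_GET) is used here only
// to reproduce that behaviour from the CLI, where the setting does not apply.
function vulnerable_is_authorized()
{
    extract($_GET);
    if (login_succeeded()) {
        $authorized = true;
    }
    // Never initialised on the failure path, so the attacker's '1' survives.
    return !empty($authorized);
}

// --- Hardened: correct whether register_globals is On or Off ---
// Initialise state before use and never let request data decide it.
function hardened_is_authorized()
{
    $authorized = false;
    if (login_succeeded()) {
        $authorized = true;
    }
    return $authorized;
}

// --- Escaping after magic_quotes_gpc is turned Off (the thread's advice) ---
// If magic quotes happen to be On, PHP has already added backslashes to
// $_GET/$_POST; strip them first so the value is escaped exactly once.
// mysql_real_escape_string() needs an open connection ($link). The
// addslashes() branch exists only so this demo runs offline; it is not
// charset-aware and is not a substitute in real code.
function mysql_safe($value, $link = null)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    if ($link && function_exists('mysql_real_escape_string')) {
        return mysql_real_escape_string($value, $link);
    }
    return addslashes($value); // demo fallback only
}

echo "vulnerable: ", vulnerable_is_authorized() ? "ACCESS GRANTED" : "denied", "\n";
echo "hardened:   ", hardened_is_authorized() ? "ACCESS GRANTED" : "denied", "\n";
echo "escaped name: ", mysql_safe($_GET['name']), "\n";
```

Run it with `php register_globals_demo.php`: the vulnerable check grants access on a failed login purely because the request supplied a variable the code never set, while the hardened version denies it. The escaping helper is the pattern the reply points at: with magic quotes off the data arrives untouched, and the single mysql_real_escape_string() call on an open connection is the only escaping step, so nothing is double-escaped and nothing is left unescaped.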