Al wrote:
One of my sites has been hacked and I'm trying to find the hole. The
hack code creates dirs with "nobody" ownership, so it's obvious stuff is
not via ftp [ownership would be foo]
Site is virtual host, Linux/Apache
I'm concerned about a file uploader my users use to upload photos.
<!-- SNIP -->
First off, file type means NOTHING to people using uploaders. I have had
a number of people try to hack my site with my uploader and they never
succeed.
If you don't parse the first few lines of the file, you're probably
gonna find yourself hacked again. Depending on the size of the machine,
you could just read the whole file and look for php somewhere in it, and
if it exists, erase immediately.
image.php.gif.jpg would pass your test as far as checking extensions.
I have a number of the scripts used by others to try to hack my site
available for download/review. If you search the archives, you should
find them. If not, contact me directly and I'll send you the link to them.
HTH,
Wolf
--
PHP General Mailing List (http://www.php.net/)
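
Added example, not part of the post above or of any script from the thread: one way to write the content checks the reply describes, in PHP. The function name `check_upload()` and the allowed-type list are hypothetical, the fileinfo extension is assumed to be enabled, and the example goes beyond the post by also discarding the client's file name in favour of a server-generated one.

```php
<?php
// Added example: content-based checks for an uploaded photo.
// check_upload() and ALLOWED are hypothetical names, not from the original post.

const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/**
 * Returns a safe server-side file name for the upload, or null if it is rejected.
 * The client-supplied name is never used, so "image.php.gif.jpg" has no effect.
 */
function check_upload(string $tmpPath): ?string
{
    // 1. Detect the type from the file's leading bytes, not from its name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        return null;
    }
    // 2. The file must also parse as an image header.
    if (@getimagesize($tmpPath) === false) {
        return null;
    }
    // 3. Read the whole file and reject it if a PHP open tag appears anywhere.
    //    A bare two-byte short tag is not matched: it occurs by chance in image data.
    $data = file_get_contents($tmpPath);
    if ($data === false
        || stripos($data, '<?php') !== false
        || strpos($data, '<?=') !== false) {
        return null;
    }
    // 4. Server-chosen name with a single extension taken from the detected type.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
}

// Constructed sample inputs: a 1x1 GIF, and the same bytes with PHP text appended.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw==');
$samples = ['clean' => $gif, 'tainted' => $gif . '<?php echo 1; ?>'];
foreach ($samples as $label => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $name = check_upload($tmp);
    echo $label, ': ', $name === null ? 'rejected' : "accepted as $name", PHP_EOL;
    unlink($tmp);
}
```

Accepted files are best stored in a directory where the web server does not execute scripts, so that a file that slips past these checks is still served only as data.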