Eric Butera wrote:
> On Fri, Apr 18, 2008 at 2:59 PM, Jim Lucas <lists@xxxxxxxxx> wrote:
>> In the example code above that is injected into the top of the php scripts,
>> the eval is evaluating the code that is read from the temp file, the temp
>> file is never moved or renamed. Therefore it will be removed when the
>> script is done.
>
> Looking at the first post:
>
> On Wed, Apr 16, 2008 at 12:13 PM, Al <news@xxxxxxxxxxxxx> wrote:
>> The hack places this file in
>> numerous dirs on the site, I assume using a php script because the owner is
>> "nobody".
>
> From my understanding this means a stand-alone file is written out by
> a compromised means. If something else has been said I missed it
> along the way! :)

He is referring to the code that he finds at the top of a number of different
files. That is the code that he showed us.
I am talking about the uploaded file.
Maybe we are talking about two different parts of this problem.
Problem #1: which I think you are talking about, is to see when the php scripts
are getting modified and that code is injected at the top of them.
This would be a very obvious section of your log file: multiple requests with
the same information. Or, like some have suggested, maybe there is a CMS involved
and it gives the hacker a method of writing code to each file. It would be nice
to know if there is a CMS involved.
Problem #2: which is what I was talking about, is the actual file that is
posted/uploaded to the infected script and then the contents are eval'ed. That
uploaded file is a temp file and gets deleted at the end of the script execution.
--
Jim Lucas
"Some men are born to greatness, some achieve greatness,
and some have greatness thrust upon them."
Twelfth Night, Act II, Scene V
by William Shakespeare
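
Because the uploaded temp file from Problem #2 is gone once the request ends, the evidence left on disk is the injected header from Problem #1. The sketch below is an added example, not code from the thread: it assumes the header calls eval() on the contents of an upload's tmp_name within the first 2 KB of a script, and the sample files and the names `head_is_suspicious`, `scan_tree` and `demo` are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

HEAD_BYTES = 2048  # the thread says the code sits at the top of each script

# Assumed shape of the injected header: eval() fed from an upload's temp file.
EVAL_RE = re.compile(rb"\beval\s*\(", re.I)
UPLOAD_RE = re.compile(rb"\$(?:_FILES|HTTP_POST_FILES)\b[^;]*tmp_name", re.I)


def head_is_suspicious(data: bytes) -> bool:
    """True when the file head both calls eval() and reads an upload's tmp_name."""
    head = data[:HEAD_BYTES]
    return bool(EVAL_RE.search(head) and UPLOAD_RE.search(head))


def scan_tree(root):
    """Return sorted site-relative paths of .php files whose head matches."""
    hits = []
    for path in Path(root).rglob("*.php"):
        try:
            with path.open("rb") as fh:
                data = fh.read(HEAD_BYTES)
        except OSError:
            continue  # unreadable entry: skip it, keep sweeping
        if head_is_suspicious(data):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def demo():
    """Build a constructed site tree (two tampered scripts, two clean) and scan it."""
    injected = b"<?php eval(file_get_contents($_FILES['x']['tmp_name'])); ?>\n"
    samples = {
        "index.php": injected + b"<?php echo 'home';",
        "lib/util.php": injected + b"<?php function f() {}",
        "upload.php": b"<?php move_uploaded_file($_FILES['doc']['tmp_name'], $dest);",
        "about.php": b"<?php echo 'about';",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

An ordinary upload handler that moves the temp file is not flagged, since it never passes the file's contents to eval().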