poeple manage to upload a file in to a directory they shouldn;t, which has a gif extension, but is really javascript. then they run the file and it adds code to index.php for instance. this happened to me on coppermine gallery a while ago. ________________________________ From: Davide Baglieri <davidonzo@xxxxxxxxx> To: php-objects@xxxxxxxxxxxxxxx Sent: Saturday, 10 July, 2010 19:29:30 Subject: Re: My website had been hacked many times. ironshell is a web based php shell. If someone, using a bugged upload form, is able to upload the shell on your web space, he will take the power of any file and directory. It's easy, after uploading the shell, edit the index file and upload any other image or malicious script. I suggest you to debug any upload form before you re-open the website. On 10 July 2010 20:14, Sovichea SOU <svch_sou@xxxxxxxxxxx> wrote: > > > > I already requested my hosting provider to check server log. > > Well, I see other file. It is ironshell.php > > Any more idea? > > Thanks. > > Vichea > > On Sun, Jul 11, 2010 at 12:58 AM, Davide Baglieri <davidonzo@xxxxxxxxx>wrote: > > > Not only the index file was modified, but some file has been uploaded > > to the server: http://elt.edu.kh/1.gif > > > > I just can success you to look the server logs and find when and how > > the file 1.gif has been uploaded to the server. > > > > On 10 July 2010 19:54, Sovichea SOU <svch_sou@xxxxxxxxxxx> wrote: > > > Here it is: elt.edu.kh > > > I rename hacked file to http://elt.edu.kh/index_old.htm > > > > > > Thanks. > > > > > > > > > > > > On Sun, Jul 11, 2010 at 12:50 AM, Davide Baglieri <davidonzo@xxxxxxxxx > > >wrote: > > > > > >> > > >> > > >> Can you link us the hacked website? > > >> There is any public upload form? > > >> > > >> Maybe someone upload a C99 shell. > > >> > > >> > > >> > > > > [Non-text portions of this message have been removed] > > ------------------------------------ Are you looking for a PHP job? Join the PHP Professionals directory Now! http://www.phpclasses.org/jobs/ Yahoo! Groups Links [Non-text portions of this message have been removed]
