Security - getting scripts inserted into log file

Status
Not open for further replies.

oppcos

Programmer
Dec 1, 2004
209
US
Hi all,
I have a modest little PHP server running that gets a lot of junk traffic. Recently I noticed that someone had somehow inserted the entire contents of PHPSHELL.PHP into my log file. There was no warning message or date stamp or anything around the entry so it has concerned me as to A) how they did it? and B) what was the purpose of doing it?

My log files are not, of course, browsable through the web server, so they shouldn't have been able to execute it from there. Was this an attempt to upload it somehow to another place that failed (or *gulp* succeeded)?

Never saw anything like this before and wanted to know, have you experts had experience with it and advice on how to guard against it?

Thanks!
 
A) how they did it?
Insufficient data for a meaningful answer. We'd have to know your site and how it works before theorizing.

B) what was the purpose of doing it?
To gain shell access to your server. After that, the asshol miscreant could then use your server for all kinds of nefarious things. See (or just do a Google search on the term phpshell.php hacking) for comments as to the grief some people have caused using either the script you found or one similar.

have you experts had experience with it and advice on how to guard against it?
I have not had specific experience, but I have heard of this. In every case, it was some software flaw that allows the upload and execution of a file. Check all your software vendor sites and make sure you're not running vulnerable software or software that is configured in a less-than-secure way. The site has some user-supplied comments that might be useful in a more general way.



Want the best answers? Ask the best questions! TANSTAAFL!
 
After looking more closely at the log I realized that the warning from the line above that script entry was actually continuing beyond the new line. Someone was attempting to execute a SQL vulnerability against a php file that runs a SQL select statement, but the php file filtered against the attack so we got a big fat failure message instead that contained the contents of the attack (AKA the PHPSHELL.PHP file). [surprise]

Good news is I guess I'm OK (though I think I'll decrease the size limit available to POSTing to that page just to be safer). I thought it was much worse because the new line threw me off, making me believe it was just magically appearing in the log. Just my inexperience, but I guess I'd better improve faster if I'm to survive something as public and dynamic as the Internet. :)

Thanks for the advice!
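
The follow-up above describes two things worth having in code: the injection attempt was defeated by input handling, but the rejected payload was written to the log verbatim, so its embedded newlines made a single error entry look like a freestanding script. The snippet below is an added example, not code from this thread or from the poster's site. It assumes a hypothetical search endpoint with a `parts` table and invented function names (`logSafe`, `handleSearch`), and shows a per-field length cap, a prepared statement so the SELECT cannot be altered by the value, and a logger that escapes control characters and truncates the value so every rejected request occupies exactly one log line.

```php
<?php
// Added example, not the thread's own code. Hypothetical search endpoint that
// (1) rejects oversized input, (2) runs the SELECT as a prepared statement so an
// injection attempt is inert, and (3) logs rejected input as ONE line with control
// characters escaped and the value truncated, so a multi-line payload (e.g. a
// script pasted into a parameter) cannot masquerade as separate log entries.

const MAX_QUERY_LEN   = 64;   // hypothetical per-field limit
const LOG_SNIPPET_LEN = 120;  // how much of a rejected value to keep in the log

/** Render arbitrary input as a single, bounded log line. */
function logSafe(string $s, int $max = LOG_SNIPPET_LEN): string
{
    $total = strlen($s);
    if ($total > $max) {
        $s = substr($s, 0, $max);
    }
    // C-style escape NUL..US and DEL: a real newline becomes the two characters
    // \ and n, so the entry can no longer be split across lines or hide a fake one.
    $s = addcslashes($s, "\0..\37\177");
    return $total > $max ? $s . '...[+' . ($total - $max) . ' bytes]' : $s;
}

function logLine(string $msg): void
{
    // In production this would be error_log(); stderr keeps the demo visible on the CLI.
    fwrite(STDERR, date('c') . ' ' . $msg . "\n");
}

/** Handle a POSTed search; returns matching rows or an error marker. */
function handleSearch(array $post, PDO $db): array
{
    $q = $post['q'] ?? '';
    // A parameter can arrive as an array (q[]=...), so type-check before strlen().
    if (!is_string($q) || strlen($q) > MAX_QUERY_LEN) {
        $shown = is_string($q) ? logSafe($q) : '<array>';
        logLine(sprintf('rejected search from %s len=%d q=%s',
            $_SERVER['REMOTE_ADDR'] ?? 'cli', is_string($q) ? strlen($q) : 0, $shown));
        return ['error' => 'bad request'];
    }
    // The placeholder keeps the value out of the SQL text; LIKE wildcards are escaped too.
    $pattern = '%' . strtr($q, ['\\' => '\\\\', '%' => '\%', '_' => '\_']) . '%';
    $stmt = $db->prepare("SELECT id, name FROM parts WHERE name LIKE ? ESCAPE '\\'");
    $stmt->execute([$pattern]);
    return ['rows' => $stmt->fetchAll(PDO::FETCH_ASSOC)];
}

// --- demo with an in-memory SQLite table and constructed inputs ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE parts (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO parts (name) VALUES ('widget'), ('gadget')");

print_r(handleSearch(['q' => 'wid'], $db));              // normal request: one row

// Constructed stand-in for a dumped script: a quote-breaking prefix followed by
// many lines of text that would otherwise land in the log verbatim.
$payload = "' OR 1=1; --\n" . str_repeat("// line of dumped script\n", 40);
print_r(handleSearch(['q' => $payload], $db));           // rejected; logged on one line

// An injection attempt short enough to pass the length check is still inert:
print_r(handleSearch(['q' => "' OR 1=1 --"], $db));      // zero rows, no error
```

Running this from the CLI prints the rejected request as a single timestamped stderr line in which the payload's newlines appear as `\n` and the tail is replaced by a byte count, which is the form the original entry would have needed to be unmistakable. The per-field cap here is application-level; the server-wide knob the poster mentions is `post_max_size`, which is set in `php.ini` or per-directory configuration rather than with `ini_set()` at runtime.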
 