  1. #1

    poorly written PHP, code compromised.

    Instead of me trying to explain it, let me show you the access log:

    "GET /index.php?pg=;;chmod%20777%20bdsun;./bdsun HTTP/1.1

    Obviously this bdsun file was downloaded and run on my web server. It, along with a file called "fsun", basically bogged our whole network down. I'm glad that I caught it before people really noticed.

    First off, does anybody know what this is? I did a quick search on Google and couldn't find anything.

    Secondly, this user had register_globals turned on, which obviously I turned off, and now I've made him change to using either _POST, _GET or _REQUEST to get the variables.

    The way the site is set up, you link to index.php?pg=page.html to show that page; change page.html to whatever page he has on the server. A basic template-type engine, if you will.

    Will shutting off register_globals for this user and making him use _POST, _GET or _REQUEST keep this from happening again? Or should I make him stop serving pages that way? Does anybody know a good variable checker to make sure that malicious code isn't entered this way?

  2. #2
    This is a very common thing, some things to do:

    Limit compilers + fetch apps (lynx, wget, etc.) to root only.
    Disable PHP functions in the php.ini:

    disable_functions = system, exec, shell_exec

    This will help prevent it, but it is no 100% fix.
    Steven Ciaburri | Proactive Linux Server Management -
    Managed Servers (AS62710), Server Management, and Security Auditing.

  3. #3
    register_globals helps against using [presumably] undefined variables, but that won't do anything here. Linuxguy's suggestions will limit the damage potential from these -- a good idea, since you can't catch them ahead of time.

    Using file_exists() is also good, both because it doesn't work over http and it allows better error trapping. Using readfile() instead of include() will kill exploits like this, but it can still expose sensitive information.

    More drastic, but effective methods include a whitelist -- put all legal page names in an array and use in_array() to see if the request is in there. Another option is to put all page files in one directory and block any and all use of slashes in the incoming file name.

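A page loader built along the lines post #3 suggests (whitelist via in_array(), no slashes in the name, a local existence check, readfile() instead of include()), as an added example that is not code from the thread; the function name resolve_page, the pages directory layout and the sample page names are assumptions.

```php
<?php
// Added example (not from the thread). Assumed layout: every page file lives
// in one directory, and the request only ever carries a bare file name.

// The vulnerable pattern the thread describes: with register_globals on, the
// pg query parameter reached include() unchecked, so a crafted value (or a
// remote URL) was executed by the web server. Shown for contrast, never run:
//   include($pg);

/**
 * Resolve a requested page name to a path inside $pageDir, or return null.
 *  - whitelist: $allowed is the array of legal page names (in_array check)
 *  - no slashes: any name with a directory component or ".." is rejected
 *  - local only: the file must exist on disk (an http:// URL never will)
 */
function resolve_page(string $pg, string $pageDir, array $allowed): ?string
{
    if (!in_array($pg, $allowed, true)) {            // strict comparison
        return null;
    }
    if ($pg !== basename($pg) || strpos($pg, '..') !== false) {
        return null;                                  // traversal attempt
    }
    $path = $pageDir . DIRECTORY_SEPARATOR . $pg;
    if (!is_file($path)) {                            // file_exists() also works
        return null;
    }
    return $path;
}

// Constructed demo: a temporary page directory and a handful of inputs.
$dir = sys_get_temp_dir() . '/pages_' . uniqid();
mkdir($dir);
file_put_contents("$dir/page.html", "<h1>Hello</h1>\n");
$allowed = ['page.html', 'about.html'];               // about.html is deliberately absent

$requests = [
    'page.html',                                      // legal and present -> served
    'about.html',                                     // whitelisted but missing -> rejected
    ';;chmod 777 bdsun;./bdsun',                      // the value from the access log -> rejected
    '../../../etc/passwd',                            // traversal -> rejected
    'http://example.invalid/x.txt',                   // remote include attempt -> rejected
];
foreach ($requests as $pg) {
    $path = resolve_page($pg, $dir, $allowed);
    echo str_pad(var_export($pg, true), 36), ' => ', $path === null ? 'rejected' : 'ok', "\n";
    if ($path !== null) {
        readfile($path);   // sent as text; readfile() never executes the file
    }
}
unlink("$dir/page.html");
rmdir($dir);
```
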
  4. #4
    My thought was to run all user input through a function to check for odd characters, program names (wget), etc.
    I will write one, but I don't want to reinvent the wheel.

    I believe he is using include() to show the file; I'll change 'em around to readfile(), hopefully that will help out some.

    thanks for the input guys.
