PHP exploit
Posted by The Critic, 11-24-2007, 11:51 PM |
My provider sent me an abuse ticket with the message below. This is a cPanel server with 300 domains. How do I go about tracking down the problem? They can't give me any more information and I don't know where else to look.
This ticket was automatically generated by the XXXXXXXXXXXXXX Network Protection System. An unusual amount of traffic has been detected involving your IP address xx.xx.xx.xx.
Details of the event follow:
3885: HTTP: PHP File Include Exploit
This filter detects an attempt to post the contents of an external script to a PHP application. This behavior is typical of a PHP file include vulnerability attack. This attack could allow an attacker to insert custom code into a variable that would be executed by all users of the vulnerable application.
Thanks.
|
Posted by Dave W, 11-24-2007, 11:53 PM |
They didn't give you any more information?
An example of the actual execution would have been nice.
|
Posted by The Critic, 11-24-2007, 11:56 PM |
No, that is what they provided. They also provide links to examples of PHP file include attacks, but not from my server. I can't post them as I'm a new user here.
|
Posted by Dave W, 11-24-2007, 11:59 PM |
If they provided an example like index.php?http://somewebsite.ru/hack.txt
you could do a
grep "hack.txt" /etc/httpd/domlogs/*
but without more information you almost have to check every site on the server.
A good place to start would be the /tmp directory
|
Posted by The Critic, 11-25-2007, 12:01 AM |
tmp is clear.
|
Posted by The Critic, 11-25-2007, 12:07 AM |
These are the links they provided as examples:
http://www.derkeiler.com/Mailing-Lis...5-05/0237.html
http://www.securityfocus.com/bid/14028
http://www.osvdb.org/displayvuln.php?osvdb_id=3592
|
Posted by Dave W, 11-25-2007, 12:10 AM |
start with
grep "include/common.php" /etc/httpd/domlogs/*
then
grep "php?root_dir=" /etc/httpd/domlogs/*
The other one is Cacti. Are you running a copy of Cacti?
|
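Added example, not part of the original thread: when the provider gives no sample request, the per-script greps above can be generalized into one pass over all domlogs that flags any request whose query string carries a remote URL. The script name `rfi_scan.sh`, the function names and the sample log lines are assumptions made for illustration; the logs are assumed to be in Apache combined format.

```shell
#!/bin/sh
# Added example (not from the thread): list access-log requests whose query
# string carries a remote URL, the usual shape of a PHP file include attempt.

# Matches the request field of a combined-format log line when '?', '&' or '='
# is followed directly by http://, https:// or ftp:// ("://" literal or
# URL-encoded as %3A%2F%2F). Used with grep -i, so case does not matter.
RFI_RE='"(GET|POST) [^ "]*[?&=](https?|ftp)(://|%3A%2F%2F)'

# rfi_hits FILE... : print "logfile<TAB>client_ip<TAB>request" per match.
rfi_hits() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        grep -E -i "$RFI_RE" "$f" | awk -v f="$f" '{ print f "\t" $1 "\t" $7 }'
    done
}

# rfi_summary FILE... : print "count logfile", busiest log first, so the
# domains worth reviewing on a shared server stand out.
rfi_summary() {
    rfi_hits "$@" | cut -f1 | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# make_sample_logs DIR : write two constructed log files for a dry run.
# Hostnames and addresses are documentation placeholders, not real data.
make_sample_logs() {
    cat > "$1/site-a.example" <<'EOF'
192.0.2.10 - - [24/Nov/2007:23:01:12 -0600] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Nov/2007:23:02:40 -0600] "GET /index.php?page=http://remote.example/a.txt HTTP/1.1" 200 812 "-" "libwww-perl/5.805"
198.51.100.7 - - [24/Nov/2007:23:02:41 -0600] "POST /view.php?inc=ftp%3A%2F%2Fremote.example%2Fb.txt HTTP/1.1" 200 640 "-" "libwww-perl/5.805"
EOF
    cat > "$1/site-b.example" <<'EOF'
192.0.2.44 - - [24/Nov/2007:23:05:03 -0600] "GET /contact.php HTTP/1.1" 200 2048 "http://search.example/?q=http://site-b.example" "Mozilla/5.0"
EOF
}

# Real use: sh rfi_scan.sh /etc/httpd/domlogs/*
if [ "$#" -gt 0 ]; then
    rfi_summary "$@"
fi
```

Legitimate redirect or proxy parameters that carry a URL will match too, so treat the output as a shortlist of domains and scripts to review, not as confirmed compromises.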