If the url is such a problem, then why not use POST instead of GET? And if
there is a problem of debugging what pages are being viewed, then use

print_r($_POST);

to see what was loaded.

-Josh


-----Original Message-----
From: tclug-list-bounces at mn-linux.org
[mailto:tclug-list-bounces at mn-linux.org]On Behalf Of Wayne Johnson
Sent: Saturday, March 06, 2004 2:07 PM
To: tclug-list at mn-linux.org
Cc: kent at structural-wood.com
Subject: Re: [TCLUG] Attack


We've found this guy has been probing us for several days, from IP address
from the Phillipines, Brazil, France, Texas, and who knows where else.
Looks like he has a whole network of hiding places.

The URL of the site would contain strings like
http://index.php?body=mrnelson.php.  This made it pretty obvoius that this
was being used to include further text.  I believe the same problem was
found in PHPNuke, so it's not that original (sorry, Doug).

PHP isn't evil, but it sure makes it a lot easier to shoot off your own
foot.

Kent Schumacher said:
>
>
> strayf at freeshell.org wrote:
>> On Sat, Mar 06, 2004 at 12:03:16AM -0600, Matthew S. Hallacy wrote:
>>
>>>On Fri, Mar 05, 2004 at 10:46:09PM -0600, Wayne Johnson wrote:
>>>
>>>
>>>>We all learn something everyday...  Especially with Linux.
>>>
>>>I hope one of the lessons learned is that PHP is evil.
>>
>>
>> I think the lesson is more that anything which is both easy and
>> powerful is also dangerous. PHP isn't evil, you just have to keep your
>> eyes open.
>>
>> -Steve
>
> If I'm understanding what happened correctly, Pastor Doug Coats made a
> PHP programming error, which resulted in a *unique* security hole on his
> system.
>
> Someone, possibly from the Phillipines, then discovered this hole and
> used it to grab the passwd file.
>
> My question is, how was the hole detected?  How long was the hole open
> before it was discovered?  Is there something that made detecting the
> hole easy or ???
>
> Is cracker detection coverage of the web really as complete as this
> incident seems to imply?
>
> Kent
>
>
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org tclug-list at mn-linux.org
> https://mailman.real-time.com/mailman/listinfo/tclug-list




_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list


_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list