
Re: help needed



I've put access.log online with the following cut out:
grep -v "Googlebot/2.1" access.log.1| grep -v ^87.106.31.224|grep -v gallery|grep -v "Yahoo! Slurp"|grep -vi svn |grep -v mediawiki |grep -v "favicon.ico"

http://jesusch.de/~jesusch/tmp/access.log

At the mentioned time someone at least tried to access pages which are not accessible (e.g. index.php?img=1).

There definitely might be a problem in the code:

if ( $_GET['page'] ) {
        include $_GET['page'].'/index.php';
}


Could this be the vulnerable code segment?


Arthur de Jong wrote:


As I'm not so aware, could someone be so kind to help me with a forensic analysis? I also still do not know which program (probably any php-stuff) was/is vulnerable.
All I've found so far were these entries in my apache2 error-log.

http://jesusch.de/~jesusch/tmp/error.log

You should check your access logs for entries around Sun Oct 29 20:12:34 2006 to see which requests were done. The vulnerable script is probably in there with a long URL with request parameters containing another URL.

-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
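The check suggested in the quoted advice (look at the access log around the error-log timestamp for request parameters that contain another URL), as an added example that is not part of the original messages: a Python filter over Apache access-log lines. The sample lines, client addresses and the 30-minute window are constructed assumptions; the timestamp is the one quoted from the error log and is treated as server local time.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache common/combined prefix: host ident user [time] "METHOD target PROTO" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# A parameter value that itself names a remote resource
REMOTE_RE = re.compile(r'(?:https?|ftps?)://', re.I)

SAMPLE = [  # constructed lines, not taken from the poster's access.log
    '192.0.2.10 - - [29/Oct/2006:20:12:30 +0100] "GET /index.php?page=http://example.invalid/x HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.10 - - [29/Oct/2006:20:12:31 +0100] "GET /index.php?page=http%253A%252F%252Fexample.invalid%252Fx HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [29/Oct/2006:20:13:02 +0100] "GET /index.php?page=gallery HTTP/1.1" 200 2048 "-" "-"',
    '192.0.2.10 - - [30/Oct/2006:09:00:00 +0100] "GET /index.php?page=http://example.invalid/x HTTP/1.1" 200 512 "-" "-"',
]

def suspicious_requests(lines, around, window=timedelta(minutes=30)):
    """Return (time, client, param, value) for requests within `window` of
    `around` whose query parameters contain a URL."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        host, stamp, _method, target, _status = m.groups()
        # Drop the UTC offset: compared against the error log's local time
        when = datetime.strptime(stamp.split()[0], "%d/%b/%Y:%H:%M:%S")
        if abs(when - around) > window:
            continue
        # parse_qsl percent-decodes once; unquote again for double-encoded values
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            value = unquote(value)
            if REMOTE_RE.search(value):
                hits.append((when, host, name, value))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE, datetime(2006, 10, 29, 20, 12, 34)):
        print(*hit)
```

Feed it the unfiltered log rather than the grep-reduced copy, so requests to the excluded paths are examined as well.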




