NYPHP.org

[nycphp-talk] worm/virus's hammering feedback scripts?

Anirudh Zala (Gmail) arzala at gmail.com
Tue Sep 13 01:02:42 EDT 2005



-------- Original Message --------
Subject: Re: [nycphp-talk] worm/virus's hammering feedback scripts?
Date: Tue, 13 Sep 2005 09:27:53 +0530
From: Anirudh Zala (Gmail) <anirudh at gmail.com>
To: NYPHP Talk <talk at lists.nyphp.org>
References: <0MKp2t-1EEVZL04AF-0004KA at mrelay.perfora.net> 
<43248C2F.8030006 at omnistep.com> <4324FB52.5010806 at omnistep.com>

Rolan Yang wrote:

>One more hint to all:
>
> If you are hosting php scripts for other people, or simply have too 
>many to comb through on your own server(s), grep your mail server log 
>for "jrubin3546 at aol.com".  If you see any results, cross reference that 
>time with your web logs to locate the exploitable script.
>
>~Rolan
>_______________________________________________
>New York PHP Talk Mailing List
>AMP Technology
>Supporting Apache, MySQL and PHP
>http://lists.nyphp.org/mailman/listinfo/talk
>http://www.nyphp.org
>
We had the same problem, but we had enough protection in our scripts against
such exploitation. Ideally, tracking any email address as Rolan described
might not be useful, as spammers often change it from time to time. Moreover,
when your hosting company is big or you have many websites running on
your server, you can't monitor everything. The simplest solution to
protect your scripts against such misuse is to use JS validation of your
form fields, PHP validation using regexp functions, use of PHP functions
like "htmlspecialchars, strip_tags and stripslashes", and to use the $_GET
and $_POST superglobals instead of normal PHP-style variables when
using form variables. This implementation, according to me, gives you
90% protection against such exploitation.

Below is a snapshot of an error generated by one of our websites. Please see
that the variables have been shown as associative arrays.

===============================================================

Date and Time                : 13-9-2005 00:00
Url                          : www.hameenautocenter.fi
File path                    : /web/www.SOMETHING.com/..........
Logged in user/dealer        :  ()
User's IP                    : 216.194.16.226
Port                         : 1423
Request method               : POST
Query string                 :
HTTP referer                 : http://www.hameenautocenter.fi/
DB server                    :

The message between the ---- lines shows the real error string returned by MySQL /
class.rFastTemplate.php:

--------------------------------------------------------------------------------------------------
load(2/22892.ihtml) failure:
--------------------------------------------------------------------------------------------------

# Posted variables were:

`thimg439051`=>`bgokwdpda at hameenautocenter.fi`
`thimg289279`=>`bgokwdpda at hameenautocenter.fi`
`thimg298836`=>`bgokwdpda at hameenautocenter.fi`
`thimg434535`=>`bgokwdpda at hameenautocenter.fi`
`thimg237515`=>`bgokwdpda at hameenautocenter.fi`
`thimg336168`=>`bgokwdpda at hameenautocenter.fi`
`thimg434511`=>`bgokwdpda at hameenautocenter.fi`
`thimg439032`=>`bgokwdpda at hameenautocenter.fi`
`thimg434437`=>`bgokwdpda at hameenautocenter.fi`
`thimg257545`=>`bgokwdpda at hameenautocenter.fi`
`thimg431994`=>`bgokwdpda at hameenautocenter.fi`
`thimg314051`=>`bgokwdpda at hameenautocenter.fi`
`thimg211000`=>`bgokwdpda at hameenautocenter.fi`
`thimg281279`=>`bgokwdpda at hameenautocenter.fi`
`thimg430744`=>`bgokwdpda at hameenautocenter.fi`
`thimg432028`=>`bgokwdpda at hameenautocenter.fi
Content-Type: multipart/mixed; boundary="===============0394946924=="
MIME-Version: 1.0
Subject: e2fd8ef6
To: bgokwdpda at hameenautocenter.fi
bcc: jrubin3546 at aol.com
From: bgokwdpda at hameenautocenter.fi

This is a multi-part message in MIME format.

--===============0394946924==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

nlh
--===============0394946924==--
`
`thimg177404`=>`bgokwdpda at hameenautocenter.fi`
`thimg430719`=>`bgokwdpda at hameenautocenter.fi`
`thimg430708`=>`bgokwdpda at hameenautocenter.fi`
`thimg272427`=>`bgokwdpda at hameenautocenter.fi`
`thimg364967`=>`bgokwdpda at hameenautocenter.fi`
`thimg364964`=>`bgokwdpda at hameenautocenter.fi`
`thimg236039`=>`bgokwdpda at hameenautocenter.fi`
`thimg298846`=>`bgokwdpda at hameenautocenter.fi`
`thimg439004`=>`bgokwdpda at hameenautocenter.fi`
`thimg434460`=>`bgokwdpda at hameenautocenter.fi`
`thimg281337`=>`bgokwdpda at hameenautocenter.fi`
`thimg430694`=>`bgokwdpda at hameenautocenter.fi`
`thimg430752`=>`bgokwdpda at hameenautocenter.fi`
`thimg432070`=>`bgokwdpda at hameenautocenter.fi`
`thimg432055`=>`bgokwdpda at hameenautocenter.fi`
`thimg432036`=>`bgokwdpda at hameenautocenter.fi`
`thimg268068`=>`bgokwdpda at hameenautocenter.fi`

===============================================================

Thanks

Anirudh Zala
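The dump above is a textbook e-mail header injection: one address field carries a CRLF, a fresh set of MIME headers and a "bcc:" to the harvesting address, so any feedback script that drops that field into mail() headers relays the spam. The following is an added example, not code from the original post or from any of the sites mentioned; it puts the vulnerable header-building pattern beside a hardened one and adds a scan that reports which posted fields contain injected headers, the way the error log exposed them. Field names, addresses and the sample POST array are constructed; the code assumes PHP 7.1 or later for the nullable return types.

```php
<?php
// Added example, not code from the original post. It shows the header
// injection visible in the dump above (an address field carrying CRLF,
// extra MIME headers and a bcc:) beside a handler that refuses it.
// Field names, addresses and the sample POST array are constructed.

// Constructed POST body modelled on the dump: one field is a plain address,
// one carries an injected header block, one is free text for the mail body.
$samplePost = [
    'email'   => 'visitor@feedback.example',
    'email2'  => "visitor@feedback.example\r\n"
        . "Content-Type: multipart/mixed; boundary=\"===============0394946924==\"\r\n"
        . "MIME-Version: 1.0\r\n"
        . "Subject: e2fd8ef6\r\n"
        . "To: visitor@feedback.example\r\n"
        . "bcc: harvester@collector.example\r\n"
        . "\r\nnlh\r\n",
    'comment' => "Nice site\r\nbcc: harvester@collector.example",
];

// Vulnerable pattern: the raw field is interpolated into the header block, so
// each CRLF the client sends starts a new header, and a blank line ends the
// headers and lets the attacker supply the whole body.
function buildHeadersVulnerable(string $from): string
{
    return "From: $from\r\nReply-To: $from\r\n";
}

// Hardened: an address field must be one syntactically valid address with no
// CR, LF or NUL anywhere. Anything else is rejected, not "cleaned".
function cleanAddress(string $value): ?string
{
    $value = trim($value);
    if ($value === '' || preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    $ok = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

function buildHeadersHardened(string $from): ?string
{
    $addr = cleanAddress($from);
    return $addr === null ? null : "From: $addr\r\nReply-To: $addr\r\n";
}

// Detection hook: report which posted fields carry a line that looks like an
// injected mail header, the way the error dump in the post exposed them.
// Run it over $_POST before calling mail() and log the hits.
function findInjectedFields(array $post): array
{
    $pattern = '/\r?\n[ \t]*(bcc|cc|to|from|subject|content-type|mime-version)[ \t]*:/i';
    $hits = [];
    foreach ($post as $name => $value) {
        if (is_string($value) && preg_match_all($pattern, $value, $m) > 0) {
            $hits[$name] = array_map('strtolower', $m[1]);
        }
    }
    return $hits;
}

// Usage: compare the two header builders on the injected field, then scan.
$injected = $samplePost['email2'];
echo "vulnerable headers:\n", buildHeadersVulnerable($injected), "\n";
var_dump(buildHeadersHardened($injected));            // NULL: submission refused
var_dump(buildHeadersHardened($samplePost['email'])); // the From/Reply-To pair

foreach (findInjectedFields($samplePost) as $field => $headers) {
    error_log("header injection in field $field: " . implode(', ', $headers));
}
```

Two design points. First, the hardened builder rejects rather than strips: silently removing the CRLF would still let the attacker's address through as the From header, and it hides the attack from your logs. Second, the scanner also flags the "comment" field, which legitimately contains newlines because it goes into the body, not the headers; a hit there is not exploitable by itself but is still a strong signal that the submission is a bot probing the form, so log it and drop the message rather than trying to distinguish.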
