Attempted Hacking


dunhill

2:07 am on Feb 17, 2006 (gmt 0)

10+ Year Member



I have been hacked once before and my site was shut down by my hosting company.

It looks like someone is again trying to hack my website. Is there anybody I can report them to?

I have their IP address and the file they tried to upload and run. I tried running a trace of the IP but couldn't find any info.

I allow photos to be uploaded, so they tried to upload a file called, for example, aa.php.jpg. I hide the upload directory and make the file read-only when they upload it; I changed this since my last attack. I am concerned that someone is targeting my site.

Thank you

stapel

3:49 am on Feb 17, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Since you know their IP address(es), have you blocked them in your .htaccess file? Or do they keep moving?

Eliz.

dunhill

3:53 am on Feb 17, 2006 (gmt 0)

10+ Year Member



I have blocked the IP!

I am waiting to see if they will try again.

freeflight2

4:03 am on Feb 17, 2006 (gmt 0)

10+ Year Member



Looks like a Coppermine gallery hack (often by automated worms, file.jpg.php) ... make sure you applied recent security updates, then you should be fine.

rocknbil

7:42 pm on Feb 17, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Welcome aboard dunhill.

Well, the IP address is probably a compromised server, so if it's blocked they'll just use a different one they've hacked. These things almost never come from the actual location of the hack but from a compromised box.

The most sure stop to this is to screen your input data and reject anything that isn't supposed to be there. In the case of uploading images, an example might be to install and use ImageMagick and the PerlMagick module, even if no image resizing occurs. Perl example below, with $imgPath representing the virtual path to the uploaded file. This might be a little complicated but it's one of the things you have to do to slow these attacks down.

Although image files and virus files are both binary data, what you'd do is create a list of acceptable types,

%formats = ('Tagged Image File Format', 'tif', 'Adobe PostScript', 'eps', 'Joint Photographic Experts Group JFIF format', 'jpg', 'CompuServe graphics interchange format', 'gif', 'Microsoft Windows bitmap image', 'bmp');

# and immediately upon upload ask ImageMagick to give you the type

use Image::Magick;
$pic = Image::Magick->new;
$x = $pic->Read("$imgPath");
$IMformat = $pic->GetAttribute('format');

## $x is the internal error from perlMagick. Most likely
## a non-image format will return an error in $x,
## but sometimes it won't, hence the second check
## for defined types.
if (($x) or (!$formats{$IMformat})) {
    unlink $imgPath; ## Delete it
    &error("Not a valid image format");
}

... Where your &error subroutine gives an appropriate message and exits.

This still has a problem - viruses embedded in image files can still get through, but this can slow down some of the attacks. And sometimes that's the best we can do, put enough thorns in their toes to make them give up and go away. :-)

StupidScript

8:42 pm on Feb 17, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



rocknbil's idea is great!

You may also be able to easily deny any file that contains ".php" by simply checking the file name before allowing the upload, if the nature of these attacks is consistent.

Demaestro

10:24 pm on Feb 17, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



There is also a utility called pil that converts images at time of upload. You can use this to convert all images uploaded to a safer format that won't run executable code.
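
An added example, not part of any post in this thread: a Python sketch (standard library only) that combines the filename check and the content check suggested above, then stores the file under a server-generated name. The names `vet_upload` and `sniff`, the extension lists and the sample bytes are assumptions made for illustration.

```python
import secrets

# Leading bytes of the formats this sketch accepts (a subset of the list in the thread).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "tif": (b"II*\x00", b"MM\x00*"),
}
# Extensions a web server may map to a script handler (assumed list; extend per server).
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "pl", "cgi", "py", "asp", "jsp", "shtml"}
ALIASES = {"jpeg": "jpg", "tiff": "tif"}


def sniff(data):
    """Return the format key whose signature starts the data, or None."""
    for fmt, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return fmt
    return None


def vet_upload(client_name, data):
    """Return (stored_name, None) on accept or (None, reason) on reject."""
    # Every dot-separated part after the first counts as an extension, so
    # both aa.php.jpg and file.jpg.php are caught.
    parts = [p.lower() for p in client_name.split(".")[1:]]
    if not parts:
        return None, "no extension"
    if any(p in SCRIPT_EXTS for p in parts):
        return None, "script extension in name"
    claimed = ALIASES.get(parts[-1], parts[-1])
    if claimed not in MAGIC:
        return None, "extension not allowed"
    actual = sniff(data)
    if actual is None:
        return None, "content is not an accepted image"
    if actual != claimed:
        return None, "extension does not match content"
    # Never reuse the client's name on disk: random base, extension from content.
    return secrets.token_hex(16) + "." + actual, None


# Constructed sample inputs, not captured from a real attack.
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
SCRIPT_BODY = b"<?php /* constructed placeholder */ ?>"
```

A file that starts with a valid image signature and carries other bytes after it still passes `sniff`, which is the limitation noted in the thread; the signature check only narrows what is accepted, and the generated name is what keeps a client-chosen extension off the disk.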