Hacked – Someone has added files to my server

Viewing 3 replies - 1 through 3 (of 3 total)

  • thats a remote file inclusion attack.

    the referer is not libwww-perl/5.803. Thats the user-agent. It means they used a script. Nothing else, nothing more.

    https://www.frsirt.com/english/advisories/2006/2740/solution

    Are you using randshop?

    PHP 5 mitigates this risk substantially.
    turn register_globals to OFF
    use mod_security
    disallow allow_url_fopen if youre still using PHP 4

    Thread Starter Alex Cragg

    (@epicalex)

    No I’m not, i have other e-commerce on the same host, but not on this domain. What else could be causing the vulnerability? The details talk of index.php, but my index.php is just the standard wp-blog-header include, nothing else.

    You’re right, in my haste to post I didnt realise it was the user agent, not referrer.

    Thanks for the speedy reply.

    Edit: Ok just seen your edit, not too hot on server configuration. I’m still on php 4, where should I be putting that line?

    plus, deleted the folder, nothing happened to my site, so thats a plus!

    heres another quick fix; this wont eliminate the problem completely as some of these script kiddies have caught on and are now adjusting the UA:

    in your .htaccess, disallow that user-agent.

    RewriteCond %{HTTP_USER_AGENT} libwww-perl [NC,OR]
RewriteRule ^.* - [F]

    If I were you, I would be going through my files, trying to locate what I have installed that uses that variable, if anything. If you go through your files and see that that variable isnt being used ANYWHERE, than chances are that THAT log entry doesn’t correspond to the actual successful attack.

    use wingrep (google it) and search **all** your files for that variable above.

    Im off to work, but if you need help email me — I’m unbusy at work for the next 12 or so hours.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Hacked – Someone has added files to my server’ is closed to new replies.