2

My website was recently attacked, and in the log I found some requests like:

I found some suspicious files and folders in my root directory and someone has written on home page that "you are hacked".

One of the folders is "lentenfish", containing files like "sql.php", "cof.pl", ".htaccess", "jen.jeen".

mysite.com/view_news.php?id=-999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536--

and

/?<'IMG SRC="javascript:alert(cross_site_scripting.nasl);">

and

/?ho+{COMPLETE_VERSION}

and

/admin/?email=../admin/noop.cgi?foo=bar&test=blah

and

/admin/?password=../../../../../../../../windows/win.ini

and many more :(

I don't know where the problem is and how to solve it.

My website is written in PHP and the backend is MySQL.

So please help me out in solving this.

Thanks !

Adil Shaikh
  • possible duplicate of [Best way to defend against mysql injection and cross site scripting](http://stackoverflow.com/questions/568995/best-way-to-defend-against-mysql-injection-and-cross-site-scripting) – Quentin May 09 '11 at 11:44

5 Answers

3

The first one is an attempt at SQL injection. The second is snooping for XSS (Cross-Site-Scripting) vulnerability. Not sure about the third, but the others look like snooping for admin passwords.

You might want to just read up on server and browser security. This could be an automated attack, but it's important to be aware of these issues.

Abel Mohler
1

The hacker has injected code into a dynamic include in your page using a technique called Remote File Inclusion. It's likely your view_news.php file has an include that doesn't 'exclude' anything that you don't want people to view. Make a list of all the pages allowed to be included in view_news.php and simply do nothing if anything else is used.

ThisDarkTao
1

This doesn't show a problem. It shows that an automated scanner is trying to find a problem using well-known bugs in PHP apps at standard install locations. What makes you think there's a problem?

Mel
0

Do you know if there was any actual damage done?

To me that seems to be so-called fuzzing, where an attacker uses a script to automatically scan for vulnerabilities that might be there in the hopes of getting lucky. If this is the case you don't really have anything specific to worry about, even though you should use safe code practices to avoid a successful attack.

Did you write the script yourself? If no, try to upgrade to the latest version. If yes, learn about different kinds of vulnerabilities to protect yourself from attacks.

nitro2k01
  • Fuzzing [link](http://searchsecurity.techtarget.com/definition/fuzz-testing) is a more advanced technique that creates structured yet random input in order to induce a buffer over/underflow or another parsing error. This is just an automated analysis tool working on known URLs. – Andrew Russell Apr 19 '13 at 00:23
0

You first need to find out which of those requests actually caused your website to be hacked. Script kiddies use automated programs to try to break into websites using known vulnerabilities. Therefore, it is very common to see these kinds of requests in your log. If you were hacked then you need to find out what request is responsible and which requests are just automated tests that did not succeed.

Sander Marechal
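One way to do the log triage the last answer describes, as an added example that is not part of the original thread: it tags the scanner probes quoted in the question, finds requests that were actually served from the dropped `lentenfish` files, and lists what those same clients requested beforehand. It assumes Common Log Format; the sample log, its IPs and times, and `/upload.php` are constructed for illustration. A 200 on a probe is not treated as proof of success, since PHP pages often return 200 on errors.

```python
import re
from urllib.parse import unquote_plus

# Probe shapes quoted in the question: UNION SELECT, javascript: in a tag, ../
SIGNATURES = {
    "sqli_union": re.compile(r"union\s+(all\s+)?select", re.I),
    "xss_probe": re.compile(r"<[^>]*javascript:", re.I),
    "path_traversal": re.compile(r"\.\./"),
}
# Folder and file names the asker reported finding in the web root.
DROPPED = re.compile(r"/lentenfish(/|$)|/(sql\.php|cof\.pl|jen\.jeen)(\?|$)", re.I)
# Common Log Format: client, timestamp, method, target, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse(line):
    """Return one decoded, tagged entry, or None for an unparseable line."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    target = unquote_plus(target)
    return {"ip": ip, "ts": ts, "method": method, "target": target,
            "status": int(status), "dropped": bool(DROPPED.search(target)),
            "tags": [n for n, rx in SIGNATURES.items() if rx.search(target)]}

def triage(lines):
    """Separate scanner probes from served hits on dropped files, and list the
    earlier requests made by the clients that later reached those files."""
    entries = [e for e in map(parse, lines) if e]
    hit_idx = [i for i, e in enumerate(entries)
               if e["dropped"] and e["status"] == 200]
    first = hit_idx[0] if hit_idx else len(entries)
    ips = {entries[i]["ip"] for i in hit_idx}
    return {"probes": [e for e in entries if e["tags"]],
            "dropped_hits": [entries[i] for i in hit_idx],
            "leads": [e for e in entries[:first] if e["ip"] in ips]}

# Constructed sample log: documentation IPs, invented times, hypothetical /upload.php.
SAMPLE = """\
198.51.100.7 - - [09/May/2011:10:00:01 +0000] "GET /view_news.php?id=-999.9%20UNION%20ALL%20SELECT%200x31303235343830303536-- HTTP/1.1" 200 512
198.51.100.7 - - [09/May/2011:10:00:02 +0000] "GET /admin/?password=../../../../../../../../windows/win.ini HTTP/1.1" 404 210
198.51.100.7 - - [09/May/2011:10:00:03 +0000] "GET /?<'IMG%20SRC=%22javascript:alert(cross_site_scripting.nasl);%22> HTTP/1.1" 200 900
203.0.113.9 - - [09/May/2011:10:14:40 +0000] "POST /upload.php HTTP/1.1" 200 48
203.0.113.9 - - [09/May/2011:10:15:02 +0000] "GET /lentenfish/sql.php HTTP/1.1" 200 1340
198.51.100.7 - - [09/May/2011:10:20:11 +0000] "GET /admin/?email=../admin/noop.cgi?foo=bar&test=blah HTTP/1.1" 404 210
""".splitlines()

if __name__ == "__main__":
    for name, found in triage(SAMPLE).items():
        print(name, [(e["ip"], e["method"], e["target"]) for e in found])
```

The `leads` list is where to start reading: those are the requests most likely to include the one that planted the files, while `probes` from other clients are the background scanning several answers describe.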