
c99 php script

Posted: Tue May 25, 2010 5:06 pm
by gth759k
I logged into my client's server the other day and to my surprise there were several suspicious files there I'd never seen before! The scariest of which was a file called testc99.php. Looking at it in a browser was even scarier than looking at it in code. It gave anyone access to my work. After reading up on "Remote File Inclusion", which is often associated with this file, I'm completely confused. First of all, nowhere in my 60k+ lines of code do I use a $_GET variable to include files in the way that remote file inclusion describes. Second of all, I want to know how it was uploaded to the root directory of the web page. In my site, everything uploaded from within the site goes to one or another subfolder, but this script was uploaded directly to the same folder as the index of the whole site. Any clues as to how that was accomplished?

Re: c99 php script

Posted: Tue May 25, 2010 5:27 pm
by Jonah Bron
Can the user pick the filename he wants? Someone might have set it to something malicious like "../testc99.php".

It could also be possible that someone got into your FTP account.

Re: c99 php script

Posted: Tue May 25, 2010 5:31 pm
by gth759k
No, the file name is created by uniqid($username), but I've been going back through all my code and rejecting any file uploads that don't have a jpg, jpeg, gif, or png extension. Hopefully that will help prevent this from happening again.
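
An upload check combining the points raised in this thread (client-chosen names such as "../testc99.php", server-generated names, an image-extension allowlist), as an added example that is not code from any poster. The function name safe_upload_target() and the sample files are hypothetical; it assumes PHP 7.1+ with the fileinfo extension.

```php
<?php
// Added example. safe_upload_target() and the sample files are hypothetical/constructed.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'gif' => 'image/gif',  'png'  => 'image/png'];

function safe_upload_target(string $clientName, string $tmpPath, string $uploadDir): ?string
{
    // The client-supplied name is read for its extension only, never used as a path.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;                       // .php, .phtml, no extension, ...
    }
    // An extension can be faked, so the detected content type must agree with it.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED[$ext]) {
        return null;
    }
    // Server-generated name with no user-controlled part. uniqid($prefix) prepends
    // its argument unchanged, so a prefix taken from user input ends up in the path.
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    $target = $base . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
    // Belt and braces: the final path must sit directly inside the upload directory.
    return dirname($target) === $base ? $target : null;
}

// Constructed demo: a minimal GIF header and a PHP file posing as an image.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upl_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$gif  = tempnam(sys_get_temp_dir(), 'g');
$fake = tempnam(sys_get_temp_dir(), 'f');
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
file_put_contents($fake, "<?php echo 'not an image';");

$cases = [
    ['../testc99.php', $fake],   // disallowed extension, traversal in the name
    ['avatar.png',     $fake],   // PHP content under an image extension
    ['../avatar.gif',  $gif],    // traversal in the name, valid GIF content
];
foreach ($cases as [$name, $tmp]) {
    $target = safe_upload_target($name, $tmp, $dir);
    // A real handler would call move_uploaded_file($tmp, $target) here.
    echo str_pad($name, 16), ' => ', $target ?? 'REJECTED', PHP_EOL;
}
```

The upload directory should also be configured so the web server never executes scripts from it, since a content-type check only inspects the leading bytes of a file.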