Possible Intrusion?

Hotkey

Hi all!

I've got a question about a possible intrusion with my current page.
I'm logging all errors or access for all php sides which are accessable on my web project.
Besides the spiders which are cauling different pages (without the necessary id's which are delivered via GET or POST) i also have frequently accesses, which are submitting various http links to my GET values.

For example, i have a page which displays photo albums, the "photo_album_id" is submitted via GET. On other pages i've values like "code_id", "thread_id" etc.

Now these sides are called from various hosts, and as "code_id", "photo_album_id" and other parameters, the following urls are submitted (just some of many):

http://www.ce-cioceoforum.com/talk/t1/roda/ilubov/
http://honamfishing.co.kr/phpmysqladmin/libraries/oduzov/neloze/
http://sans-packing.ru/img/jipeqap/ehudute/

[much more urls here...]
The calls are also coming from different hosts, some of them:
v639.vanager.de
roquefort.hpe.it
server01.cre8ive.org

Now my question is:
a) What is the intention of these scripts when they access my side with those urls?
b) Should i be courious about that actions in terms of security?

Any help is appreciated, thanks in advance.

Greets

Hotkey

mykg4orce

well these certainly look like attempts at compromising your php code using $_GET.

These links actually point to ligitamte sites that have been hacked, and the hackers are running various scripts on the server to comprmise it.

You should continue to monitor your data integrity and make sure that all your $_GET variables have proper validation on them and never ever NEVER do this:

$sql_query = "SELECT * FROM mytable where id='$_GET['core_id']'"

Hotkey

Thanks for the info, which is the best way to check these values?

mykg4orce

That all depends on what the $_GET vars are being used for.

If you are simply using them to identify a user id for example or an id in a database, then make sure that the coming input is only numerical.

Basically assume the worst when handling any kind of input, and work your way backwards as to how to prevent it in the first place from occurring. So if you have to pass your GET var to the DB, then make sure that the var only contains what you expect it to contain before passing it to the QUERY.

Hotkey

ok, im using the function is_numeric, but not in all my files. I guess theres much work to do.
Thanks again...

mykg4orce

Indeed, a hacker will look for any opportunity to compromise your site 🙂

Hotkey

sure, but in this case i had expected a try of sql injection, not "stupid" urls...
I really wonder what the sense of this is

mykg4orce

the sense was to explore any opportunity to exploit, they probably scanned all the sites on your server, assuming you are using a shared host. But only you were keen enough to check it out.