Home / server / Questions / 424798
Accepted
garconcn
Asked: 2012-09-06 21:01:11 +0800 CST

Someone try to hack my site, want to understand the log

  • 772

I have a wordpress site hosted on CentOS 6. After see the following access log, I checked the server, it seems ok. Can anyone explain what does this guy trying to do? Did they get what they want?

I have disabled allow_url_include, and restricted open_basedir to web dir and tmp(/etc is not in the path).

190.26.208.130 - - [05/Sep/2012:21:24:42 -0700] "POST http://my_ip/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n HTTP/1.1" 200 32656 "-" "Mozilla/5.0"

hacking

1 Answers

  1. Best Answer

    Take a look at CVE-2012-1823 first.

    The above URL is decoded as:

    http://my_ip/?-d allow_url_include=On+-d auto_prepend_file=../../../../../../../../../../../../etc/passwd� -n/?-d allow_url_include=On+-d auto_prepend_file=../../../../../../../../../../../../etc/passwd� -n

    ?-d allow_url_include=On: he is trying to add an extra parameter in the php-cgi call:

    $ php-cgi -h
Usage: php [-q] [-h] [-s] [-v] [-i] [-f <file>]
       php <file> [args...]
  -d foo[=bar]     Define INI entry foo with value 'bar'

    +-d auto_prepend_file=../../../../../../../../../../../../etc/passwd� -n: then prepend his file as code to execute. Don't know why he uses Path Traversal attack here instead of using his code or php://input.

    -n at the end to negate the php.ini:

    $ php-cgi -h
Usage: php [-q] [-h] [-s] [-v] [-i] [-f <file>]
       php <file> [args...]
  -n               No php.ini file will be used

    PS: No need to worry if you aren't running PHP as a CGI script.

    • 4