plogworld at jon.limedaley.com
Tue Feb 21 22:03:17 EST 2012
Hi all. I noticed today that one of my lifetype installations was
hacked. I narrowed it down to a four minute window (the hacker was nice
error.log started spewing errors immediately.
Unfortunately, apache didn't log enough data to let me know what
happened, but even suhosin wasn't enough to protect me from this hack.
There are two requests that appear to be the problems:
184.108.40.206 - - [15/Feb/2012:14:37:21 -0500] "GET /post/wp-cache-rss-feeds HTTP/1.1" 400 763 "" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60"
220.127.116.11 - - [15/Feb/2012:14:37:28 -0500] "GET /post/wp-cache-rss-feeds HTTP/1.1" 400 1133 "" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60"
I originally didn't even see them since they look pretty innocuous.
But, as best as I can tell, some data was included in the headers of the
GET request that enabled LifeType to write to a template file. Seems
pretty crazy to me, but I don't see any other signs of entry.
The user that the blog runs on ran nothing but php the entire week
preceding when I discovered it, so that means that anything he did should
be in the apache log files. I see nothing interesting in the logs.
It seems that there must be something added in the Content-Accept or other
header that LifeType isn't being careful about.
I am running PHP 5.2.6, and have been meaning to upgrade, but have been
worried that I might have old PHP that might not work on 5.3, so haven't
gotten around to upgrading yet.
Joy is the infallible sign of the presence of God.
-- Leon Bloy
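An added example, not code from the post or from LifeType: the triage step described above (narrowing the log to the minutes before the template file changed and pulling out the rejected requests) as a small script over Apache combined-format lines. The sample log and the template mtime are constructed here; the two 400 lines are the ones quoted in the post.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log format:
# host ident authuser [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def requests_before(lines, modified_at, window=timedelta(minutes=4)):
    """All requests logged within `window` before `modified_at` (an aware datetime,
    e.g. the mtime of the template file that changed). Sorted by time."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and modified_at - window <= rec["time"] <= modified_at:
            hits.append(rec)
    return sorted(hits, key=lambda r: r["time"])

def error_hits(hits):
    """Keep only 4xx/5xx responses: a file write right after the server rejected
    a request deserves a closer look than a routine 200."""
    return [h for h in hits if h["status"] >= 400]

# Constructed sample: the two lines quoted in the post plus two ordinary hits.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Feb/2012:14:20:05 -0500] "GET /post/hello HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '184.108.40.206 - - [15/Feb/2012:14:37:21 -0500] "GET /post/wp-cache-rss-feeds HTTP/1.1" 400 763 "" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60"',
    '220.127.116.11 - - [15/Feb/2012:14:37:28 -0500] "GET /post/wp-cache-rss-feeds HTTP/1.1" 400 1133 "" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60"',
    '10.0.0.5 - - [15/Feb/2012:14:38:10 -0500] "GET /post/hello HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
# Assumed mtime of the rewritten template file (what `stat` reports on the host).
MODIFIED_AT = datetime(2012, 2, 15, 14, 40, 0, tzinfo=timezone(timedelta(hours=-5)))

if __name__ == "__main__":
    for h in error_hits(requests_before(SAMPLE_LOG, MODIFIED_AT)):
        print(h["time"].isoformat(), h["host"], h["status"], h["uri"], h["agent"])
```

Because the default access log does not record request headers, the output only tells you which requests to examine; enabling mod_log_forensic or a LogFormat with the headers you suspect is what would let the next incident be diagnosed from the logs alone.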