Comments on: Dumbest Break-in Attempts http://todd.wallentine.com/blog/?p=174 Toads Wild Ride Thu, 04 Dec 2008 20:27:51 -0800 hourly 1 http://wordpress.org/?v=3.0 By: Todd http://todd.wallentine.com/blog/?p=174&cpage=1#comment-245 Todd Mon, 19 Nov 2007 17:56:22 +0000 http://todd.wallentine.com/blog/?p=174#comment-245 Dotan I don't have specifics about the holes we patched (it was done a while ago and I didn't keep notes) but the basic idea was to validate any incoming variables in PHP. Using the example log above, our scripts now check to make sure thread_id is a number. This can be done using the following: if(!is_numeric($thread_id)) { exit_error("Invalid thread id", "The thread id you sent was invalid. Please try again with a valid thread id."); } Another thing to do would be to make sure you don't use the PHP inclusion mechanism for any variables taken in from the user. For example, don't do something like this: require($thread_id); Otherwise, good luck. These script-kiddies are really annoying. Dotan

I don’t have specifics about the holes we patched (it was done a while ago and I didn’t keep notes) but the basic idea was to validate any incoming variables in PHP. Using the example log above, our scripts now check to make sure thread_id is a number. This can be done using the following:

if(!is_numeric($thread_id)) {
exit_error(“Invalid thread id”, “The thread id you sent was invalid. Please try again with a valid thread id.”);
}

Another thing to do would be to make sure you don’t use the PHP inclusion mechanism for any variables taken in from the user. For example, don’t do something like this:

require($thread_id);

Otherwise, good luck. These script-kiddies are really annoying.

]]> By: Nothing to see here » PHP include attacks rolling on… http://todd.wallentine.com/blog/?p=174&cpage=1#comment-244 Nothing to see here » PHP include attacks rolling on… Mon, 19 Nov 2007 16:20:54 +0000 http://todd.wallentine.com/blog/?p=174#comment-244 [...] I decide to google one of the URL’s that’s included, and right off the bat, I found this article from a web site that’s seeing the same thing.  I believe these attacks are being launched [...] [...] I decide to google one of the URL’s that’s included, and right off the bat, I found this article from a web site that’s seeing the same thing.  I believe these attacks are being launched [...]

]]> By: Dotan Mazor http://todd.wallentine.com/blog/?p=174&cpage=1#comment-243 Dotan Mazor Sun, 18 Nov 2007 05:35:56 +0000 http://todd.wallentine.com/blog/?p=174#comment-243 SAnToS, Who knows? maybe they tried to "huff and puff until they blow your house in" :-) It appears that you do have readers. And from Israel, nonetheless. We have had the same attempts, but not by "dumb" script kiddies. They actually know several access points on our domain, which means that they have managed to squeeze some information out of the server. Could you post a reference of the hole that you fixed? Knowing our sys admins, it is already fixed, but I wouldn't want to crash down because of such an assumption. And thank you for your sarcastic article. As they say: some kiddies never die - they just smell that way... Dotan SAnToS,

Who knows? maybe they tried to “huff and puff until they blow your house in” :-)

It appears that you do have readers. And from Israel, nonetheless.

We have had the same attempts, but not by “dumb” script kiddies. They actually know several access points on our domain, which means that they have managed to squeeze some information out of the server.

Could you post a reference of the hole that you fixed? Knowing our sys admins, it is already fixed, but I wouldn’t want to crash down because of such an assumption.

And thank you for your sarcastic article. As they say: some kiddies never die – they just smell that way…

Dotan

]]>