osCommerce

The e-commerce.

Server Hack? found in Whos_Online.php


DogFoodIT

Posted

Hi all, I just noticed this in the Who's Online page in admin. Looks to be a server hack of some sort?

https://mysite.com.au/%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E

 

transformed to:

https://mysite.com.au/phppath/php?
-d+allow_url_include=on
+-d+safe_mode=off
+-d+suhosin.simulation=on
+-d+disable_functions=""
+-d+open_basedir=none
+-d+auto_prepend_file=php://input+-n

Can anyone shed some light on the matter? Is it trying to append injections to the forms?

Thanks in advance

Posted

@@DogFoodIT

 

It's a script attempt to find a vulnerability. If your site is configured correctly, it would fail.

Chris

Posted

@@DunWeb

Thanks for that, would you know what it is trying to do? Is it trying to use the input function to include remote files or add new files to the server? I can see it is trying to configure settings to gain access. Would this be classed as some sort of XSS?

Posted

There are commands you can add to your .htaccess file to stop cross-site scripting attempts. Have a look on the forum, I am sure they are listed here.

Archived

This topic is now archived and is closed to further replies.
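Added example, not part of the thread and not osCommerce code: a Python log check that percent-decodes each request the way the first post did by hand and flags query strings carrying `-d` overrides of the php.ini directives seen in that request. The log lines are constructed, an Apache-style log format is assumed, and `parse_switches` and `scan` are hypothetical helper names.

```python
import re
from urllib.parse import unquote, urlsplit

# php.ini directives named in the decoded request from the first post.
WATCHED = {"allow_url_include", "safe_mode", "suhosin.simulation",
           "disable_functions", "open_basedir", "auto_prepend_file"}
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')  # request line inside a log entry
# Path and query of the request quoted in the first post (host removed).
POSTED = ("/%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+"
          "%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+"
          "%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+"
          "%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E")
# Constructed access-log lines: addresses, dates, methods and status codes are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?cPath=3_10 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET ' + POSTED + ' HTTP/1.1" 404 312',
]

def parse_switches(target):
    """Percent-decode the query and read it as '+'-separated command-line switches."""
    tokens = [t for t in re.split(r"[+\s]+", unquote(urlsplit(target).query)) if t]
    overrides, switches, i = {}, [], 0
    while i < len(tokens):
        if tokens[i] == "-d" and i + 1 < len(tokens) and "=" in tokens[i + 1]:
            name, _, value = tokens[i + 1].partition("=")
            overrides[name] = value  # "-d name=value" is an ini override
            i += 1  # skip the value token just consumed
        elif re.fullmatch(r"-[A-Za-z]", tokens[i]):
            switches.append(tokens[i])
        i += 1
    return overrides, switches

def scan(lines):
    """Return (line number, decoded path, watched directives, other switches) per hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        overrides, switches = parse_switches(match.group(1))
        flagged = sorted(WATCHED.intersection(overrides))
        if flagged:
            path = unquote(urlsplit(match.group(1)).path)
            hits.append((number, path, flagged, switches))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```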
