At 2007-07-28 22:21, you wrote:
>Hi all.
>
>I was doing some digging in my log files to troubleshoot a problem,
>and I came across a bunch of weird URLs, where it appears that
>someone is trying to inject some code from other places. Thankfully,
>many of the pages they were trying to inject via did not exist on my server.
>
>Anyway, the commands below will look at your log files. I would be
>interested if anyone else is getting hits on some of these....

I see these quite often. Some of them are actually search bots (I
have MSN and Google listed in the log I just dumped using your latter
grep command), some are actually intentional (but validated in the
script before any action is taken) and some are obvious injection
attacks possibly looking for known exploits in popular scripts.

>and more importantly, what are the recommendations from some of the
>PHP gurus out there.

The simple answer is: never accept any type of user input without
server-side validation. Specifically, $_GET or $_POST variables
should *always* be checked and stripped down to make sure they
contain *only* the data you expect.

>1. Look at old log files (more data to look at)
>gzip -dc /var/log/httpd/access_log*gz | grep "=http.* HTTP" | less
>or
>2. Just look at current apache log file.
>grep "=http.* HTTP" /var/log/httpd/access_log
>
>Regards,
>Greg.
>
Brent Epp
mailto:brent (at mark) pdcweb.net
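
The log check from the quoted message, as an added Python example that is not part of the original thread: it parses each request, decodes the query string, and tallies parameters whose value is a remote URL by path and status, so hits on scripts that exist (200) stand out from misses (404). The log lines are constructed samples and the function names are this example's own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache common/combined log format: client host, request line, status code.
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def remote_url_params(line):
    """Return (host, path, status, [(param, value)]) when a query parameter's
    value is a URL; return None for other requests and unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; unquote again to catch double-encoded values.
        if REMOTE_RE.match(value) or REMOTE_RE.match(unquote(value)):
            hits.append((name, value))
    if not hits:
        return None
    return m.group("host"), parts.path, int(m.group("status")), hits

def summarize(lines):
    """Count hits per (path, parameter, status code)."""
    counts = Counter()
    for line in lines:
        hit = remote_url_params(line)
        if hit:
            _, path, status, params = hit
            for name, _ in params:
                counts[(path, name, status)] += 1
    return counts

# Constructed sample lines (documentation addresses, placeholder hosts).
SAMPLE = [
    '192.0.2.10 - - [28/Jul/2007:21:02:11 -0500] "GET /index.php?page=http://example.invalid/x.txt? HTTP/1.1" 404 210 "-" "libwww-perl/5.805"',
    '192.0.2.10 - - [28/Jul/2007:21:02:12 -0500] "GET /view.php?inc=HTTP%3A%2F%2Fexample.invalid%2Fx.txt HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"',
    '198.51.100.7 - - [28/Jul/2007:21:05:40 -0500] "GET /redirect.php?url=http://www.example.org/ HTTP/1.1" 200 312 "-" "msnbot/1.0"',
    '203.0.113.5 - - [28/Jul/2007:21:06:01 -0500] "GET /about.php?lang=en HTTP/1.0" 200 1834 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(n, *key)
```

A 200 on a parameter the script never expects to hold a URL is the entry to review first; a parameter that takes URLs by design, like the constructed `redirect.php?url=` line, still depends on the script validating it.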