From: "scot" on
Hi there,
Not sure if this is proper place to post but here it goes. We got nailed by
someone using c99shell today. They were able to upload and overwrite a bunch
of index files. I am working on discovering how they were able to get it on
our server. Here's some basic info. I am by no means a php expert. Should
things be different? Is there a good paper out there somewhere in regards to
windows / iis5 / php security?

php 4.4.1
Safe Mode: OFF
Open basedir: none
Display Errors: ON
Short Open Tags: ON
File Uploads: ON
Magic Quotes: ON
Register Globals: ON
Output Buffering: OFF
Session save path: e:\PHP\sessiondata
Session auto start: 0
XML enabled: Yes
Zlib enabled: Yes
Disabled Functions: none

Here is also a snip of log (altered IP's and URL) of what I think is the
hack of the site. (I could be wrong)

2006-04-29 23:47:46 x.x.x.x - x.x.x.x 80 GET /index.html - 200 0 958 105 172
HTTP/1.0 www.blah.com Wget/1.9.1 - -
2006-04-29 23:49:32 x.x.x.x - x.x.x.x 80 GET /index.html - 200 0 953 122 297
HTTP/1.1 www.blah.com libwww-perl/5.805 - -

Thanks,
Scot