Tracing source of uploaded files?

Discussion in 'Security' started by Jargonaut, Feb 27, 2011.

  1. #1
    I have an issue with my Linux CentOS 5 web server. There is some kind of vulnerability somewhere that is allowing the upload of PHP files as .jpg. This has been a recurring problem and I have to get to the bottom of it before my host loses patience.

    Is there any way to trace the source of files that get uploaded to the tmp folder? Maybe some logging I can enable that I can search that might highlight a script on one of the sites on the server that is being exploited?

    Any help at all on this would be greatly appreciated.

    Jargonaut, Feb 27, 2011
  2. mikeasro

    #2
    "Uploading php files as jpeg"? So they are uploading a php file just with the extension changed, or hiding encoded text in it and then decoding it to a .php file?

    Is your server up to date? Do: yum clean all; yum update as root.
    You also need to check you have the correct permissions set on the tmp file.

    mikeasro, Feb 28, 2011
  3. abinteractive

    #3
    Check the date modified time for the uploaded file. Check your Apache logs for an entry at this time - should show what URL is being used as the insecure entry point.

    abinteractive, Mar 1, 2011
  4. testu

    #4
    You can go inside the logs folder and type grep filename.jpg (the uploaded .jpg file name) *. Example:

    grep blabla.jpg *

    This way you can most likely see the IP that uploaded this file and using which script.

    testu, Mar 3, 2011
  5. Jargonaut

    #5
    Thanks for the replies, very much appreciated.

    There have been various files including .jpg and .txt. The contents are purely PHP. Permissions were set to 1777. I just ran /scripts/securetmp and it said tmp was already secure. The yum update I haven't done yet.

    The date modified time on the file is older than it's possible for the file to be; I know the file wasn't there yesterday but the date is 15th Feb.

    Checked all log files, no reference at all to tmp.jpg.

    I enabled logging on modsec2 in case the file was uploaded through some post form and enabled the access to form contents but there is no reference to any of the file names there.

    Any other ideas?

    Jargonaut, Mar 4, 2011
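
The time correlation suggested in post #3, as an added example that is not part of any post in this thread: it finds files whose content is PHP regardless of extension, reads both mtime and ctime (on Linux, ctime is the inode change time and is not set by touch, so it still helps when mtime looks wrong as in post #5), and lists POST/PUT requests logged within a few seconds of that time instead of searching for the file name. The Apache common/combined log format is assumed, and the sample log lines, IP addresses and script paths are constructed.

```python
import os, re, sys
from datetime import datetime, timedelta, timezone

# Start of an Apache common/combined access log line (assumed log format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample lines: documentation IP ranges and made-up script paths.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Mar/2011:10:15:30 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.23 - - [04/Mar/2011:10:15:32 +0000] "POST /gallery/upload.php HTTP/1.1" 200 312',
    '203.0.113.7 - - [04/Mar/2011:11:02:10 +0000] "POST /contact.php HTTP/1.1" 200 88',
]

def looks_like_php(path, probe=4096):
    """True if the first bytes hold a PHP open tag, whatever the extension."""
    try:
        with open(path, "rb") as fh:
            return b"<?php" in fh.read(probe).lower()
    except OSError:
        return False

def file_times(path):
    """(mtime, ctime) in UTC. touch/utime can set mtime; the kernel sets ctime."""
    st = os.stat(path)
    return tuple(datetime.fromtimestamp(t, tz=timezone.utc)
                 for t in (st.st_mtime, st.st_ctime))

def requests_near(log_lines, when, window=timedelta(seconds=5),
                  methods=("POST", "PUT")):
    """(ip, path, status) of upload-capable requests within `window` of `when`."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in methods:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - when) <= window:
            hits.append((m["ip"], m["path"], m["status"]))
    return hits

if __name__ == "__main__":
    # Usage: python3 trace_uploads.py <directory> <access_log>
    directory, log_path = sys.argv[1], sys.argv[2]
    with open(log_path, errors="replace") as fh:
        lines = fh.readlines()
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and looks_like_php(path):
            mtime, ctime = file_times(path)
            print(f"{path}  mtime={mtime:%Y-%m-%d %H:%M:%S}  ctime={ctime:%Y-%m-%d %H:%M:%S}")
            for hit in requests_near(lines, ctime):
                print("    candidate request:", *hit)
```

A ctime much later than the mtime on a flagged file means the modification date was set after the fact, and the ctime is the one to match against the logs.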