Hi,
I got an email sent to me from my upload script (using the mail() function whenever an upload is detected) that someone uploaded "e.jpg.php" on a page that only supports uploading of jpg files.
The upload page (mysite:// upload/index.php, now removed) had a stat counter that tells me the hacker came from:
http://www.google.com.tr/search?hl=tr&rlz=1T4GGLL_trTR363TR363&q=inurl:/upload %22choose a file&start=230&sa=N
keyword: inurl:/upload "choose a file
IP: 88.252.100.182
location: Antalya, Turkey
running a virtual machine, Win XP with IE 6.0.
Opening e.jpg.php suggests that the page is "r57 shell". It was immediately deleted.
I think it's just some script kiddie fooling around, but I'm not sure how many of you are affected by this, and how much information "r57" can mine. Please check your systems!
(For the record, my antivirus removed the file immediately, so I couldn't read the source.)
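One way to act on "Please check your systems!", shown as an added example that is not part of the original post: a POSIX shell function that audits a directory meant to hold only JPEG uploads, by file name and by content. The function names, the list of script extensions and the two sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Audits a directory that is supposed to hold only JPEG uploads.
# Prints "<reason><TAB><path>" for every finding; no output means clean.
# The script-extension list is an assumption: match it to your server's handlers.
audit_uploads() {
    dir=$1
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        name=$(printf '%s' "${f##*/}" | tr '[:upper:]' '[:lower:]')
        # 1. Script extension anywhere in the name, as in "e.jpg.php".
        case $name in
            *.php*|*.phtml*|*.phar*) printf 'script-extension\t%s\n' "$f" ;;
        esac
        # 2. Final extension is not one a JPEG-only uploader should store.
        case $name in
            *.jpg|*.jpeg) ;;
            *) printf 'unexpected-extension\t%s\n' "$f" ;;
        esac
        # 3. First three bytes are not the JPEG start marker FF D8 FF.
        magic=$(dd if="$f" bs=3 count=1 2>/dev/null | od -An -tx1 | tr -d ' \t\n')
        [ "$magic" = ffd8ff ] || printf 'not-jpeg-content\t%s\n' "$f"
        # 4. A PHP open tag appears somewhere in the file's bytes.
        if LC_ALL=C grep -qiF '<?php' "$f"; then
            printf 'php-open-tag\t%s\n' "$f"
        fi
    done
}

# Constructed samples: a bare JPEG header and a harmless PHP placeholder.
demo_audit() {
    tmp=$(mktemp -d) || return 1
    printf '\377\330\377\340JFIF' > "$tmp/holiday.jpg"
    printf '<?php /* constructed placeholder */ ?>' > "$tmp/e.jpg.php"
    audit_uploads "$tmp"
    rm -rf "$tmp"
}

demo_audit
```

To audit a real directory, call `audit_uploads` with its path instead of running `demo_audit`; the loop covers that directory only, not its subdirectories.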