odd GET s

  • TekWiz

    odd GET s

    I was combing through my Apache logs, just checking up on things and I
    found something very odd that I've never seen before. These weird
    accesses:

    index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
    index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF43


    I'm not sure what this is.

    This is what they do:

    The first one simply displays the Zend Optimizer logo, and the second
    one goes to my home page.

    The first one only occurs about 10 times, on the same page, from 2
    different IPs. The second occurs probably 50 times, on the same page,
    from 4 different IPs.


    Does anyone know what this is? If so, can it be useful to me, or is it
    simply a security hole.


    --TekWiz

  • Randell D.

    #2
    Re: odd GET s

    TekWiz wrote:
    > I was combing through my Apache logs, just checking up on things and I
    > found something very odd that I've never seen before. These weird
    > accesses:
    >
    > index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
    > index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF43
    >
    >
    > I'm not sure what this is.
    >
    > This is what they do:
    >
    > The first one simply displays the Zend Optimizer logo, and the second
    > one goes to my home page.
    >
    > The first one only occurs about 10 times, on the same page, from 2
    > different IPs. The second occurs probably 50 times, on the same page,
    > from 4 different IPs.
    >
    >
    > Does anyone know what this is? If so, can it be useful to me, or is it
    > simply a security hole.
    >
    >
    > --TekWiz

    What does index.php do? Does it expect arguments in $_GET or $_POST?
    It might well be a hacking process crawling the web for php
    suffixed files and then sending some duff information to see if PHP
    would throw out an error (if it did, then I guess it might give the
    hacker something to work on).

    I can't see how you get the Zend Optimizer logo from the first link, and
    your home page on the second link. I think first time around, it's
    reading it from your PC's cache - I'm not sure - I'm guessing...

    Hope that helps some,
    randelld


    • Kevin

      #3
      Re: odd GET s

      The first request is a PHP "Easter Egg". In order to not show the logo, you
      need to set expose_php to off in php.ini. Someone may be trying to
      determine if your server is running PHP (for benign or malevolent reasons).
      The second request, as far as I know, is meaningless.

      - Kevin


      "TekWiz" <tekwiz@twarlick.net> wrote in message
      news:1106766542.397334.11410@z14g2000cwz.googlegroups.com...
      > I was combing through my Apache logs, just checking up on things and I
      > found something very odd that I've never seen before. These weird
      > accesses:
      >
      > index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
      > index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF43
      >
      >
      > I'm not sure what this is.
      >
      > This is what they do:
      >
      > The first one simply displays the Zend Optimizer logo, and the second
      > one goes to my home page.
      >
      > The first one only occurs about 10 times, on the same page, from 2
      > different IPs. The second occurs probably 50 times, on the same page,
      > from 4 different IPs.
      >
      >
      > Does anyone know what this is? If so, can it be useful to me, or is it
      > simply a security hole.
      >
      >
      > --TekWiz



      • Peter Sahlstrom

        #4
        Re: odd GET s

        "TekWiz" <tekwiz@twarlick.net> writes:

        > I was combing through my Apache logs, just checking up on things and I
        > found something very odd that I've never seen before. These weird
        > accesses:
        >
        > index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
        > index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF43
        >
        >
        > I'm not sure what this is.
        > --snip--
        > Does anyone know what this is? If so, can it be useful to me, or is it
        > simply a security hole.

        I don't know the technical term for these types of strings, but they're
        completely harmless PHP control codes. They actually work on any
        webserver with expose_php enabled (see, for example,
        http://www.php.net/?=PHPE9568F36-D42...9-00AA001ACF42 ). If they
        make you nervous, though, you can set the expose_php in your php.ini
        file to Off.

        There are actually four codes that I know about (you can see their
        definitions in the php source within /ext/standard/info.h)

        ?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
        Displays the PHP logo. (This provides a way for the phpinfo function
        to display a PHP logo).

        ?=PHPE9568F35-D428-11d2-A769-00AA001ACF42
        Displays the Zend logo. (Also used by phpinfo).

        ?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
        Displays an "easter egg" image of a rabbit in PHP 5.0, a dog in PHP
        4.3.0, or some dude in 4.2.3

        ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
        Displays the PHP development credits. (This page is linked to from phpinfo).

        I hope this helps.

        --
        Peter Sahlstrom
        news@sahlstrom.us
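
Added example, not part of the thread: a small scanner for Apache access-log lines that tallies, per client IP, requests carrying one of the four query strings listed in post #4, and separately counts look-alike values such as the `...ACF43` request from the original post. The log lines, IP addresses and function names are constructed for illustration, and the log prefix is assumed to be Apache common/combined format.

```python
import re
from collections import Counter, defaultdict

# The four query-string values and their effects, as listed in post #4.
KNOWN = {k.upper(): v for k, v in {
    "PHPE9568F34-D428-11d2-A769-00AA001ACF42": "PHP logo",
    "PHPE9568F35-D428-11d2-A769-00AA001ACF42": "Zend logo",
    "PHPE9568F36-D428-11d2-A769-00AA001ACF42": "easter egg image",
    "PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000": "PHP credits",
}.items()}

# Assumed log prefix: client IP, ident, user, [timestamp], "METHOD target PROTO"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*"')
# Query with an empty key, then "PHP" followed by an 8-4-4-4-12 hex GUID.
PROBE_RE = re.compile(r'\?=(PHP[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})', re.I)


def classify(token):
    """Map a matched token to its known effect, or flag it as a look-alike."""
    return KNOWN.get(token.upper(), "unrecognized PHP-style GUID")


def scan(lines):
    """Return {client_ip: Counter(label -> hits)} for matching requests."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        ip, target = m.groups()
        probe = PROBE_RE.search(target)
        if probe:
            hits[ip][classify(probe.group(1))] += 1
    return dict(hits)


# Constructed sample log lines (documentation IP ranges, made-up sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Jan/2005:10:00:01 -0500] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524',
    '192.0.2.10 - - [26/Jan/2005:10:00:02 -0500] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF43 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [26/Jan/2005:10:05:00 -0500] "GET /index.php?=phpb8b5f2a0-3c92-11d3-a3a9-4c7b08c10000 HTTP/1.0" 200 9000',
    '198.51.100.7 - - [26/Jan/2005:10:05:03 -0500] "GET /index.php?page=2 HTTP/1.0" 200 700',
]

if __name__ == "__main__":
    for ip, counts in scan(SAMPLE_LOG).items():
        print(ip, dict(counts))
```

A client that requests several of these values in quick succession is most likely checking whether the server runs PHP; setting expose_php to Off, as suggested in the replies, stops the server from answering them.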