
odd GET s
TekWiz

2005-01-26, 3:56 pm

I was combing through my apache logs, just checking up on things and I
found something very odd that I've never seen before. These weird
accesses:

index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF43


I'm not sure what this is.

This is what they do:

The first one simply displays the Zend Optimizer logo, and the second
one goes to my home page.

The first one only occurs about 10 times, on the same page, from 2
different IPs. The second occurs probably 50 times, on the same page,
from 4 different IPs.


Does anyone know what this is? If so, can it be useful to me, or is it
simply a security hole.


--TekWiz

Randell D.

2005-01-27, 8:55 am

TekWiz wrote:

> I was combing through my apache logs, just checking up on things and I
> found something very odd that I've never seen before. These weird
> accesses:
>
> index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
> index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF43
>
>
> I'm not sure what this is.
>
> This is what they do:
>
> The first one simply displays the Zend Optimizer logo, and the second
> one goes to my home page.
>
> The first one only occurs about 10 times, on the same page, from 2
> different IPs. The second occurs probably 50 times, on the same page,
> from 4 different IPs.
>
>
> Does anyone know what this is? If so, can it be useful to me, or is it
> simply a security hole.
>
>
> --TekWiz
>


What does index.php do? Does it expect arguments in $_GET or $_POST?
It might well be a hacking process crawling the web for php
suffixed files and then sending some duff information to see if PHP
would throw out an error (if it did, then I guess it might give the
hacker something to work on).

I can't see how you get the Zend Optimizer logo from the first link, and
your home page on the second link. I think first time around, it's
reading it from your PC's cache - I'm not sure - I'm guessing...

Hope that helps some,
randelld

Kevin

2005-01-27, 8:56 pm

The first request is a PHP "Easter Egg". In order to not show the logo, you
need to set expose_php to off in php.ini. Someone may be trying to
determine if your server is running PHP (for benign or malevolent reasons).
The second request, as far as I know, is meaningless.

- Kevin


"TekWiz" <tekwiz@twarlick.net> wrote in message
news:1106766542.397334.11410@z14g2000cwz.googlegroups.com...
>I was combing through my apache logs, just checking up on things and I
> found something very odd that I've never seen before. These weird
> accesses:
>
> index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
> index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF43
>
>
> I'm not sure what this is.
>
> This is what they do:
>
> The first one simply displays the Zend Optimizer logo, and the second
> one goes to my home page.
>
> The first one only occurs about 10 times, on the same page, from 2
> different IPs. The second occurs probably 50 times, on the same page,
> from 4 different IPs.
>
>
> Does anyone know what this is? If so, can it be useful to me, or is it
> simply a security hole.
>
>
> --TekWiz
>



Peter Sahlstrom

2005-01-27, 8:56 pm

"TekWiz" <tekwiz@twarlick.net> writes:

> I was combing through my apache logs, just checking up on things and I
> found something very odd that I've never seen before. These weird
> accesses:
>
> index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
> index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF43
>
>
> I'm not sure what this is.
> --snip--
> Does anyone know what this is? If so, can it be useful to me, or is it
> simply a security hole.


I don't know the technical term for these types of strings, but they're
completely harmless PHP control codes. They actually work on any
webserver with expose_php enabled (see, for example,
http://www.php.net/?=PHPE9568F36-D4...69-00AA001ACF42 ). If they
make you nervous, though, you can set expose_php in your php.ini
file to Off.

There are actually four codes that I know about (you can see their
definitions in the php source within /ext/standard/info.h).

?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
Displays the PHP logo. (This provides a way for the phpinfo function
to display a PHP logo).

?=PHPE9568F35-D428-11d2-A769-00AA001ACF42
Displays the Zend logo. (Also used by phpinfo).

?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
Displays an "easter egg" image of a rabbit in PHP 5.0, a dog in PHP
4.3.0, or some dude in 4.2.3.

?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
Displays the PHP development credits. (This page is linked to from phpinfo).

I hope this helps.

--
Peter Sahlstrom
news@sahlstrom.us
http://peter.stormlash.net

Copyright 2008 codecomments.com