That is not a cross-site scripting vulnerability. A cross-site scripting vulnerability is when people can do things as users who are logged in to your website; for instance, a simplified example:
I log into my bank
I browse to bad website 1
bad website 1 knows that my bank uses just one form to submit transfer requests for money
They use JavaScript to send the valid data to my bank, so it looks like the request came from me
The money is transferred.
What you have here is a standard PHP inclusion vulnerability. That code you have attached would be included in random pages that are vulnerable to that. For example, if you have the following code:
to include different pages based on the variables in the URL, that would allow the attacker to instead include /tmp/badfile.php and have it executed within that script. Also they could include arbitrary files that are located on the system, for example /etc/passwd, and stuff like that.
Now, dropping files on a server requires that there is an exploit available for one of the services running, or for one of the PHP scripts that are there. So somewhere there is a PHP script that allows remote file inclusion/remote uploads, at which point they have full control over what can and can't be done. Generally the culprit is outdated phpBB versions, along with various bits and pieces of other PHP scripts. The servers I have had this happen on all happened to be running phpBB, and that was found to be the culprit.
Ways to protect against it?
phpSuHoSin. It is protection software that makes sure no external variables are set; it also drops requests that don't make sense or variable names that are too long. It is just another piece of software to stop bad stuff happening.
http://www.hardened-php.net/suhosin/. Runs on all of my servers. See the feature list as to what it all adds:
http://www.hardened-php.net/suhosin/a_feature_list.html
Code:
Dec 3 11:34:31 defiant suhosin[63413]: ALERT - tried to register forbidden variable 'GLOBALS[WE_MAIN_DOC]' through GET variables (attacker '64.251.7.205', file '/usr/home/personal/public_html//index.php')
Dec 3 11:34:31 defiant suhosin[14766]: ALERT - tried to register forbidden variable 'GLOBALS[WE_MAIN_DOC]' through GET variables (attacker '64.251.7.205', file '/usr/home/personal/public_html/index.php')
Dec 3 11:34:32 defiant suhosin[63412]: ALERT - tried to register forbidden variable 'GLOBALS[WE_MAIN_DOC]' through GET variables (attacker '64.251.7.205', file '/usr/home/personal/public_html//index.php')
Dec 3 11:35:10 defiant suhosin[63413]: ALERT - tried to register forbidden variable 'GLOBALS[WE_MAIN_DOC]' through GET variables (attacker '64.251.7.205', file '/usr/home/personal/public_html//index.php')
Dec 3 11:35:10 defiant suhosin[14766]: ALERT - tried to register forbidden variable 'GLOBALS[WE_MAIN_DOC]' through GET variables (attacker '64.251.7.205', file '/usr/home/personal/public_html/index.php')
Dec 3 15:21:44 defiant suhosin[77220]: ALERT - configured request variable name length limit exceeded - dropped variable 'ouml;ffnen//modules/xoopsgallery/upgrade_album_php?GALLERY_BASEDIR' (attacker '216.117.175.247', file '/usr/home/main/public_html/forum/archive/index.php')
Dec 3 15:26:59 defiant suhosin[76955]: ALERT - configured request variable name length limit exceeded - dropped variable 'ouml;ffnen//modules/xoopsgallery/upgrade_album_php?GALLERY_BASEDIR' (attacker '208.109.248.68', file '/usr/home/main/public_html/forum/archive/index.php')
Dec 3 15:35:02 defiant suhosin[76959]: ALERT - configured request variable name length limit exceeded - dropped variable 't-713_html//modules/xoopsgallery/upgrade_album_php?GALLERY_BASEDIR' (attacker '202.64.130.106', file '/usr/home/main/public_html/forum/archive/index.php')
Dec 3 15:37:08 defiant suhosin[76953]: ALERT - configured request variable name length limit exceeded - dropped variable 't-713_html//modules/xoopsgallery/upgrade_album_php?GALLERY_BASEDIR' (attacker '202.64.130.106', file '/usr/home/main/public_html/forum/archive/index.php')
Dec 1 00:38:58 defiant suhosin[11723]: ALERT - tried to register forbidden variable '_REQUEST' through GET variables (attacker '218.239.45.154', file '/usr/home/spammers/public_html/forums/index.php')
Dec 1 00:38:58 defiant suhosin[11723]: ALERT - tried to register forbidden variable '_REQUEST[option]' through GET variables (attacker '218.239.45.154', file '/usr/home/spammers/public_html/forums/index.php')
Dec 1 00:38:58 defiant suhosin[11723]: ALERT - tried to register forbidden variable '_REQUEST[Itemid]' through GET variables (attacker '218.239.45.154', file '/usr/home/spammers/public_html/forums/index.php')
Dec 1 00:38:58 defiant suhosin[11723]: ALERT - tried to register forbidden variable 'GLOBALS' through GET variables (attacker '218.239.45.154', file '/usr/home/spammers/public_html/forums/index.php')
The other thing you can do is turn off remote includes. By default this is valid PHP code:
Code:
include('http://example.net/remoteurl.php');
There is a php.ini setting that you can use to turn that off.
Turn off globals. Anything that is set in a $_GET or $_POST should not instantly become a global (and turning this off will also give you a whole list of PHP scripts that are insecurely programmed).
Other things to consider:
Attackers for some reason assume that all of the hosts they are attacking are going to have the following things installed and ready for use:
1. Perl (which you already have)
2. wget (This is never installed on any of my FreeBSD machines; about 90% of all attacks I have seen would not have worked if wget had not been installed)
3. GCC to compile code (they use wget to drop this code on the machine ...)
4. the Apache web server and its user (mine is www) having a valid PATH and other environment variables.
(Dropping /bin, /sbin, /usr/bin, and /usr/sbin from PATH means only /usr/local/bin is left for Apache to execute from, which is all it requires anyway (ImageMagick). So scripts that assume PATH is valid now don't work!)
I hope this helps. I have not had a server compromised within the last 2 years. The one before that was because of a known PHP script vulnerability. At the time, however, they were only able to drop files on the server, but were unable to use them. I still have their code
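The include vulnerability and the fix the post recommends, as an added example (this is not code from the post or from any project it mentions). The layout it assumes is hypothetical: pages live in a `pages/` directory and the URL carries `?page=<name>`; for the demo it creates that directory under the system temp dir so the script runs stand-alone from the CLI.

```php
<?php
// Added example, not code from the original post: the URL-driven page include
// the post describes, beside a hardened version. Run from the CLI:
//   php include_demo.php
// The pages directory layout is assumed; a throwaway copy is created in the
// system temp dir so the demo runs without a web server.
declare(strict_types=1);

// VULNERABLE: whatever arrives in ?page= goes straight into include().
// With allow_url_include=On, ?page=http://example.net/remoteurl.php fetches and
// runs remote code; even with it Off, ?page=/tmp/badfile.php runs a file the
// attacker managed to drop, and ?page=../../../../etc/passwd reads any local file.
function vulnerable_include(string $page): void
{
    include $page;
}

// HARDENED: the request only selects a key in a fixed allowlist; the include
// path itself is never built from user input.
const ALLOWED_PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

function resolve_page(string $requested, string $pagesDir): ?string
{
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;   // unknown key: reject rather than guess
    }
    // Defence in depth: confirm the target really lives under $pagesDir, which
    // also catches a broken allowlist entry such as '../secret.php'.
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . '/' . ALLOWED_PAGES[$requested]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function safe_include(string $requested, string $pagesDir): bool
{
    $path = resolve_page($requested, $pagesDir);
    if ($path === null) {
        return false;
    }
    include $path;
    return true;
}

// --- demo with constructed inputs -------------------------------------------
$pagesDir = sys_get_temp_dir() . '/lfi_demo_pages';
if (!is_dir($pagesDir)) {
    mkdir($pagesDir, 0700);
}
file_put_contents($pagesDir . '/home.php', "<?php echo \"[home page rendered]\\n\";\n");

$payloads = [
    'home',                                                  // legitimate
    'about',                                                 // allowed key, file missing
    '/tmp/badfile.php',                                      // include of a dropped file
    '../../../../etc/passwd',                                // path traversal
    'http://example.net/remoteurl.php',                      // remote include
    'php://filter/convert.base64-encode/resource=index.php', // source disclosure
];
foreach ($payloads as $p) {
    $ok = safe_include($p, $pagesDir);
    printf("%-58s %s\n", $p, $ok ? 'included' : 'REJECTED');
}
```

Only `home` is included; every other payload is rejected before `include()` ever sees it, and `vulnerable_include()` is shown but deliberately never called. The php.ini settings the post refers to are `allow_url_include = Off` (a separate directive from `allow_url_fopen` since PHP 5.2) and `register_globals = Off` (off by default since PHP 4.2 and removed in 5.4); the allowlist still matters with both off, because local inclusion and `php://` wrappers need neither.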
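The suhosin alerts quoted above are most useful once grouped by attacker, which is the step before a firewall rule or a fail2ban-style ban. This added example (not code from the post or from Suhosin) parses lines in that syslog format into a per-IP summary; the sample log is constructed to match the post's excerpt, with one unrelated sshd line added as noise, and the alert threshold is an assumption.

```php
<?php
// Added example, not code from the original post: summarise suhosin ALERT lines
// per attacking IP. Run from the CLI: php suhosin_summary.php  (PHP 7.4+)
declare(strict_types=1);

// Constructed sample input in the same syslog format as the post's excerpt;
// the final sshd line is unrelated noise the parser must ignore.
$sampleLog = <<<'LOG'
Dec 3 11:34:31 defiant suhosin[63413]: ALERT - tried to register forbidden variable 'GLOBALS[WE_MAIN_DOC]' through GET variables (attacker '64.251.7.205', file '/usr/home/personal/public_html//index.php')
Dec 3 11:35:10 defiant suhosin[14766]: ALERT - tried to register forbidden variable 'GLOBALS[WE_MAIN_DOC]' through GET variables (attacker '64.251.7.205', file '/usr/home/personal/public_html/index.php')
Dec 3 15:21:44 defiant suhosin[77220]: ALERT - configured request variable name length limit exceeded - dropped variable 'ouml;ffnen//modules/xoopsgallery/upgrade_album_php?GALLERY_BASEDIR' (attacker '216.117.175.247', file '/usr/home/main/public_html/forum/archive/index.php')
Dec 1 00:38:58 defiant suhosin[11723]: ALERT - tried to register forbidden variable '_REQUEST[option]' through GET variables (attacker '218.239.45.154', file '/usr/home/spammers/public_html/forums/index.php')
Dec 1 00:38:58 defiant suhosin[11723]: ALERT - tried to register forbidden variable 'GLOBALS' through GET variables (attacker '218.239.45.154', file '/usr/home/spammers/public_html/forums/index.php')
Dec 1 00:39:00 defiant sshd[9912]: Accepted publickey for ops from 10.0.0.5 port 50214
LOG;

/** Parse one syslog line; returns null unless it is a suhosin ALERT. */
function parse_suhosin_alert(string $line): ?array
{
    $re = '/suhosin\[\d+\]: ALERT - (?<msg>.+?) \(attacker \'(?<ip>[^\']+)\', file \'(?<file>[^\']+)\'\)\s*$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    // Coarse alert type: the message text before the first quoted variable name.
    $type = rtrim(trim(explode("'", $m['msg'], 2)[0]), ' -');
    $variable = preg_match("/'([^']*)'/", $m['msg'], $v) ? $v[1] : '';
    return ['ip' => $m['ip'], 'type' => $type, 'variable' => $variable, 'file' => $m['file']];
}

/** Group alerts by attacker IP, most active first. */
function summarise(string $log): array
{
    $byIp = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $a = parse_suhosin_alert($line);
        if ($a === null) {
            continue;
        }
        $ip = $a['ip'];
        $byIp[$ip]['alerts'] = ($byIp[$ip]['alerts'] ?? 0) + 1;
        $byIp[$ip]['types'][$a['type']] = true;
        $byIp[$ip]['variables'][$a['variable']] = true;
        $byIp[$ip]['files'][$a['file']] = true;
    }
    uasort($byIp, fn(array $x, array $y): int => $y['alerts'] <=> $x['alerts']);
    return $byIp;
}

$threshold = 2;  // assumed: alerts from one IP before it is worth a block
foreach (summarise($sampleLog) as $ip => $s) {
    printf("%-16s %2d alert(s)  %s\n", $ip, $s['alerts'], implode('; ', array_keys($s['types'])));
    echo '    variables: ', implode(', ', array_keys($s['variables'])), "\n";
    foreach (array_keys($s['files']) as $f) {
        echo "    target:    $f\n";
    }
    if ($s['alerts'] >= $threshold) {
        echo "    -> candidate for a firewall block (review before acting)\n";
    }
}
```

The grouped view shows what the raw lines hide: the same script path probed from several addresses (the xoopsgallery `GALLERY_BASEDIR` variable is a remote-include probe regardless of which IP sends it), and which vhosts are being targeted. Treat the `attacker` field as a candidate rather than proof before blocking it, since on shared hosting it may be a proxy or a forwarded address.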