php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #22728 php.exe attempts to contact the web
Submitted: 2003-03-15 07:55 UTC Modified: 2003-03-15 09:43 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: ChristianMoore at attbi dot com Assigned:
Status: Not a bug Package: CGI/CLI related
PHP Version: 4.3.0 OS: Windows .NET Server 2003 AdvSrv
Private report: No CVE-ID: None
 [2003-03-15 07:55 UTC] ChristianMoore at attbi dot com
I use PHP on my site at www.psychosematic.com.  For some reason, php.exe is trying to access the web, and it has nothing to do with my site.

My firewall logged these actions, performed by php.exe:

File Version :		
File Description :	C:\php\php.exe
File Path :		C:\php\php.exe
Process ID :		283C (Heximal) 10300 (Decimal)

Connection origin :	local initiated
Protocol :		TCP
Local Address : 	192.168.1.100
Local Port :		3216 
Remote Name :		www.ironmaiden.com
Remote Address :	213.86.54.15
Remote Port : 		80 (HTTP - World Wide Web)

Ethernet packet details:
Ethernet II (Packet Length: 62)
	Destination: 	00-04-5a-e9-5a-17
	Source: 	00-03-6d-11-12-fc
Type: IP (0x0800)
Internet Protocol
	Version: 4
	Header Length: 20 bytes
	Flags:
		.1.. = Don't fragment: Set
		..0. = More fragments: Not set
	Fragment offset:0
	Time to live: 64
	Protocol: 0x6 (TCP - Transmission Control Protocol)
	Header checksum: 0x1d7b (Correct)
	Source: 192.168.1.100
	Destination: 213.86.54.15
Transmission Control Protocol (TCP)
	Source port: 3216
	Destination port: 80
	Sequence number: 3479013436
	Acknowledgment number: 0
	Header length: 28
	Flags: 
		0... .... = Congestion Window Reduce (CWR): Not set
		.0.. .... = ECN-Echo: Not set
		..0. .... = Urgent: Not set
		...0 .... = Acknowledgment: Not set
		.... 0... = Push: Not set
		.... .0.. = Reset: Not set
		.... ..1. = Syn: Set
		.... ...0 = Fin: Not set
	Checksum: 0x3311 (Correct)
	Data (0 Bytes)

Binary dump of the packet:
0000:  00 04 5A E9 5A 17 00 03 : 6D 11 12 FC 08 00 45 00 | ..Z.Z...m.....E.
0010:  00 30 F2 38 40 00 40 06 : 7B 1D C0 A8 01 64 D5 56 | .0.8@.@.{....d.V
0020:  36 0F 0C 90 00 50 CF 5D : 88 3C 00 00 00 00 70 02 | 6....P.].<....p.
0030:  40 00 11 33 00 00 02 04 : 05 B4 01 01 04 02       | @..3..........  


File Version :		
File Description :	C:\php\php.exe
File Path :		C:\php\php.exe
Process ID :		2B40 (Heximal) 11072 (Decimal)

Connection origin :	local initiated
Protocol :		TCP
Local Address : 	192.168.1.100
Local Port :		3256 
Remote Name :		www.aimoo.com
Remote Address :	216.38.143.13
Remote Port : 		80 (HTTP - World Wide Web)

Ethernet packet details:
Ethernet II (Packet Length: 62)
	Destination: 	00-04-5a-e9-5a-17
	Source: 	00-03-6d-11-12-fc
Type: IP (0x0800)
Internet Protocol
	Version: 4
	Header Length: 20 bytes
	Flags:
		.1.. = Don't fragment: Set
		..0. = More fragments: Not set
	Fragment offset:0
	Time to live: 64
	Protocol: 0x6 (TCP - Transmission Control Protocol)
	Header checksum: 0x8014 (Correct)
	Source: 192.168.1.100
	Destination: 216.38.143.13
Transmission Control Protocol (TCP)
	Source port: 3256
	Destination port: 80
	Sequence number: 74775255
	Acknowledgment number: 0
	Header length: 28
	Flags: 
		0... .... = Congestion Window Reduce (CWR): Not set
		.0.. .... = ECN-Echo: Not set
		..0. .... = Urgent: Not set
		...0 .... = Acknowledgment: Not set
		.... 0... = Push: Not set
		.... .0.. = Reset: Not set
		.... ..1. = Syn: Set
		.... ...0 = Fin: Not set
	Checksum: 0x8b0d (Correct)
	Data (0 Bytes)

Binary dump of the packet:
0000:  00 04 5A E9 5A 17 00 03 : 6D 11 12 FC 08 00 45 00 | ..Z.Z...m.....E.
0010:  00 30 FD 07 40 00 40 06 : 14 80 C0 A8 01 64 D8 26 | .0..@.@......d.&
0020:  8F 0D 0C B8 00 50 04 74 : FA D7 00 00 00 00 70 02 | .....P.t......p.
0030:  40 00 0D 8B 00 00 02 04 : 05 B4 01 01 04 02       | @.............  

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-03-15 09:24 UTC] wez@php.net
Either your scripts are deliberately accessing the network using something like fopen("http://...."), or your scripts are insecure and are allowing hackers to do that.

This is not a bug in PHP; please check your scripts, and re-read the security section of the PHP manual.
 [2003-03-15 09:40 UTC] ChristianMoore at attbi dot com
My scripts do not make any attempts to access these domains.  So that's not the problem
 [2003-03-15 09:43 UTC] sniper@php.net
So someone is using your php.exe. Check this manual page:

http://www.php.net/manual/en/security.php
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC