Check your .htaccess file

检查您的 .htaccess 文件

Using AddTypein your .htaccess file, you can add many other extensions from which PHP can be ran. This is generally how .htmlextensions can be used while still using PHP within themselves. So, yes, it's possible:

使用AddType您的.htaccess文件，你可以添加从PHP可以跑出许多其他的扩展。这通常是.html扩展可以在其内部仍然使用 PHP 的同时使用的方式。所以，是的，这是可能的：

AddType application/x-httpd-php .jpg

You can test this if you like.

如果你愿意，你可以测试这个。

1. Create a directory with two files: .htaccess and test.php.jpg
2. Set content of .htaccess to AddType application-x-httpd-php .jpg
3. Set content of test.php.jpg to <?php echo 'foo'; ?>
4. Access test.php.jpg through localhost

1. 创建一个包含两个文件的目录：.htaccess 和 test.php.jpg
2. 将 .htaccess 的内容设置为 AddType application-x-httpd-php .jpg
3. 将 test.php.jpg 的内容设置为 <?php echo 'foo'; ?>
4. 通过localhost访问test.php.jpg

If all goes as planned, "foo" will be output to your screen. You could expand upon this to move /tmpfiles around if you like.

如果一切按计划进行，“foo”将输出到您的屏幕。/tmp如果您愿意，您可以扩展它以移动文件。

Definitely something you want to be very careful with.

绝对是你想要非常小心的东西。

Check exposed calls to include/require

检查公开的调用以包含/要求

Another way this could have been done is through a call to require()or include()(or any of the _once()methods) where by the hacker was able to load in his badfile.php.jpgfile that had been uploaded under the guise of an innocent image:

另一种方法是通过调用require()或include()（或任何_once()方法），黑客可以在其中加载以badfile.php.jpg无辜图像为幌子上传的文件：

<?php

  include $_GET["file"];

?>

In the above case (simplified example), the hacker could pass in a path to his .php.jpgfile and have its contents loaded in and processed as PHP code.

在上述情况下（简化示例），黑客可以传入他的.php.jpg文件的路径，并将其内容加载并作为 PHP 代码进行处理。

Other (frightening) ideas

其他（可怕的）想法

Require, Include, and their related methods aren't the only ways you can process external scripts - unfortunately you can use eval()as well. I would hope that you have none of this going on though. If you did have any scripts on your server that were using any one of the file functions to read the contents of another script, and then eval()to evaluate that content as PHP, this could also provide a gaping security hole in your website.

Require、Include 及其相关方法并不是处理外部脚本的唯一方法——不幸的是，您也可以使用eval()。不过，我希望你不会发生这种情况。如果您的服务器上确实有任何脚本使用任何一个文件函数来读取另一个脚本的内容，然后eval()将该内容评估为 PHP，这也可能在您的网站中提供一个巨大的安全漏洞。

Your image_upload.phpis insecure, check the following:

您image_upload.php不安全，请检查以下内容：

1. does it allow only image extensions?Otherwise it would be possible to upload directly a PHP file. (I think you're covered on this one, but double check).
2. does it check that the uploaded file is indeed an image?Here the answer is no, it doesn't check the contents. Add this check! With this single step you'd close the initial breach.

1. 它只允许图像扩展吗？否则，可以直接上传 PHP 文件。（我认为您已经了解了这一点，但请仔细检查）。
2. 它是否检查上传的文件确实是图像？答案是否定的，它不检查内容。添加此检查！只需这一步，您就可以关闭最初的违规行为。

To check if it's an image you can run getimagesizeon the file, it will return FALSE if it's not an image.

要检查它是否是图像，您可以对文件运行getimagesize，如果它不是图像，它将返回 FALSE。

How is it possible to execute that file?First, how do you know it has been executed? Did you see side effects?

怎么可能执行那个文件？首先，你怎么知道它已经被执行了？你看到副作用了吗？

1. One way is that they could have tampered other files
2. A second way, perhaps more probable is that they used unsanitized inputsfrom your scripts to either include or eval the code. In this case you can find proof only by looking at the logs.

1. 一种方法是他们可能篡改了其他文件
2. 第二种可能更有可能的是，他们使用来自您的脚本的未经处理的输入来包含或评估代码。在这种情况下，您只能通过查看日志来找到证据。

How to look at the logs?

如何查看日志？

Check the date and time of the uploaded file and start to look around there for suspicious activity (look at strange url parameters). Once you've find one or more IP address, doing evil things, grep the log for that (those) IPs, to see the whole story.

检查上传文件的日期和时间，并开始四处寻找可疑活动（查看奇怪的 url 参数）。一旦你找到一个或多个 IP 地址，做坏事，grep 那个（那些）IP 的日志，看看整个故事。

Another important info to know is, did you write the site or use a CMSor similar and in this case what is it and what version? You've to check published vulnerabilities and upgrade in case.

另一个需要了解的重要信息是，您是否编写了该站点或使用了 CMS或类似工具，在这种情况下，它是什么以及什么版本？您必须检查已发布的漏洞并升级以防万一。

The problem is caused by your server using the default /etc/httpd/conf.d/php.conf:

问题是由您的服务器使用默认的 /etc/httpd/conf.d/php.conf 引起的：

rpm -ql php-5.1.6-39.el5_8
/etc/httpd/conf.d/php.conf
/usr/lib64/httpd/modules/libphp5-zts.so
/usr/lib64/httpd/modules/libphp5.so
/var/lib/php/session
/var/www/icons/php.gif

The content of /etc/httpd/conf.d/php.conf is:

/etc/httpd/conf.d/php.conf 的内容是：

#
# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.
#
<IfModule prefork.c>
  LoadModule php5_module modules/libphp5.so
</IfModule>
<IfModule worker.c>
  # Use of the "ZTS" build with worker is experimental, and no shared
  # modules are supported.
  LoadModule php5_module modules/libphp5-zts.so
</IfModule>

#
# Cause the PHP interpreter to handle files with a .php extension.
#
AddHandler php5-script .php
AddType text/html .php

Please note the last line AddHandler php5-script .php . This is causing that problem and needs to be replaced with a more secure configuration

请注意最后一行 AddHandler php5-script .php 。这导致了该问题，需要用更安全的配置替换

You can read more about it and how to apply a fix here ( see last reply):

您可以在此处阅读有关它的更多信息以及如何应用修复程序（请参阅最后的回复）：

http://core.trac.wordpress.org/ticket/11122

http://core.trac.wordpress.org/ticket/11122

also see this:

另见：

https://bugzilla.redhat.com/show_bug.cgi?id=885839

https://bugzilla.redhat.com/show_bug.cgi?id=885839