I have been pretty surprised seeing the rising number of hacking attempts against this website. A larger number of these attempts have targeted a well-known vulnerability in FlashChat, a popular chat room for PHP/MySql installations.

It began initially with a lot of “404 Page Not Found” errors in my site log. Initially, I ignored them, but when I saw many of these errors for a common script, named aedating4CMS.php, and knowing that my site never had such a script, I decided to research this further.

And this is what I landed at. Now, I knew that these hackers were trying to exploit “a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to aedatingCMS.php not properly sanitizing user input supplied to the ‘dir[inc]’ variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script

And pursuing this further, I found that these hackers were trying to include scripts into the current page, which had PHP code like the following:

<?php /* Fx29ID */ echo("some"."thing"); die("some"."thing"); /* Fx29ID */ ?>

No doubt, I was alarmed at the seriousness of the issue. If they would have been able to get this script executed though my site’s page, it would have opened doors to get almost any arbitrary PHP code executed from my domain.

Although I am not using FlashChat on this site, I can imagine the plight of the webmasters who were using the FlashChat version affected by this vulnerability (FlashChat 4.6.1).