In the aftermath of a hacking attempt, I detected a file called "css.php.file" being uploaded to the vBulletin attachments folder. The attacker used another software to upload this file, so it's not vB's fault.
I am wondering though: even though it's ending is not .php (but .php.file), that file gets executed as PHP when requested over the web. In other locations than the attachments folder, only it's source is shown.
My only AddTypes for Apache are:
Anyone with a suggestion, why a file with ending .file is considered a php file?
Thanks.
I am wondering though: even though it's ending is not .php (but .php.file), that file gets executed as PHP when requested over the web. In other locations than the attachments folder, only it's source is shown.
My only AddTypes for Apache are:
Code:
AddType application/x-httpd-php .php AddType application/x-httpd-php .php3 AddType application/x-httpd-php .php4 AddType application/x-httpd-php-source .phps
Thanks.
Comment