
osCommerce

The e-commerce.

strange files in /images/exec(@x)--.jpg


snights

Recommended Posts

Posted

Good day,

I was about to make a backup yesterday and I got an error when I came to the image folder. After a quick look I found files with "no size" or "created on"

with names like:

)--.jpg
p
g
pg
.jpg
c(@x)--x130.jpg

etc.

also product images with names like

minicell.jpg.thumb_80x1 declare @x varchar(99) set @x=0x77616974666f722064656c61792027303a303a323027 exec(@x)--.jpg

I can't find any strange files in root or anywhere else. Also I've checked almost every .php file and didn't find any strange code inside them.

I've tried Google and searching the forum without any luck on what this is.

I can't delete these files from my FTP program.

I've also checked my DB without finding anything I consider strange. Only in the image folder.

What is this? What security hole are they using? Because I'm pretty sure I've done everything that is posted in "How to secure your site".

Any ideas?

Posted


Do you have a .htaccess file in your image folder containing these rules?

# This is used to restrict access to this folder to anything other
# than images

# Prevents any script files from being accessed from the images folder
<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
Order Deny,Allow
Deny from all
</FilesMatch>

If not, you may want to try adding the above code.

Also double-check your image names for spaces. Like: my-image.jpg, or better yet: my_image_name.jpg. Never use: my image.jpg

Posted

I noticed this in my logs and image dir too. Here's what I think is going on:

I hex converted the string 0x77616974666f722064656c61792027303a303a323027 and it decodes to:

?waitfor delay '0:0:20'

Googled it and it looks like MS SQL commands. This is possibly an SQL injection attempt. I believe they're trying to use the thumbnail generator (product_thumb.php) to get the code in, but we're using MySQL so we're safe. The thumbnail generator doesn't touch the database anyway in our version 1.6. I went to look at the latest code up on the osCommerce website (http://www.oscommerce.com/community/contributions,2226) and it DOES touch the database, so I'm not going to mess with it. I need to either rewrite product_thumb.php or replace it with something else, maybe v1.7 or 1.9, if they fixed the filename bug.

 

Matt Marcum

dfwtek.com
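The reply above decodes the hex literal by hand and concludes the file names are a time-based MS SQL probe aimed at a thumbnail script. The following is an added example, not code from this thread or from osCommerce: a small scanner a shop owner could run over the names in an images folder (or over names pulled from access logs) that decodes embedded 0x... literals the way the poster did and flags the T-SQL markers seen in the thread (declare @var, exec(, waitfor delay, the -- comment terminator). The indicator labels, regexes and sample names are this example's own assumptions.

```python
from __future__ import annotations
import re

# T-SQL hex literal such as 0x7761...: not glued to another alphanumeric
# (so a size suffix like "thumb_80x12" is ignored) and at least four bytes long.
HEX_LITERAL = re.compile(r"(?<![0-9A-Za-z])0x((?:[0-9a-fA-F]{2}){4,})")

# Indicators of a time-based MSSQL probe carried in a file name. Labels and
# patterns are this example's own choice; tune them for your image naming.
INDICATORS = {
    "declare_variable": re.compile(r"\bdeclare\s+@\w+", re.I),
    "exec_call": re.compile(r"\bexec\s*\(", re.I),
    "waitfor_delay": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "comment_terminator": re.compile(r"--"),  # on its own this can false-positive
}


def decode_hex_literals(name: str) -> list[str]:
    """Return the text of every 0x... literal in `name` (e.g. the waitfor payload)."""
    decoded = []
    for match in HEX_LITERAL.finditer(name):
        raw = bytes.fromhex(match.group(1))
        decoded.append(raw.decode("ascii", errors="replace"))
    return decoded


def classify_filename(name: str) -> list[str]:
    """Return the indicator labels matching `name`; an empty list means it looks benign."""
    decoded = decode_hex_literals(name)
    hits = ["hex_literal"] if decoded else []
    # Match the raw name and the decoded payload together, so a keyword that
    # only exists inside the hex literal (the waitfor delay) is still caught.
    haystack = " ".join([name, *decoded])
    hits.extend(label for label, pat in INDICATORS.items() if pat.search(haystack))
    return hits


def scan_names(names: list[str]) -> dict[str, list[str]]:
    """Map each suspicious name to its indicators; benign names are left out."""
    return {n: h for n in names if (h := classify_filename(n))}


if __name__ == "__main__":
    # Constructed sample: the names reported in the thread plus one benign name.
    sample = [
        "minicell.jpg.thumb_80x1 declare @x varchar(99) set "
        "@x=0x77616974666f722064656c61792027303a303a323027 exec(@x)--.jpg",
        "c(@x)--x130.jpg",
        "my_image_name.jpg",
    ]
    for name, hits in scan_names(sample).items():
        print(f"{name!r}: {', '.join(hits)}")
```

Feeding the scanner `[p.name for p in Path(images_dir).iterdir()]` lists the tainted names without opening any file, which is useful when an FTP client refuses to touch them.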
