osCommerce

The e-commerce.

help! /images folder hacked everyday


shadow007

Hi All,

 

Every day, three malicious files are created in the /images folder on my site.

They are:

# (decoded file) ClamAV detected virus = [php.Shell-22]:

'/home/condoms/public_html/images/application_bottom_top.php.jpg'

# Suspicious image file (hidden script file):

'/home/condoms/public_html/images/file_manager.php.jpg'

# Suspicious image file (hidden script file):

'/home/condoms/public_html/images/usr.php.jpg'

# Known exploit = [Fingerprint Match]:

'/home/condoms/public_html/images/usr.php.jpg'

 

I have changed all ftp and cpanel passwords, and installed all recommended security addons here.

But the three files are still created automatically every day.

So I have to create a .htaccess file with the contents below in the /images folder to deny their code:

<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
Order Deny,Allow
Deny from all
</FilesMatch>

 

I can't find the related hole and malicious scripts which create the three files.

Any suggestions will be appreciated.

 

---

Stephen

Everyone is changing the world.

Everyone is a world.

For everyone needs my help, PM or email if I amn't online.


> .....file with contents below in /images folder to deny their codes:
>
> <FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
> Order Deny,Allow
> Deny from all
> </FilesMatch>
>
> I can't find the related hole and malicious scripts which create the three files.
>
> Any suggestions will be appreciated.


The problem with that though is that because they are able to parse code as a jpg image file, that htaccess code will not stop jpg files from being uploaded.

 

> I have changed all ftp and cpanel passwords, and installed all recommended security addons here.
>
> But the three files are still created automatically every day.

 

Might I suggest then that you also try osc_sec.php, the link to which is in my signature. osc_sec contains the security patch that is in osCommerce 2.3.1, which will at the very least prevent the admin bypass exploit, which is often the method attackers use to upload code into the images directory (assuming you have not already installed it).

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
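
The FilesMatch pattern posted in this thread is anchored at the end of the filename, so names such as usr.php.jpg fall outside it. The following is an added example, not code from either poster or from osC_Sec, that audits an image-only folder by filename and by content; the finding labels, the SKIP list and the sample file contents are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

EXTS = r"\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)"
PAGE_RULE = re.compile(EXTS + r"$", re.I)            # the thread's FilesMatch pattern
SCRIPT_SEGMENT = re.compile(EXTS + r"(\.|$)", re.I)  # assumption: flag it anywhere in the name
PHP_TAG = re.compile(rb"<\?php", re.I)               # short tags skipped: noisy in binary data
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
SKIP = {".htaccess"}                                 # assumption: expected non-image file

def audit_file(path):
    """Return the findings for one file in a directory meant to hold only images."""
    findings = []
    if PAGE_RULE.search(path.name):
        findings.append("blocked-by-page-rule")
    elif SCRIPT_SEGMENT.search(path.name):
        findings.append("script-extension-not-last")
    data = path.read_bytes()
    if not data.startswith(IMAGE_MAGIC):
        findings.append("not-an-image-header")
    if PHP_TAG.search(data):
        findings.append("php-open-tag")
    return findings

def audit_dir(root):
    """Map relative path -> findings for every flagged file under root."""
    report = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.name not in SKIP:
            findings = audit_file(p)
            if findings:
                report[p.relative_to(root).as_posix()] = findings
    return report

def demo():
    """Run the audit over constructed sample files (harmless placeholder contents)."""
    samples = {
        "logo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "usr.php.jpg": b"<?php /* constructed placeholder */ ?>",
        "file_manager.php.jpg": b"GIF89a<?php /* constructed placeholder */ ?>",
        "old.php": b"<?php /* constructed placeholder */ ?>",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            (Path(d) / name).write_bytes(body)
        return audit_dir(d)

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

Pointing audit_dir at the real images directory from a daily cron job would show when the files reappear, which narrows the web-server log window to search for the upload request.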

Thanks very much.

 

I will have a look at this security addon and try it on my site.

Everyone is changing the world.

Everyone is a world.

For everyone needs my help, PM or email if I amn't online.


Archived

This topic is now archived and is closed to further replies.
