osCommerce

PHP-CGI.core? ever hear of this before?


Guest

Yesterday my site was hacked. When you tried to load the index, you got an error message saying the compression was wrong. It only affected Firefox and IE; the site loaded fine in Chrome. While investigating, I found the following code at the top of almost every index.php file on the server.

"< ?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw...." With a long string of numbers/letters.

I cleaned up the whole site, and updated osc_sec, and found the same stuff all over again this morning.

While looking through the files in FTP, I found a huge (4 megs) file named PHP-CGI.core. I know it's not part of the original install files, and I don't recall putting it there while installing add-ons.

Has anyone else ever seen this before?

Core files are sometimes generated when a fatal error occurs and the server doesn't know how to handle it. They are not used by anyone for most shops and should be deleted (mainly due to the size). If they keep appearing, then there is probably something wrong in your code that is failing and needs to be fixed. It could also be due to the server, so you might want to ask your host about them if it keeps happening. But it could also be a hacker file. Hackers will upload files that appear like normal files in the hopes the shop owner will not touch them.

If you would have had SiteMonitor installed, you would know if that file was created when the hacker made his changes, removing a lot of doubt. Not to mention, it would have recorded any other changes. As it is now, there may be hacker code left in the site that is allowing him to re-infect your files.


The core files are probably a consequence of the hack causing a massive failure (PHP or MySQL or Apache went belly up). Clean up the hack first. Clean out the core files. If you get one once in a blue moon, just erase it. Even the smoothest running system hiccups once in a while. If you get them often enough to be bothersome, report them to your host tech support. They'll want to look at them and see what's failing and why.


Archived

This topic is now archived and is closed to further replies.
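
Added example, not code from this thread or from any osCommerce add-on: a Python scan that flags `.php` files whose opening bytes hold the `eval(base64_decode(` call described in the first post, previews the decoded start of the blob without executing it, and lists `*.core` files with their sizes. The function names, the 8 KB head window and the sample tree are assumptions made for this example.

```python
import base64
import re
import tempfile
from pathlib import Path

# Opening PHP tag followed directly by eval(base64_decode('...  Optional
# whitespace covers variants such as the "< ?php" quoted in the first post.
INJECTED = re.compile(
    rb"<\s*\?php\s*@?\s*eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]*)",
    re.IGNORECASE,
)
HEAD_BYTES = 8192  # assumption: the thread reports the code at the top of each file


def inspect_file(path):
    """Return a finding dict if the head of `path` holds the injected call, else None."""
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
    match = INJECTED.search(head)
    if match is None:
        return None
    blob = match.group(1)[:80]
    blob = blob[: len(blob) // 4 * 4]  # decode whole 4-character groups only
    try:
        preview = base64.b64decode(blob).decode("latin-1")  # decoded, never executed
    except ValueError:
        preview = "<undecodable>"
    return {"path": str(path), "offset": match.start(), "preview": preview}


def scan_tree(root):
    """Return (injected PHP findings, [(core file path, size in bytes)]) under `root`."""
    findings, cores = [], []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name.endswith(".php") and (hit := inspect_file(path)):
            findings.append(hit)
        elif name.endswith(".core"):
            cores.append((str(path), path.stat().st_size))
    return findings, cores


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        blob = base64.b64encode(b"echo 'constructed sample';").decode()
        Path(root, "index.php").write_text(f"<?php eval(base64_decode('{blob}')); ?>\n")
        Path(root, "PHP-CGI.core").write_bytes(b"\0" * 16)
        print(scan_tree(root))
```

The scan only recognises this one injection shape, so an empty result does not show that no other modified or uploaded file remains; comparing the tree against a known-good copy of the install covers that case.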
