geoffreywalton, on 16 April 2011, 15:49, said:
Chris
Follow this link for more info on how to disinfect the site and how to harden it against future attacks.
http://forums.oscommerce.com/user/184805-geoffreywalton/page__tab__aboutme
HTH
G
Deleting the files won't cover it. Restoring the files won't cover it.
Since they're going to be back until you plug whatever hole they got through, you might want to use your site as a honeypot and post whatever results you find.
Fix your site up first, then place an htaccess file in the images dir with something like
RewriteEngine on
RewriteRule \.(html|htm|php|cgi|pl)$ /images/pixel_trans.gif [R,L]
You can make that any image name so you can get an idea how many times it gets hit in the logs.
That will make their exploit unusable, and watch your logs for exactly how they got in.
My money's on the admin/login.php hack
Looks something like this in the logs
94.142.129.147 - - [04/Sep/2009:22:36:03 -0500] "POST /admin/file_manager.php/login.php?action=save HTTP/1.1" 200 46617
174.129.177.51 - - [23/Oct/2009:17:33:22 -0500] "GET /admin/orders.php/login.php HTTP/1.1" 200 37728
74.220.219.147 - - [10/Nov/2009:10:33:14 -0600] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
64.186.244.174 - - [14/Nov/2009:01:46:44 -0600] "GET /admin/file_manager.php/login.php HTTP/1.1" 200 44327
66.96.128.60 - - [09/Dec/2009:23:08:56 -0600] "POST /admin/file_manager.php/login.php?a=1&action=save HTTP/1.1" 200 16552
207.115.80.2 - - [19/Dec/2009:16:53:41 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
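
A log filter for the request pattern shown in the post above, as an added example that is not part of the original post: it scans Common Log Format lines for an admin script followed by an extra /login.php path segment. The function names are hypothetical; the first three sample lines are copied from the post and the last two are constructed benign traffic.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# An admin script with an extra /login.php path segment, as in the post's log lines.
SUSPECT_RE = re.compile(r'^/admin/(?P<script>[^/]+\.php)/login\.php(?:/|$)', re.I)

def find_suspect_requests(lines):
    """Return one dict per log line whose path matches the pattern from the post."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a Common Log Format line
        path, _, query = m["target"].partition("?")
        s = SUSPECT_RE.match(unquote(path))  # decode percent-encoding before matching
        if s:
            hits.append({"ip": m["ip"], "time": m["time"], "method": m["method"],
                         "script": s["script"].lower(), "query": query,
                         "status": int(m["status"])})
    return hits

def summarize(hits):
    """Count hits per (admin script, HTTP method) to show what was targeted."""
    return Counter((h["script"], h["method"]) for h in hits)

# First three lines are copied from the post; the last two are constructed benign traffic.
SAMPLE = [
    '94.142.129.147 - - [04/Sep/2009:22:36:03 -0500] "POST /admin/file_manager.php/login.php?action=save HTTP/1.1" 200 46617',
    '174.129.177.51 - - [23/Oct/2009:17:33:22 -0500] "GET /admin/orders.php/login.php HTTP/1.1" 200 37728',
    '66.96.128.60 - - [09/Dec/2009:23:08:56 -0600] "POST /admin/file_manager.php/login.php?a=1&action=save HTTP/1.1" 200 16552',
    '192.0.2.10 - - [10/Dec/2009:08:00:00 -0600] "GET /admin/login.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Dec/2009:08:00:05 -0600] "GET /images/pixel_trans.gif HTTP/1.1" 200 43',
]

if __name__ == "__main__":
    hits = find_suspect_requests(SAMPLE)
    for h in hits:
        print(h["time"], h["ip"], h["method"], h["script"], h["status"], h["query"])
    print(dict(summarize(hits)))
```

A 200 response to a POST against file_manager.php with action=save is the entry to check first, since it means the request was served rather than redirected to the login page.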








