Came across a couple of ‘extra’ files added to a client’s osC installation by XSS

ext/modules/payment/paypal/verify_ipn.php

This one contained a nice little virus package and is not to be confused with the genuine osC file that you may have on your site:

ext/modules/payment/paypal_ipn/verify_ipn.php

On the same site there was a file /images/ind.php that had been dropped in there – there should be nothing in the /images/ folder for osC other than images and possibly a .htaccess file – worth having a look.

The images folder is easy for a hacker to drop a file into, as the permissions on there may be set to 777 – you can try changing that to 755, which works on some hosting servers, but on others it seems that 777 is needed.

If you are set to 777 and a script file is placed into the images folder then you could try to stop it from running by using the .htaccess script listed here – as one contributor says there, it won’t stop the hack taking place but at least it will stop the blasted file from running.
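As an added example (not from the original post or from osCommerce itself), here is a small shell audit for the two findings above: it flags non-image files under images/, flags the rogue paypal/verify_ipn.php path, and writes an images/.htaccess that stops Apache from executing scripts in that folder. The image extensions, the Apache 2.4 directives and the sample layout it builds are assumptions; adjust them for your install.

```shell
#!/bin/sh
# Added example, not from the original post: audit an osCommerce install for the
# findings described above. Paths and extensions are assumptions; adjust them.

# Return 0 if images/ holds only image files and an optional .htaccess, else 1,
# printing each unexpected file (a dropped ind.php, for instance).
audit_images_dir() {
  unexpected=$(find "$1/images" -type f ! -name .htaccess \
    ! -iname '*.jpg' ! -iname '*.jpeg' ! -iname '*.png' ! -iname '*.gif' \
    ! -iname '*.webp' ! -iname '*.ico' -print)
  [ -z "$unexpected" ] && return 0
  printf '%s\n' "$unexpected"
  return 1
}

# Return 1 if the rogue paypal/verify_ipn.php exists. The genuine osC file lives
# under paypal_ipn/, so a copy under paypal/ is not part of the stock install.
audit_ipn_path() {
  if [ -e "$1/ext/modules/payment/paypal/verify_ipn.php" ]; then
    echo "rogue file: $1/ext/modules/payment/paypal/verify_ipn.php"
    return 1
  fi
  return 0
}

# Write an images/.htaccess that stops Apache executing scripts there. Assumes
# Apache 2.4 with mod_php and AllowOverride permitting these directives; as the
# post notes, this does not prevent the upload, only the execution.
write_images_htaccess() {
  cat > "$1/images/.htaccess" <<'EOF'
php_flag engine off
RemoveHandler .php .phtml .php3 .php4 .php5
RemoveType .php .phtml .php3 .php4 .php5
<FilesMatch "\.(php|phtml|php[3-5]|pl|cgi)$">
  Require all denied
</FilesMatch>
EOF
}

# Constructed sample layout mimicking what the post describes (not a real site).
demo=$(mktemp -d)
mkdir -p "$demo/images" "$demo/ext/modules/payment/paypal" \
         "$demo/ext/modules/payment/paypal_ipn"
: > "$demo/images/logo.png"
echo '<?php /* stand-in for the dropped ind.php */' > "$demo/images/ind.php"
: > "$demo/ext/modules/payment/paypal/verify_ipn.php"
: > "$demo/ext/modules/payment/paypal_ipn/verify_ipn.php"
audit_images_dir "$demo" || echo "images/ is not clean"
audit_ipn_path "$demo"   || echo "rogue verify_ipn.php present"
write_images_htaccess "$demo"
rm -rf "$demo"
```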