Possible Exploit

Back in december there was an exploit in the mailerphp file which was mentioned on here.

We had changed the files after being exploited. Supposedly every thing was clean.

Today we saw someone break in an place a small paypal order and then delete it. We checked the logs and below were what he went through. His IP was which we blocked .

We renamed our admin which is why i let it be seen below.

I noticed the public_html/sph.php? file as something i hadent seen before.

I was going to check what was in it and just as mysteriously it was gone.

Im not sure how they got in as im the only one with admin prviledges or knows any of the passwords.

I changed cpanl, root,, admin passwords in the meantime.

Also i had hosting company look into it and they said this file was comprmised.


They changed the permissions to 000 for it.

I am currently on 2.0.12

HOw do i find replace contents of that file with the original.

Also should i bring thi up in the help desk.

Odd thing is im the one where cusomters couldnt pay with paypal and the helpdesk

said my paypal..php was missing some lines and sent me the original file.

Paypal started working since then but then this just happened few days later.


	<p> </p>

From what I can tell is there is no /addons/data_feeds/controllers/admin/exim.php in 2.0.12. There is however a /addons/data_feeds/controllers/admin/exim.post.php.

It sounds like you need to do a complete file compare.

Yes, i have the exim.post.php file also.

Maybe ill download a copy of the corrupt one first before i delete it just in case .

Guess cant trust the modified date as would have thought it would be recent but date on the file is same as the others back in 2010.

Asked the help desk to send me the original file if there is one? Lets see what they say.

Is there a way i can compare files from an original old version as looking at motified dates of files dont seem to help.

I think this all started with the mailerphp file exploit back in December as the fake order that was placed today was same email address as fake order one placed back in december.

Thank you

It's a very time consuming process but what I do is I create a fresh install then use a file comparison software to compare the fresh install to the original install.

Looking through directories i thought this also looked suspicious


Anyone know if this file exists in 2.0.12

Not from what I can tell. There is an addon.xml though.

Yes , I have a addon.xtl. I deleted the file /public_html/addons/rma/addon.php

but got errors /home/justcomm/public_html/index.php on line 25

Then looked at my index.php file and found that it points to the rma/addon.php.

As thinking i should either delete that line also or

maybe it should be addon.xml instead.

would appreciate if you can tell me what your index.php looks like.

Beleive all this was dont back in Dec. when the mailer.php was discovered so maybe others should look and see if they have

any of these files.

Again thank you for your time and help as its greatly apprecaited.

Below is copy of my index.php file

* *
* Copyright (c) 2009 Simbirsk Technologies Ltd. All rights reserved. *
* *
* This is commercial software, only users who have purchased a valid *
* license and accept to the terms of the License Agreement can install *
* and use this program. *
* *

// $Id: index.php 8051 2009-10-02 12:54:14Z alexions $

define('AREA', 'C');
define('AREA_NAME' ,'customer');

require dirname(__FILE__) . '/prepare.php';
require dirname(__FILE__) . '/init.php';
define('INDEX_SCRIPT', Registry::get('config.customer_index'));



The line include('addons/rma/addon.php'); does not belong in the index.php file.

// $Id: index.php 8051 2009-10-02 12:54:14Z alexions $
define(‘AREA’, ‘C’);
define(‘AREA_NAME’ ,‘customer’);

require dirname(FILE) . ‘/prepare.php’;
require dirname(FILE) . ‘/init.php’;

define(‘INDEX_SCRIPT’, Registry::get(‘config.customer_index’));



Thank you again.

Will delete the file and erase that line.

hopefully it isnt attached any where else but will find out if i get any more errors.