Possible Exploit

 
  • mrmem
  • Member
  • Members
  • Join Date: 13-Jul 09
  • 88 posts

Posted 28 April 2017 - 12:05 AM #1

Back in December there was an exploit in the mailerphp file which was mentioned on here.

We had changed the files after being exploited. Supposedly everything was clean.

Today we saw someone break in and place a small PayPal order and then delete it. We checked the logs and below is what he went through. His IP was 192.160.102.164, which we blocked.

We renamed our admin, which is why I let it be seen below.

I noticed the public_html/sph.php? file as something I hadn't seen before.

I was going to check what was in it and just as mysteriously it was gone.

I'm not sure how they got in, as I'm the only one with admin privileges or who knows any of the passwords.

I changed the cPanel, root and admin passwords in the meantime.

Also, I had the hosting company look into it and they said this file was compromised:

/home/justcommon/public_html/addons/data_feeds/controllers/admin/exim.php

They changed the permissions to 000 for it.

I am currently on 2.0.12.

How do I find/replace the contents of that file with the original?

Also, should I bring this up in the help desk?

Odd thing is, I'm the one where customers couldn't pay with PayPal and the helpdesk said my paypal.php was missing some lines and sent me the original file.

PayPal started working since then, but then this just happened a few days later.

Anyone

/addons/data_feeds/controllers/admin/exim.php?g
/addons/data_feeds/controllers/admin/exim.php?g
/
/skins/default_blue/customer/print.css
/js/ajax.js
/skins/default_blue/customer/styles.css
/js/core.js
/skins/default_blue/customer/dropdown.css
/lib/jquery/jquery.js
/skins/default_blue/customer/images/icons/favicon.ico
/index.php
/addons/reward_points/js/func.js
/skins/default_blue/customer/styles.base.css
/skins/default_blue/customer/images/icons/icon_delete_small.gif
/skins/default_blue/customer/images/icons/filled_cart_icon.gif
/skins/default_blue/customer/images/icons/filled_cart_list_icon.gif
/skins/default_blue/customer/images/justcommonscom.gif
/skins/default_blue/customer/images/icons/go.gif
/skins/default_blue/customer/images/top_tools_delim.gif
/skins/default_blue/customer/images/top_menu_delim.gif
/images/banner/paymethodsaccepted.jpg
/skins/default_blue/customer/images/icons/cart_arrow.gif
/skins/default_blue/customer/images/sidebox_delim.gif
/skins/default_blue/customer/images/sb_title_bg.gif
/index.php?dispatch=statistics.collect
/index.php?dispatch=categories.view&category_id=6168
/skins/default_blue/customer/images/icons/sort_asc.gif
/skins/default_blue/customer/images/icons/breadcrumbs_arrow.gif
/skins/default_blue/customer/images/icons/icon_close.gif
/js/exceptions.js
/images/no_image.gif
/index.php?dispatch=statistics.collect
/addons/data_feeds/controllers/admin/exim.php?g
/addons/data_feeds/controllers/admin/exim.php?g
/sph.php?mode=login
/admin5511.php
/index.php?dispatch=categories.view&category_id=4742
/index.php?dispatch=statistics.collect
/index.php?dispatch=checkout.cart
/index.php?dispatch=checkout.checkout

 



 
  • The Tool
  • Been Here Way Too Long Member
  • Members
  • Join Date: 30-Mar 07
  • 3578 posts

Posted 28 April 2017 - 01:41 AM #2

From what I can tell, there is no /addons/data_feeds/controllers/admin/exim.php in 2.0.12. There is, however, a /addons/data_feeds/controllers/admin/exim.post.php.

 

It sounds like you need to do a complete file compare.



 
  • mrmem
  • Member
  • Members
  • Join Date: 13-Jul 09
  • 88 posts

Posted 28 April 2017 - 03:19 AM #3

Yes, I have the exim.post.php file also.

Maybe I'll download a copy of the corrupt one first before I delete it, just in case.

Guess I can't trust the modified date, as I would have thought it would be recent, but the date on the file is the same as the others, back in 2010.

Asked the help desk to send me the original file if there is one. Let's see what they say.

Is there a way I can compare files with an original old version, as looking at modified dates of files doesn't seem to help?

I think this all started with the mailerphp file exploit back in December, as the fake order that was placed today was from the same email address as the fake order placed back in December.

Thank you



 
  • The Tool
  • Been Here Way Too Long Member
  • Members
  • Join Date: 30-Mar 07
  • 3578 posts

Posted 28 April 2017 - 01:28 PM #4

It's a very time-consuming process, but what I do is create a fresh install, then use file comparison software to compare the fresh install to the original install.
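The compare-against-a-fresh-install approach described above, and the question in #3 about not being able to trust modified dates, in runnable form. This is an added example, not CS-Cart code or anything posted in this thread; it assumes sha256sum, awk and mktemp are available on the host and that the "clean" tree is a fresh install of the exact same version (2.0.12 here).

```shell
#!/bin/sh
# Added example (not CS-Cart code): compare a fresh install of the same version ("clean")
# with the live web root and report files that were ADDED, are MISSING or were MODIFIED.
# Content hashes are compared, never modification times, which an attacker can preserve.
set -eu

# hash_tree DIR: prints "<sha256> <relative path>" for every regular file under DIR.
hash_tree() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        printf '%s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "${f#./}"
    done )
}

# compare_trees CLEAN LIVE: one sorted finding per line, "ADDED|MISSING|MODIFIED <path>".
compare_trees() {
    clean_list=$(mktemp); live_list=$(mktemp)
    hash_tree "$1" > "$clean_list"
    hash_tree "$2" > "$live_list"
    # Field 1 is the 64-char hash; the path starts at column 66, so spaces in paths survive.
    awk 'FILENAME == ARGV[1] { clean[substr($0, 66)] = $1; next }
         { p = substr($0, 66)
           if (!(p in clean))       print "ADDED " p
           else if (clean[p] != $1) print "MODIFIED " p
           delete clean[p] }
         END { for (p in clean) print "MISSING " p }' "$clean_list" "$live_list" | sort
    rm -f "$clean_list" "$live_list"
}

# demo: builds two constructed trees mirroring the thread (extra addon.php and sph.php,
# an include line injected into index.php, one legitimate file removed) and compares them.
demo() {
    root=$(mktemp -d)
    for t in clean live; do
        mkdir -p "$root/$t/addons/rma"
        printf '<?php\nrequire "init.php";\nfn_dispatch();\n' > "$root/$t/index.php"
        printf '<addon scheme="1.0"></addon>\n' > "$root/$t/addons/rma/addon.xml"
    done
    echo 'license text' > "$root/clean/copyright.txt"   # present only in the clean tree
    echo '<?php /* constructed stand-in */' > "$root/live/addons/rma/addon.php"
    echo '<?php /* constructed stand-in */' > "$root/live/sph.php"
    printf '<?php\nrequire "init.php";\ninclude("addons/rma/addon.php");\nfn_dispatch();\n' \
        > "$root/live/index.php"
    compare_trees "$root/clean" "$root/live"
    rm -rf "$root"
}

demo
```

On a real host, run compare_trees with the unpacked fresh 2.0.12 tree as the first argument and the live public_html as the second; every ADDED or MODIFIED .php file is a candidate for inspection regardless of what its timestamp says.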



 
  • mrmem
  • Member
  • Members
  • Join Date: 13-Jul 09
  • 88 posts

Posted 29 April 2017 - 06:41 AM #5

Looking through directories, I thought this also looked suspicious:

/public_html/addons/rma/addon.php

Anyone know if this file exists in 2.0.12?



 
  • The Tool
  • Been Here Way Too Long Member
  • Members
  • Join Date: 30-Mar 07
  • 3578 posts

Posted 29 April 2017 - 03:50 PM #6

Not from what I can tell.  There is an addon.xml though.



 
  • mrmem
  • Member
  • Members
  • Join Date: 13-Jul 09
  • 88 posts

Posted 30 April 2017 - 03:12 PM #7

Yes, I have an addon.xml. I deleted the file /public_html/addons/rma/addon.php

but got errors: /home/justcomm/public_html/index.php on line 25

Then I looked at my index.php file and found that it points to the rma/addon.php.

I'm thinking I should either delete that line also, or maybe it should be addon.xml instead.

Would appreciate if you can tell me what your index.php looks like.

Believe all this was done back in Dec. when the mailer.php was discovered, so maybe others should look and see if they have any of these files.

Again, thank you for your time and help, as it's greatly appreciated.

Below is a copy of my index.php file:


<?php
/***************************************************************************
* *
* Copyright © 2009 Simbirsk Technologies Ltd. All rights reserved. *
* *
* This is commercial software, only users who have purchased a valid *
* license and accept to the terms of the License Agreement can install *
* and use this program. *
* *
****************************************************************************
* PLEASE READ THE FULL TEXT OF THE SOFTWARE LICENSE AGREEMENT IN THE *
* "copyright.txt" FILE PROVIDED WITH THIS DISTRIBUTION PACKAGE. *
****************************************************************************/


//
// $Id: index.php 8051 2009-10-02 12:54:14Z alexions $
//

define('AREA', 'C');
define('AREA_NAME' ,'customer');

require dirname(__FILE__) . '/prepare.php';
require dirname(__FILE__) . '/init.php';
include('addons/rma/addon.php');
define('INDEX_SCRIPT', Registry::get('config.customer_index'));

fn_dispatch();

?>



 
  • The Tool
  • Been Here Way Too Long Member
  • Members
  • Join Date: 30-Mar 07
  • 3578 posts

Posted 30 April 2017 - 05:33 PM #8

The line include('addons/rma/addon.php'); does not belong in the index.php file.

<?php
/***************************************************************************
*                                                                          *
*    Copyright (c) 2009 Simbirsk Technologies Ltd. All rights reserved.    *
*                                                                          *
* This  is  commercial  software,  only  users  who have purchased a valid *
* license  and  accept  to the terms of the  License Agreement can install *
* and use this program.                                                    *
*                                                                          *
****************************************************************************
* PLEASE READ THE FULL TEXT  OF THE SOFTWARE  LICENSE   AGREEMENT  IN  THE *
* "copyright.txt" FILE PROVIDED WITH THIS DISTRIBUTION PACKAGE.            *
****************************************************************************/


//
// $Id: index.php 8051 2009-10-02 12:54:14Z alexions $
//
define('AREA', 'C');
define('AREA_NAME' ,'customer');

require dirname(__FILE__) . '/prepare.php';
require dirname(__FILE__) . '/init.php';

define('INDEX_SCRIPT', Registry::get('config.customer_index'));

fn_dispatch();

?>


 
  • mrmem
  • Member
  • Members
  • Join Date: 13-Jul 09
  • 88 posts

Posted 30 April 2017 - 06:01 PM #9

Thank you again.

Will delete the file and erase that line.

Hopefully it isn't attached anywhere else, but I will find out if I get any more errors.