views: 24
answers: 2

Hello,

The host of a server I work on turned off the site today, after x-cart was installed, because the following commands were issued on the server and they think it's a security breach:

  • ls -la 2>&1
  • id 2>&1;whoami 2>&1;
  • id 2>&1
  • mkdir 123
  • pwd 2>&1
  • echo 1

The server is running Linux (of some kind, not sure what..) and there is no SSH access. I'm not 100% sure it's x-cart that issued these commands, although looking through the setup script I can see there are a few commands in xcheck.php that may explain a few of these:

```php
// Both lines are from x-cart's xcheck.php as quoted in the question.
// Probe 1: does exec() work at all? Output goes to $o, the exit code to $e.
@exec( "echo 1", $o, $e);

// Probe 2: run whatever command is held in $this->test, with stderr merged into
// stdout (the same "2>&1" suffix seen on several of the logged commands).
@exec( $this->test." 2>&1", $this->data, $code);
```

However, I grepped the entire source of the shop dir (and a couple of other x-cart files) for 'whoami' and 'id', and could not find anything.

The host (and the person I'm working for) need to be fairly sure it's not been compromised.

I traced the code back as far as I could, but couldn't find anything really that implies running whoami and id.

I'm 80% sure it's just x-cart, but can anyone please confirm or at least bolster my suspicions?

Note: I did not install x-cart on the server; someone else working on the site did (there are three people loosely involved).

Cheers! John.

A: 

It seems one of the guys put some bad code in, or at least didn't get the package from a trusted source (you probably won't find the executed commands in the source, as they are passed to the script via GET/POST). To make sure, download the version you have and check it against that file's code.

aularon
Thanks, the people who installed it say that it was indeed just the install script.
John Hunt
A: 

I got an email from the people who installed x-cart saying that it was indeed simply from the install procedure. I'd also guess this is correct, so I'm marking this question as closed.

If you think I'm wrong, please say so!

Thanks, John.

John Hunt