Hello,
The host of a server I work on turned off the site just today, after x-cart was installed, because the following commands were issued on the server and they think it's a security breach:
- ls -la 2>&1
- id 2>&1;whoami 2>&1;
- id 2>&1
- mkdir 123
- pwd 2>&1
- echo 1
The server is running Linux (of some kind, I'm not sure which) and there is no SSH access. I'm not 100% sure it's x-cart that issued these commands, although looking through the setup script I can see a few commands in xcheck.php that may explain some of them:
@exec( "echo 1", $o, $e);
@exec( $this->test." 2>&1", $this->data, $code);
However, I grepped the entire source of the shop dir (and a couple of other x-cart files) for 'whoami' and 'id', and could not find anything.
The host (and the person I'm working for) need to be fairly sure it's not been compromised.
I traced the code back as far as I could, but couldn't really find anything that implies running whoami and id.
I'm 80% sure it's just x-cart, but can anyone please confirm or at least bolster my suspicions?
Note: I did not install x-cart on the server; someone else working on the site did (there are three people loosely involved).
Cheers! John.
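The two xcheck.php lines quoted above only tell you which command *shapes* the installer can produce: "echo 1" literally, and anything of the form `X 2>&1` where `X` comes from `$this->test` at runtime. A grep for `whoami` can never find the latter. The script below is an added example (not from the post or from x-cart) of the triage a practitioner would do instead: scan a PHP tree for every exec-family call, turn each first argument into a template (quoted literals kept, variables become wildcards), and check the logged commands against those templates. The PHP fragments are constructed stand-ins: the two `@exec(...)` lines are the ones quoted above, while the class wrapper, `setup.php` and its `mkdir()` call are made up for the demonstration; the observed command list is the one from the post.

```python
import re

# Constructed stand-in for the installer sources. The two exec() lines are the
# ones quoted in the post; the class wrapper and setup.php are made up.
SAMPLE_PHP = {
    "xcheck.php": r'''<?php
class XCheck {
    function run() {
        @exec( "echo 1", $o, $e);
        @exec( $this->test." 2>&1", $this->data, $code);
    }
}
''',
    "setup.php": r'''<?php
@mkdir("cache", 0755);   // PHP builtin, not a shell command
''',
}

# Commands the host saw executed, exactly as listed in the post.
OBSERVED = [
    "ls -la 2>&1",
    "id 2>&1;whoami 2>&1;",
    "id 2>&1",
    "mkdir 123",
    "pwd 2>&1",
    "echo 1",
]

# PHP functions whose first argument reaches a shell (backticks not handled).
EXEC_FUNCS = ("exec", "shell_exec", "system", "passthru", "popen", "proc_open")
CALL_RE = re.compile(r"\b(" + "|".join(EXEC_FUNCS) + r")\s*\(")

# Pieces of a PHP string expression: quoted literals keep their text,
# variables / properties / array elements become wildcards.
PIECE_RE = re.compile(
    r'"((?:[^"\\]|\\.)*)"'                       # "double-quoted"
    r"|'((?:[^'\\]|\\.)*)'"                      # 'single-quoted'
    r"|(\$[A-Za-z_]\w*(?:->\w+|\[[^\]]*\])*)"    # $var, $this->prop, $arr['k']
)


def first_argument(src, paren):
    """First argument of the call whose '(' is at src[paren]; honours quotes and
    nested parentheses so a comma inside a string does not split it."""
    depth, quote, i = 0, None, paren
    while i < len(src):
        c = src[i]
        if quote:
            if c == "\\":
                i += 1                 # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return src[paren + 1:i].strip()
        elif c == "," and depth == 1:
            return src[paren + 1:i].strip()
        i += 1
    return None


def template_regex(arg_expr):
    """Anchored regex for a PHP argument expression: literals escaped, runtime
    values replaced by '.*'. None if nothing in it was recognised."""
    parts = []
    for m in PIECE_RE.finditer(arg_expr):
        literal = m.group(1) if m.group(1) is not None else m.group(2)
        if literal is not None:
            # Minimal unescaping, enough for \" \' and \\ in installer code.
            literal = literal.replace('\\"', '"').replace("\\'", "'").replace("\\\\", "\\")
            parts.append(re.escape(literal))
        else:
            parts.append(".*")
    return re.compile("^" + "".join(parts) + "$", re.S) if parts else None


def extract_templates(sources):
    """Yield (file, function, arg_expr, regex) for every exec-family call."""
    for name, src in sources.items():
        for m in CALL_RE.finditer(src):
            arg = first_argument(src, m.end() - 1)
            rx = template_regex(arg) if arg is not None else None
            if rx is not None:
                yield name, m.group(1), arg, rx


def explain_commands(observed, sources):
    """Map each observed command to the (file, arg_expr) templates able to
    produce it; an empty list means no call in the sources explains it."""
    templates = list(extract_templates(sources))
    return {cmd: [(f, arg) for f, _fn, arg, rx in templates if rx.match(cmd)]
            for cmd in observed}


def unexplained(result):
    """Commands that no scanned call accounts for; these go to the host."""
    return [cmd for cmd, hits in result.items() if not hits]


if __name__ == "__main__":
    for cmd, hits in explain_commands(OBSERVED, SAMPLE_PHP).items():
        print(f"{cmd!r:28} -> {hits or 'UNEXPLAINED'}")
```

Run it against the real shop directory by reading each `.php` file into the `sources` dict. Three outcomes come out: "echo 1" is explained by a literal; "ls -la 2>&1", "id 2>&1" and "pwd 2>&1" are only *possibly* explained, by the `$this->test." 2>&1"` wildcard template, so the next step is to find where `$this->test` is assigned rather than to stop there; and "mkdir 123" and "id 2>&1;whoami 2>&1;" (note the trailing `;`, which does not fit the `X 2>&1` shape) match nothing. A template being able to produce a string is weak evidence that it did, since `$this->test` is runtime data; a command that nothing in the source can produce is the one to escalate, particularly as `id`, `whoami`, `pwd` and `ls -la` are also exactly what someone manually testing a command-execution foothold types first.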