Today, I logged into one server to have a rummage and see if I could free up some disk space… on a whim I did an ‘ls’ of /tmp and found a file called ‘att1.txt’. Hmm. Let’s take a look – ‘head att1.txt’ gave:
#!/usr/bin/perl
# ShellBOT
# 0ldW0lf – oldwolf@atrix-team.org
# – www.atrix-team.org
Ah, pants. The timestamp on the file matches requests to a Zen-cart instance:
... POST http://....../admin/record_company.php/password_forgotten.php?action=insert
... POST http://..../index.php?main_page=products_all/admin/record_company.php/password_forgotten.php?action=insert
... GET /index.php?main_page=products_all/images/6e072.php?site=http://...../index.php?main_page=products_all/images/6e072.php
It turns out there was a security update for Zen-cart some time ago – see http://www.zen-cart.com/forum/showthread.php?t=130161
Suffice it to say the various attackers had left a few files on the filesystem; thanks to ‘find -user www-data’ these were easy to find and remove. Interestingly, Zen-Cart suggests you rename the ‘admin’ directory – I wonder how many people don’t (in this case) or do it to e.g. ‘admin.old’ …
*sigh*
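The two traces in the post (the request shape in the access log, and files owned by the web server account turning up in the filesystem) are easy to turn into a small triage script. The following is an added example, not code from the original post or from Zen Cart: it greps an Apache combined-format access log for an admin/ script reached by appending /password_forgotten.php to its path and for any .php file requested directly under images/, and it wraps the post’s ‘find -user www-data’ with the user, docroot and time window as parameters. The log lines and IP addresses are constructed (RFC 5737 documentation ranges), as are the function names.

```sh
#!/bin/sh
# Added example (not from the original post): triage helpers for the two traces described above.
# Sample log lines and addresses are constructed for illustration.

# Constructed Apache combined-format log: lines 1-3 mirror the request shapes in the post,
# lines 4-6 are benign traffic, including the legitimate /admin/password_forgotten.php page.
SAMPLE_LOG='192.0.2.10 - - [12/Mar/2011:03:14:07 +0000] "POST /admin/record_company.php/password_forgotten.php?action=insert HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2011:03:14:09 +0000] "POST /index.php?main_page=products_all/admin/record_company.php/password_forgotten.php?action=insert HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2011:03:15:22 +0000] "GET /index.php?main_page=products_all/images/6e072.php?site=http://192.0.2.10/x HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2011:03:20:01 +0000] "GET /index.php?main_page=index HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Mar/2011:03:21:45 +0000] "GET /admin/password_forgotten.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2011:03:22:10 +0000] "GET /images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"'

# Write the constructed sample log to the path given as $1.
write_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}

# Print every line of access log $1 matching either attack shape.
# First alternative: a script name must sit between admin/ and /password_forgotten.php, so the
# legitimate /admin/password_forgotten.php page itself does not match.
# Second alternative: a .php file directly under images/, so ordinary image files do not match.
suspicious_requests() {
    grep -E '/admin/[^ /?"]+\.php/password_forgotten\.php|/images/[^ /?"]*\.php([ ?"]|$)' "$1"
}

# Number of matching lines (0 when there are none; grep's exit status is absorbed by wc).
suspicious_count() {
    suspicious_requests "$1" | wc -l | tr -d ' '
}

# Timestamps of the matching requests, for comparison against file mtimes under the docroot.
suspicious_times() {
    suspicious_requests "$1" | sed -n 's/^[^[]*\[\([^]]*\)\].*$/\1/p'
}

# Files under docroot $1 owned by account $2 (name or numeric uid) modified in the last $3 minutes.
# This is the post's 'find -user www-data' narrowed to the window of the suspicious requests.
# Ownership only helps when the web server itself wrote the files, and mtimes can be reset by an
# attacker, so treat the output as a starting list to inspect, not as proof of compromise.
recent_webserver_files() {
    find "$1" -user "$2" -type f -mmin -"$3"
}

# Usage: sh triage.sh ACCESS_LOG [DOCROOT MINUTES]
#   e.g. sh triage.sh /var/log/apache2/access.log /var/www 120
if [ $# -ge 1 ]; then
    echo "suspicious requests in $1: $(suspicious_count "$1")"
    suspicious_requests "$1"
    if [ $# -ge 3 ]; then
        echo "files owned by www-data under $2 modified in the last $3 minutes:"
        recent_webserver_files "$2" www-data "$3"
    fi
fi
```

Run it against the real access log first and only then against the docroot: the log timestamps tell you which window to pass to the find, and a webshell that was uploaded through the web server is usually owned by its account, while anything dropped after the attacker escalated or fixed up ownership will not be. ‘-mmin’ is a GNU/BusyBox find option; on other finds use ‘-newer’ against a reference file.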
Did I not tell you how I hated ZenCart?
Yes… blame the wife…