zencart security crapness

Today, I logged into one server to have a rummage and see if I could free up some disk space… on a whim I do an ‘ls’ of /tmp and find a file called ‘att1.txt’. Hmm. Lets take a look – ‘head att1.txt’ gave :

#  ShellBOT
#  0ldW0lf – oldwolf@atrix-team.org
#      – www.atrix-team.org
Ah, pants. Timestamp on the file matches a request to a Zen-cart instance :

... POST http://....../admin/record_company.php/password_forgotten.php?action=insert
... POST http://..../index.php?main_page=products_all/admin/record_company.php/password_forgotten.php?action=insert
... GET /index.php?main_page=products_all/images/6e072.php?site=http://...../index.php?main_page=products_all/images     /6e072.php

It turns out there was a security update for Zen-cart sometime ago – see http://www.zen-cart.com/forum/showthread.php?t=130161

Suffice to say the various attackers had left a few files on the filesystem; thanks to ‘find -user www-data’ these were easy to find and remove. Interestingly Zen-Cart suggests you rename the ‘admin’ directory – I wonder how many people don’t (in this case) or do it to e.g. ‘admin.old’ …



Leave a comment

Your email address will not be published.