Hi,
I'm aware of the domPDF and fckeditor exploits and both my opencart websites have those files removed. However I've recently discovered a random folder on both my websites that use opencart (1.4.5 on one and 1.4.9.4 on the other).
The folder seemed to be a modified version of my site that pulled in images from lots of other sites. For example from the google cache (as the folder has now been removed from my site):
http://webcache.googleusercontent.com/s ... ogle.co.uk
Anyone got any ideas how this might have happened? Is there a known exploit that I'm not aware of, or is this something new?
As a precaution I've renamed my admin folder just in case.
Thanks,
Gary
The folders appeared in the root of the server.
On one server a modified version of Opencart 1.4.5 is installed in /shop. In the root there is some simple custom stuff.
On the other server it's unmodified Opencart 1.4.9.4 in the root with Global Mega Options plugin.
It's odd, as I run many domains with the same host, but it's only happened with the two running Opencart. I've got Opencart hosted on another host and it's not happened there. The host company have suggested it might be (two different) compromised FTP passwords that have allowed the upload.
If anyone is interested I've attached the files that were added to one of the servers in a folder called "hek". Within that there was a folder called "coafgiy" which contained about 1000 files (only 1 example included). I think the request URL was hashed and then the code included a file with that hash as a filename.
Does this sound familiar to anyone?
Gary
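
A defender's check for the pattern described in this thread, as an added example that is not part of the original posts: it lists top-level folders missing from a known-good baseline and flags directories filled mostly with hash-named files. The function names, thresholds, hex-digest filename pattern and sample tree are assumptions constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# Assumption: names look like an MD5/SHA-1/SHA-256 hex digest, with an optional
# extension. The post does not say which hash or filename format was used.
HEX_NAME = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})(?:\.\w+)?$", re.I)

def find_suspect_dirs(web_root, known_top_level, min_files=50, min_ratio=0.8):
    """Flag top-level folders missing from the baseline, plus any directory
    whose files are mostly hash-named."""
    findings = []
    for entry in sorted(os.listdir(web_root)):
        path = os.path.join(web_root, entry)
        if os.path.isdir(path) and entry not in known_top_level:
            findings.append(("unexpected-top-level", path))
    for dirpath, dirs, files in os.walk(web_root):
        dirs.sort()  # deterministic traversal order
        if len(files) < min_files:
            continue
        hashed = sum(1 for name in files if HEX_NAME.match(name))
        if hashed / len(files) >= min_ratio:
            findings.append(("hash-named-files", dirpath))
    return findings

def build_constructed_tree(root):
    """Constructed sample layout: a normal shop plus an injected folder."""
    for rel in ("shop", "image", os.path.join("hek", "coafgiy")):
        os.makedirs(os.path.join(root, rel))
    open(os.path.join(root, "shop", "index.php"), "w").close()
    open(os.path.join(root, "hek", "index.php"), "w").close()
    for i in range(60):
        # Legitimate, human-named product images
        open(os.path.join(root, "image", f"product-{i}.jpg"), "w").close()
        # Constructed cache files named after the MD5 of a made-up URL
        digest = hashlib.md5(f"/hek/page-{i}.html".encode()).hexdigest()
        open(os.path.join(root, "hek", "coafgiy", digest), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_constructed_tree(root)
        for kind, path in find_suspect_dirs(root, {"shop", "image"}):
            print(kind, os.path.relpath(path, root))
```

Run against a real web root, the baseline set should list the folders you deployed yourself; anything reported still needs manual review before removal.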