I've had my demo site hacked and forwarded to another site. I've sorted it out; it was a case of removing an iframe from index.php.
I'm curious as to how it happened. Files were placed in the download folder, despite this function being disabled for the demo user.
There are other OC sites on this server, so I don't think it's the server that was compromised; just getting access to the admin area makes the demo install compromisable.
I've posted server logs below:
115.135.122.150 - - [04/Jan/2013:13:18:08 +0000] "GET /index.php?route=information/information&information_id=3//index.php?route=product/product/upload HTTP/1.1" 200 13143 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:18:09 +0000] "GET //index.php?route=product/product/upload HTTP/1.1" 200 28 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:18:10 +0000] "GET /index.php?route=information//index.php?route=product/product/upload HTTP/1.1" 404 13161 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:18:10 +0000] "POST /index.php?route=product/product/upload HTTP/1.1" 200 148 "-" "libwww-perl/5.834"
115.135.122.150 - - [04/Jan/2013:13:18:14 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+) HTTP/1.1" 404 325 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:18:15 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+)(.+)(.+) HTTP/1.1" 404 333 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:18:15 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+)(.+)(.+)(.+)(.+) HTTP/1.1" 404 341 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:18:16 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+).+)(.+)(.+)(.+)(.+)(.+) HTTP/1.1" 404 348 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:18:19 +0000] "GET //index.php?route=product/product/upload HTTP/1.1" 200 28 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:18:20 +0000] "POST //index.php?route=product/product/upload HTTP/1.1" 200 28 "-" "libwww-perl/5.834"
180.76.5.163 - - [04/Jan/2013:13:35:35 +0000] "GET /index.php?route=product/category&path=33&sort=p.model&order=ASC HTTP/1.1" 200 28781 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:36:52 +0000] "GET /index.php?route=information/information&information_id=3//index.php?route=product/product/upload HTTP/1.1" 200 13143 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:36:54 +0000] "GET //index.php?route=product/product/upload HTTP/1.1" 200 28 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:36:54 +0000] "GET /index.php?route=information//index.php?route=product/product/upload HTTP/1.1" 404 13161 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:36:55 +0000] "POST /index.php?route=product/product/upload HTTP/1.1" 200 148 "-" "libwww-perl/5.834"
115.135.122.150 - - [04/Jan/2013:13:36:58 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+) HTTP/1.1" 404 325 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:36:59 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+)(.+)(.+) HTTP/1.1" 404 333 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:36:59 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+)(.+)(.+)(.+)(.+) HTTP/1.1" 404 341 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:37:00 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+).+)(.+)(.+)(.+)(.+)(.+) HTTP/1.1" 404 348 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:37:03 +0000] "GET //index.php?route=product/product/upload HTTP/1.1" 200 28 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:37:04 +0000] "POST //index.php?route=product/product/upload HTTP/1.1" 200 28 "-" "libwww-perl/5.834"
115.135.122.150 - - [04/Jan/2013:13:38:18 +0000] "GET /index.php?route=product/product/upload HTTP/1.1" 200 28 "-" "Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1"
115.135.122.150 - - [04/Jan/2013:13:38:19 +0000] "GET /favicon.ico HTTP/1.1" 404 300 "-" "Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1"
115.135.122.150 - - [04/Jan/2013:13:38:20 +0000] "GET /favicon.ico HTTP/1.1" 404 300 "-" "Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1"
115.135.122.150 - - [04/Jan/2013:13:38:29 +0000] "GET /download/readme.jpg.82d88ed2038c94b2c47c9a1a671c2822 HTTP/1.1" 404 341 "-" "Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1"
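One way to triage a log like the one above, added here as an example and not part of the original post: it groups requests by client IP and flags any address that POSTs to the upload route, then requests files under /download/, while presenting more than one User-Agent. The function names and the flagging rule are assumptions; the sample lines are copied from the posted log.

```python
import re
from collections import defaultdict

# Apache "combined" log format, matching the lines in the posted excerpt.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) '
    r'HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
UPLOAD_ROUTE = "route=product/product/upload"  # route seen in the posted log
DOWNLOAD_PREFIX = "/download/"                 # folder named in the post

def triage(lines):
    """Per client IP: user agents seen, upload POSTs, later /download/ requests."""
    report = defaultdict(lambda: {"agents": set(), "upload_posts": 0, "download_probes": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        entry = report[m["ip"]]
        entry["agents"].add(m["ua"])
        if m["method"] == "POST" and UPLOAD_ROUTE in m["target"]:
            entry["upload_posts"] += 1
        elif entry["upload_posts"] and m["target"].startswith(DOWNLOAD_PREFIX):
            # Count /download/ requests only after an upload POST from the same IP.
            entry["download_probes"].append((m["target"], int(m["status"])))
    return dict(report)

def suspicious(report):
    """Assumed rule: upload POST, then /download/ requests, under more than one User-Agent."""
    return sorted(ip for ip, e in report.items()
                  if e["upload_posts"] and e["download_probes"] and len(e["agents"]) > 1)

# Sample input: five lines copied from the log excerpt in the post.
SAMPLE = [
    '115.135.122.150 - - [04/Jan/2013:13:18:10 +0000] "POST /index.php?route=product/product/upload HTTP/1.1" 200 148 "-" "libwww-perl/5.834"',
    '115.135.122.150 - - [04/Jan/2013:13:18:14 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+) HTTP/1.1" 404 325 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"',
    '180.76.5.163 - - [04/Jan/2013:13:35:35 +0000] "GET /index.php?route=product/category&path=33&sort=p.model&order=ASC HTTP/1.1" 200 28781 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"',
    '115.135.122.150 - - [04/Jan/2013:13:38:18 +0000] "GET /index.php?route=product/product/upload HTTP/1.1" 200 28 "-" "Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1"',
    '115.135.122.150 - - [04/Jan/2013:13:38:29 +0000] "GET /download/readme.jpg.82d88ed2038c94b2c47c9a1a671c2822 HTTP/1.1" 404 341 "-" "Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1"',
]

if __name__ == "__main__":
    rep = triage(SAMPLE)
    for ip in suspicious(rep):
        print(ip, rep[ip]["upload_posts"], sorted(rep[ip]["agents"]), rep[ip]["download_probes"])
```

Run against the full access log, the same report also shows whether any /download/ request after an upload returned 200 rather than 404.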