My hosting provider has notified me of malware that Imunify has detected on my OCS. I can clean these files, but I would like to know where the vulnerability is. Perhaps there are experts who can tell me, or there are those who have encountered similar cases. I’m not sure whether it is worth uploading the code of the files, so I will only indicate their names.
It’s hard to know without more information, but the likeliest attack vector will be an incorrectly configured files_dir (see config.inc.php). Is your files_dir located inside your web root? If so, a malicious user could upload a .phtml file as a submission document, then guess the URL to the files directory and invoke it directly through the web server to execute it. For this reason it’s important to put the files_dir outside the web root, or protect it from direct access using an .htaccess file or similar mechanism.
However, the existence of a .phtml file inside the files_dir is not evidence of a successful attack; it’s possible that a malicious user was attempting to guess a direct URL but was not able to.
Public Knowledge Project Team
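An added example of the check described in the reply above (my own script, not PKP code): a POSIX shell function that reads files_dir from config.inc.php, resolves it, and reports whether it sits outside the web root, inside it but shielded by an .htaccess that denies direct access, or inside and exposed. The install directory, web root and config path are arguments you supply; that a relative files_dir resolves against the OCS install directory and that the web server is Apache honouring .htaccess are assumptions, and the layout in the usage below is constructed.

```shell
#!/bin/sh
# Added example (not PKP code). Assumes: config.inc.php has a line
# "files_dir = <path>", a relative path is relative to the OCS install
# directory, and Apache reads .htaccess (AllowOverride permits it).

abs_path() {
    # Canonical absolute path of a directory, symlinks resolved
    (cd "$1" 2>/dev/null && pwd -P)
}

files_dir_from_config() {
    # First files_dir value, with trailing ";" comment and quotes stripped
    sed -n 's/^[[:space:]]*files_dir[[:space:]]*=[[:space:]]*//p' "$1" \
        | head -n 1 | sed 's/[[:space:]]*;.*$//; s/^"//; s/"$//'
}

files_dir_status() {
    # $1 = OCS install dir, $2 = web document root, $3 = config.inc.php
    # Prints one of: outside-webroot, inside-protected, inside-exposed, missing
    install_dir=$(abs_path "$1") || return 2
    web_root=$(abs_path "$2") || return 2
    raw=$(files_dir_from_config "$3")
    case "$raw" in
        /*) fdir=$(abs_path "$raw") ;;
        *)  fdir=$(abs_path "$install_dir/$raw") ;;
    esac
    [ -n "$fdir" ] || { echo "missing"; return 2; }
    case "$fdir/" in
        "$web_root"/*)
            # Inside the web root: acceptable only if every direct request
            # for anything under files_dir is refused by the web server
            if grep -Eqs 'Require all denied|Deny from all' "$fdir/.htaccess"; then
                echo "inside-protected"; return 0
            fi
            echo "inside-exposed"; return 1 ;;
        *)  echo "outside-webroot"; return 0 ;;
    esac
}

# Usage: ./files_dir_check.sh /var/www/ocs /var/www /var/www/ocs/config.inc.php
if [ "${1:-}" != "" ]; then
    files_dir_status "$1" "$2" "$3"
fi
```

A result of inside-exposed means a submission file could be requested straight from the web server; moving files_dir out of the web root is the stronger fix, the .htaccess rule the fallback.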
Hello @asmecher! As always, thanks for your prompt reply! The config settings are the defaults; the directory with the files is located in the OCS directory. At the moment, I have determined from the access log who did it, and added 2 IPs to the ban list.
I did not delete these two files, but removed the permissions.
I was going to delete them, but I thought you might want to take a look at this. If you have the time and desire to look at this, I can provide you with access to these 2 files in the web form and/or send the files themselves directly. I can also provide the logs of this person’s actions. I’m not sure, but maybe this will help avoid similar cases for other community members.