Author Topic: Exploit info  (Read 9452 times)

Michal
Exploit info
« on: October 25, 2011, 04:31:59 PM »
I noticed that after the update some files were changed again. After repatching, I explored my sites and found that some files were still left, like cront.php and some *inc.php (unfortunately I deleted it before I wrote down its name :)), with permission 600 and a date of about 22 August. They were big, +- 20k.
 

Shawn
Re: Exploit info
« Reply #1 on: October 27, 2011, 05:28:37 AM »
My host is still trying to remove this exploit too... They still aren't sure how TP works because of the encoding, so they aren't sure what is legit and what is malicious activity. For instance: However, the only place that appears to be suspect is the tradepulse script. Why the in.php is calling exec, I don't know.

Kildoozer (Administrator)
Re: Exploit info
« Reply #2 on: October 27, 2011, 12:09:33 PM »
To Shawn: answered your email.
About exploits and 'malicious activity': all the latest versions (both ZO and IC powered) have a built-in file scanner. The scanner can run only if you visit your admin area. If you updated your copies via the network mass-updater and haven't visited the admin area of each site, the scanner WON'T run.

I put this scanner in the menu in the new, not-yet-released build, so you'll be able to scan/fix all files at any time.

But I repeat, the latest builds can't be infected if you visit (at least once) your admin area after the update.

If you still suspect that something is wrong, contact me (kildoozer@scriptpulse.com) with TP's access info and I'll help ASAP.
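
A sweep for the leftover-file indicators reported in the first post (PHP files with permission 600, about 20k in size, dated around 22 August), as an added example that is not part of the thread and is not the product's built-in scanner. The size window, the day slack, the year 2011 and the sample file tree are assumptions constructed for the demo; a file is flagged when at least two indicators match.

```python
import os
import stat
import tempfile
from datetime import date, datetime

# Assumed thresholds: the post gives only "permission 600", "+- 20k", "about 22 august".
SIZE_RANGE = (15 * 1024, 25 * 1024)
DAY_SLACK = 3  # days either side of the reported date

def sweep(root, around, size_range=SIZE_RANGE, day_slack=DAY_SLACK):
    """Return sorted (path, reasons) for .php files matching >= 2 indicators."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks out of the web root
            if not name.lower().endswith(".php") or not stat.S_ISREG(st.st_mode):
                continue
            reasons = []
            if stat.S_IMODE(st.st_mode) == 0o600:
                reasons.append("mode 600")
            if size_range[0] <= st.st_size <= size_range[1]:
                reasons.append("size ~20k")
            mday = datetime.fromtimestamp(st.st_mtime).date()
            if abs((mday - around).days) <= day_slack:
                reasons.append("mtime near reported date")
            if len(reasons) >= 2:
                hits.append((path, reasons))
    return sorted(hits)

def demo():
    """Run the sweep over a constructed tree; returns {basename: reasons}."""
    def make(path, size, mode, when):
        with open(path, "wb") as fh:
            fh.write(b"A" * size)  # constructed filler, not real PHP
        os.chmod(path, mode)
        ts = datetime(*when, 12, 0).timestamp()
        os.utime(path, (ts, ts))
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "includes"))
        make(os.path.join(root, "cront.php"), 20 * 1024, 0o600, (2011, 8, 22))
        make(os.path.join(root, "includes", "xinc.php"), 19 * 1024, 0o600, (2011, 8, 23))
        make(os.path.join(root, "index.php"), 2 * 1024, 0o644, (2011, 10, 25))
        make(os.path.join(root, "big.php"), 20 * 1024, 0o644, (2011, 10, 25))
        return {os.path.basename(p): r for p, r in sweep(root, date(2011, 8, 22))}

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, reasons)
```

On a real site, call `sweep()` with the web root and the date seen on the suspicious files, and compare each hit against a clean copy of the release before deleting anything.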