betagirl

asked on

urgent - osCommerce suddenly throwing errors - not sure if hacked

Hello - I have started receiving a variety of random errors (they seem random to me) that are intermittent - do not always occur - and often clear upon one or more page refreshes. I've listed some below:

########### ERRORS ##########################
Warning: Unexpected character in input: ' in /usr/local/apache/htdocs/catalog/includes/functions/general.php on line 54

Warning: Cannot modify header information - headers already sent by (output started at /usr/local/apache/htdocs/catalog/includes/functions/general.php:54) in
/usr/local/apache/htdocs/catalog/includes/functions/general.php on line 1326

Fatal error: Unknown function: àéG@ÂF() in /usr/local/apache/htdocs/catalog/includes/languages/english.php on line 191

Warning: Cannot modify header information - headers already sent by (output started at /usr/local/apache/htdocs/catalog/includes/functions/general.php:54) in /usr/local/apache/htdocs/catalog/includes/functions/general.php on line 1326

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /usr/local/apache/htdocs/catalog/includes/functions/general.php:54) in /usr/local/apache/htdocs/catalog/includes/functions/sessions.php on line 128

Warning: main(pub/): failed to open stream: No such file or directory in /usr/local/apache/htdocs/catalog/admin/includes/application_top.php on line 44

Fatal error: main(): Failed opening required 'pub/' (include_path='.:/usr/local/lib/php') in /usr/local/apache/htdocs/catalog/admin/includes/application_top.php on line 44

Fatal error: main(): Failed opening required 'tep_db_nufilenames.php' (include_path='.:/usr/local/lib/php') in /usr/local/apache/htdocs/catalog/includes/application_top.php on line 57

Warning: main(type): failed to open stream: No such file or directory in /usr/local/apache/htdocs/catalog/includes/application_top.php on line 57

Fatal error: main(): Failed opening required 'type' (include_path='.:/usr/local/lib/php') in /usr/local/apache/htdocs/catalog/includes/application_top.php on line 57

Fatal error: main(): Failed opening required 'messageStfilenames.php' (include_path='.:/usr/local/lib/php') in /usr/local/apache/htdocs/catalog/includes/application_top.php on line 57
########################

Here are the "offending" lines of code in the pages mentioned in the errors - all seems OK to me and no changes had been made to these files, prior to receiving the errors:

includes/functions/general.php on line 54:
if ($protected == true) {

includes/functions/general.php on line 1326:
setcookie($name, $value, $expire, $path, (tep_not_null($domain) ? $domain : ''), $secure);

includes/functions/sessions.php on line 128:
return session_start();


includes/application_top.php on line 44:
//$request_type = (getenv('SERVER_PORT') == '443') ? 'SSL' : 'NONSSL';

/includes/application_top.php on line 57:
require(DIR_WS_INCLUDES . 'filenames.php');

-------------------------

I'm really quite baffled and not sure of where to look - particularly at the errors like this one:
Fatal error: main(): Failed opening required 'messageStfilenames.php' (include_path='.:/usr/local/lib/php') in /usr/local/apache/htdocs/catalog/includes/application_top.php on line 57

It seems some random string is getting prepended to the require('filenames.php') and I have no idea how.

Thanks in advance for any assistance!
TeRReF (Netherlands)

You probably have register_globals set to on in your php.ini and do not initialize your vars properly. Which means that script kiddies can assign values to certain vars by passing them via GET or POST.

You should either turn register_globals off, or initialize your vars properly. Be aware, turning register_globals off might stop the application from working at all (some rewriting will be necessary...).

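The mechanism TeRReF describes, as an added illustration that is not code from this thread or from osCommerce: with register_globals on, PHP turns every GET/POST/cookie key into a global variable before the script starts, so a variable the script reads without first assigning it can be pre-set by the client. The request array, the `$protected` flag and the function names below are constructed for the demo; it assumes a PHP CLI (5.4 or later syntax).

```php
<?php
// Added example (not osCommerce code). Shows why an uninitialised variable
// is dangerous under register_globals=On, and the two standard fixes:
// assign every variable before use, and read request data only through
// $_GET/$_POST against a whitelist.

// Emulates what register_globals=On does at startup. Illustration only;
// never do this in real code.
function emulate_register_globals(array $request)
{
    foreach ($request as $key => $value) {
        $GLOBALS[$key] = $value;
    }
}

// Vulnerable shape: $protected is consulted but never assigned here, so its
// value is whatever the request supplied (or NULL if nothing did).
function is_protected_unsafe()
{
    global $protected;
    return isset($protected) && $protected == true;
}

// Hardened shape: the flag is always assigned from trusted state (config,
// session, database) before it is read, so the request cannot pre-set it.
function is_protected_safe($config_protected)
{
    $protected = (bool) $config_protected;   // initialised unconditionally
    return $protected;
}

// Hardened shape for request-driven values: read the superglobal explicitly
// and accept only known values, falling back to a safe default.
function requested_page_safe(array $get, array $allowed)
{
    $page = isset($get['page']) ? (string) $get['page'] : 'index';
    return in_array($page, $allowed, true) ? $page : 'index';
}

// --- demonstration with a constructed request; no real site involved ---
$constructed_request = array('protected' => '1');   // i.e. ?protected=1
emulate_register_globals($constructed_request);

var_dump(is_protected_unsafe());      // the request decided the branch
var_dump(is_protected_safe(false));   // the configuration decided the branch
var_dump(requested_page_safe(array('page' => 'shopping_cart'),
                             array('index', 'shopping_cart')));
var_dump(requested_page_safe(array('page' => 'not_a_real_page'),
                             array('index', 'shopping_cart')));

// Check the live setting. On PHP 5.3 and earlier ini_get() returns "1" when
// register_globals is on; the directive was removed in PHP 5.4, where
// ini_get() returns false because it no longer exists.
var_dump(ini_get('register_globals'));
```

Run with `php register_globals_demo.php`. The first `var_dump` is the point of the exercise: the unsafe function returns true purely because the request carried `protected=1`, while the safe version ignores the request entirely. Auditing an application for this means finding every variable that is read before it is assigned on some code path (grep for `global` declarations and for variables first used inside `if` conditions is a practical start), not just the ones named in the error messages.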
betagirl (ASKER)

That's the problem - register_globals needs to be on for this app to work and there is a considerable amount of code in this open source software, so I'm unsure of where to specifically begin in shoring up the initialization of vars.  I'm hoping someone with considerable experience with osCommerce might have experienced something similar and have a fix.  

Thanks so much for your help!
You're welcome, hope you're able to resolve this problem soon...
TeRReF - a follow up question - you wrote:

"Which means that script kiddies can assign values to certain vars by passing them via GET or POST."

I'm trying to imagine how this is being accomplished - specifically so that it is completely random. I've been testing the site all day long and there is no consistent pattern to the errors - no specific actions that bring them on. Often I can cruise through the store and after 20 clicks or more, still no error. Close the browser, start again, and then an error pops after just a click or two. Is there possibly a rogue script that has been placed on the server? Any ideas as to how I could locate it? I just took a look through all the files in the directory for the store (including admin) to look for new/changed files based on timestamp - but I'm not finding anything out of order.

I appreciate any further assistance with this. I'm not finding anything online that is helpful, which kind of surprises me given the number of osCommerce installations out there. I'm not sure what I'm missing but I'd really like to get this sorted out for my client.
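On the question of locating a changed file: a timestamp review can miss a modified file, because whoever edits a file can restore its original mtime. The check a practitioner would want is a content-hash comparison of the live web root against a pristine copy of the same osCommerce release. The script below is an added example, not from this thread or from the osCommerce project; the two directory paths are placeholders taken from the error messages and it assumes PHP 5.4 or later on the command line.

```php
<?php
// Added example (not osCommerce code). Hashes every file under two trees and
// reports what was added, removed or changed in the live tree relative to the
// pristine baseline. Content hashes are used instead of mtimes so that a
// modified file with a preserved timestamp is still caught.
//
// Usage:
//   php integrity_check.php /path/to/pristine-oscommerce /usr/local/apache/htdocs/catalog
// Exit status is 0 when nothing was added or changed, 1 otherwise.

function hash_tree($root)
{
    $real = realpath($root);
    if ($real === false || !is_dir($real)) {
        throw new InvalidArgumentException("not a directory: $root");
    }
    $real = rtrim($real, '/');
    $hashes = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($real, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        // Key by path relative to the root so the two trees line up.
        $rel = substr($file->getPathname(), strlen($real) + 1);
        $hashes[$rel] = hash_file('sha256', $file->getPathname());
    }
    return $hashes;
}

function compare_trees(array $baseline, array $live)
{
    $report = array('added' => array(), 'removed' => array(), 'changed' => array());
    foreach ($live as $path => $hash) {
        if (!isset($baseline[$path])) {
            $report['added'][] = $path;          // file not in the pristine release
        } elseif ($baseline[$path] !== $hash) {
            $report['changed'][] = $path;        // same name, different content
        }
    }
    foreach ($baseline as $path => $hash) {
        if (!isset($live[$path])) {
            $report['removed'][] = $path;
        }
    }
    foreach ($report as &$list) {
        sort($list);
    }
    unset($list);
    return $report;
}

if (PHP_SAPI === 'cli' && $argc === 3) {
    $report = compare_trees(hash_tree($argv[1]), hash_tree($argv[2]));
    foreach ($report as $kind => $paths) {
        foreach ($paths as $path) {
            echo strtoupper($kind), "\t", $path, PHP_EOL;
        }
    }
    exit((count($report['added']) === 0 && count($report['changed']) === 0) ? 0 : 1);
}
```

Expect legitimate differences: `includes/configure.php`, `admin/includes/configure.php`, product images and any contributions installed on purpose will show as CHANGED or ADDED. What deserves attention is any `.php` file under `includes/` or `admin/` that you did not knowingly edit, and any ADDED `.php` file in a directory that should hold only images or uploads. A clean report only covers this web root; it says nothing about the PHP interpreter, the server configuration or other sites on the same host.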
ASKER CERTIFIED SOLUTION
TeRReF (Netherlands)