[development] Fully patched site hacked and cloaked

Jeff Greenberg jeff at ayendesigns.com
Wed Jan 27 18:57:12 UTC 2010

On 1/27/2010 12:43 PM, Matt Chapman wrote:
> Also FTR, I've seen a similar (but not quite identical) sort of attack
> on a xcart installation on another host.
I've seen the osc / xcart attack. They created a subdirectory in the 
image directory... /yahoo ... and put an index.php file in it. The file 
checked the query string for a value. If it wasn't there, it would 
simply display an osc heading. If the value was there, it grabbed a 
base64 value from the query string, decoded it, and called eval against it.

More information about the development mailing list