Is this a backdoor?


peakr8

Hi.

We have a bit of a problem.

We have a penny auction PHP script that we have been having a few problems with. This script was originally a free script that was given to us, and we have been having some problems with data being erroneously deleted from the database. The problem is that the 'autobidder' data has been getting erased and thus auctions ending.

The strange thing is, we have had a lot of coders look at the autobidder function script and not a single one can find the problem.

The strangest thing of all is the fact that we have sold this script (we are designers) to about 15 clients, giving each one a new design. Now, everything went very well with all clients, then auctions began closing all of a sudden, and all our clients developed the same problem at the exact same time.

We originally thought that this may have been a result of a server module upgrade, perhaps, that conflicted with the way the script was set up. So we did many things such as write cronjobs etc. ... everything to try to keep everything running.

But as we tested and got positive results, a few weeks later, the whole thing started happening again, but this time, all autobidder data was being deleted as well.

We are now starting to think 'BACKDOOR' attacks...

There was a very dubious Thai programming company who had the script before us, and they seem to be selling the 'fix' for a laughable amount of money; we are talking 3x the amount we sell it for, and that is with 2 weeks of design work on it.

I am now suspicious that this company has doctored the script so they can either access it, or run a file or files to delete the data or whatever. I am a designer and not a coder.

However, I managed to find some very suspicious code in two files that seems to connect to the database, also seems to ask for admin login and also includes config. It also has some command that includes the words 'Rankarthai_member', with rankarthai being the actual dubious company that is supplying the 'fix'.

This code is in a structure that I find suspicious as it is

admin_office/fckeditor/editor/filemanager/browser/default/del_picture.php

and

admin_office/fckeditor/editor/user/m_webboard.php

I am attaching both files so people can have a look at that code.

I will be happy to pay someone if they can help us search and destroy the problem.

There is no doubt in my mind that rankarthai have distributed this script for free knowing that they can make a lot of money selling a repair to a problem they have created. Problem is, it has caused a lot of chaos and lost money and credibility for not only us, but other people, not to mention our clients.

By the way... there isn't even a web board in the script.

Thanks for coming to look.

[attachment deleted by admin]


There's a lot of SQL injection in there, in both files. Besides that, Del_Picture.php can delete virtually any file on the server by setting ?Del= appropriately. There are also XSS vulnerabilities in m_webboard.php with $User and $SearchBoard.

 

I don't see any explicit backdoors, but having the source code makes it so much easier to attack the scripts.

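A defensive rewrite of the file-deletion endpoint requinix describes, added here as an illustration; it is not code from the script or from anyone in the thread. The ?Del= value is confined to one pictures directory, the database row is removed with a bound parameter, and the action requires an admin session. The directory, the `pictures` table, the session keys and the PDO DSN are assumptions.

```php
<?php
// Added example, not code from the script in the thread. Assumptions: pictures
// live in PICTURE_DIR, their names are in a `pictures` table, and the admin
// login sets $_SESSION['is_admin'] and $_SESSION['csrf_token'].
const PICTURE_DIR = __DIR__ . '/pictures';   // assumed upload directory

// Resolve the requested name to an absolute path inside $pictureDir, or return
// null. The raw ?Del= value must never reach unlink() the way the original did.
function resolvePictureForDeletion(string $requested, string $pictureDir): ?string
{
    // Plain file names only: basename() alters anything containing "/" or "../",
    // so such a value no longer equals itself and is rejected.
    if ($requested === '' || basename($requested) !== $requested
        || strpbrk($requested, "\0\\") !== false) {
        return null;
    }
    // Allow only image extensions, so config or script files cannot be named.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        return null;
    }
    // realpath() follows symlinks, so a link pointing outside the directory
    // fails the prefix check even though its name looked harmless.
    $base = realpath($pictureDir);
    $full = realpath($pictureDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false || !is_file($full)
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Remove the database row with a bound parameter instead of string-built SQL.
function deletePictureRecord(PDO $db, string $name): int
{
    $stmt = $db->prepare('DELETE FROM pictures WHERE filename = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->rowCount();
}

// Only an authenticated admin, only via POST with a session-bound CSRF token.
session_start();
if (empty($_SESSION['is_admin']) || $_SERVER['REQUEST_METHOD'] !== 'POST'
    || !hash_equals($_SESSION['csrf_token'] ?? '', (string)($_POST['csrf_token'] ?? ''))) {
    http_response_code(403); exit('Forbidden');
}
$target = resolvePictureForDeletion((string)($_POST['Del'] ?? ''), PICTURE_DIR);
if ($target === null) {
    http_response_code(400); exit('Invalid picture name');
}
$db = new PDO('mysql:host=localhost;dbname=DB_PLACEHOLDER', 'USER', 'PASS'); // placeholder
deletePictureRecord($db, basename($target));
unlink($target);
```

Even with the path confined, a deletion endpoint left world-reachable under an editor's filemanager directory is worth auditing in access logs, since a single unauthenticated request is all the original needed.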

I didn't look at the code (mostly because I trust reqinix) but I found this odd:

This script was originally a free script that was given to us

[...]

we have sold this script (We are designers) to about 15 clients

It's possible that it's illegal for you to sell this script and the authors are striking back at you. Possible, but not very likely. Given what requinix said, they don't have the skills to attack you, but it's still a thought. Was the script "free" in that it came with absolutely no copyright or licensing restrictions?

The script has no copyright at all. It was totally free and was given to us by someone who said they got it from rankathai (the supposed developer). Strange that the file shows rankarthai (notice the extra 'r'), so it probably couldn't be found using PowerGREP or something.
