PHP, x-cart, potential security breach

Salazarr

New Member
The host of a server I work on just today turned off the site after x-cart was installed because the following commands were issued on the server and they think it's a security breach:
  • ls -la 2>&1
  • id 2>&1;whoami 2>&1;
  • id 2>&1
  • mkdir 123
  • pwd 2>&1
  • echo 1
The server is running Linux (of some kind, not sure what..) and there is no SSH access. I'm not 100% sure it's x-cart that's issued these commands, although looking through the setup script I can see there are a few commands that may explain a few of these in xcheck.php:

\[code\]
@exec( "echo 1", $o, $e);
@exec( $this->test." 2>&1", $this->data, $code);
\[/code\]

However, I grepped the entire source of the shop dir (and a couple of other x-cart files) for 'whoami' and 'id', and could not find anything.

The host (and the person I'm working for) need to be fairly sure it's not been compromised.

I traced the code back as far as I could, but couldn't find anything really that implies running whoami and id.

I'm 80% sure it's just x-cart, but can anyone please confirm or at least bolster my suspicions?

Note: I did not install x-cart on the server, someone else working on the site did (there are three people (loosely) involved.)

Cheers!
John.
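
A grep for 'whoami' or 'id' can come back empty even when the application did run them, because in a call like the second exec() quoted above the command string only exists at runtime. The following is an added example, not part of the original post or of x-cart: it lists shell-execution call sites in PHP source and marks which ones take a variable command and therefore need tracing. The sample PHP is constructed around the two quoted lines, and the function name is hypothetical.

```python
import re

# PHP functions that pass a string to the system shell.
SINKS = ("exec", "shell_exec", "system", "passthru", "popen", "proc_open")

# Match a bare call such as exec(...) or @exec(...), but not curl_exec(...),
# $obj->exec(...) or Class::exec(...). Group 2 is the first argument, read up
# to the first comma or semicolon (a simplification: commas inside a quoted
# command string will cut the argument short).
CALL = re.compile(
    r"(?<![\w>$:])@?(" + "|".join(SINKS) + r")\s*\(\s*([^,;]*)", re.I
)

def find_shell_calls(php_source):
    """Return (line_no, function, first_argument, kind) per shell call.

    kind is 'literal' when the command is a fixed string and 'dynamic' when
    it contains a PHP variable, i.e. the real command is not in the source.
    A '$' inside a single-quoted string is also reported as dynamic.
    """
    hits = []
    for line_no, line in enumerate(php_source.splitlines(), 1):
        for m in CALL.finditer(line):
            arg = m.group(2).strip().rstrip(")").strip()
            kind = "dynamic" if "$" in arg else "literal"
            hits.append((line_no, m.group(1).lower(), arg, kind))
    return hits

# Constructed sample; lines 3 and 4 are the calls quoted in the post.
SAMPLE_PHP = r'''<?php
// constructed sample for the scanner
@exec( "echo 1", $o, $e);
@exec( $this->test." 2>&1", $this->data, $code);
$r = curl_exec($ch);          // HTTP client, not a shell call
$db->exec("DELETE FROM t");   // database method, not a shell call
'''

if __name__ == "__main__":
    for line_no, func, arg, kind in find_shell_calls(SAMPLE_PHP):
        print(f"line {line_no}: {func}({arg}) [{kind}]")
```

Each 'dynamic' hit is a place to trace where the variable is assigned; a literal grep over the tree cannot show what it held when the logged commands ran.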
 