Hi. We have a bit of a problem. We have a penny auction PHP script that we have been having a few problems with. This script was originally a free script that was given to us, and we have been having some problems with data being erroneously deleted from the database. The problem is that the 'autobidder' data has been getting erased and thus auctions ending. The strange thing is, we have had a lot of coders look at the autobidder function script and not a single one can find the problem.

The strangest thing of all is the fact that we have sold this script (we are designers) to about 15 clients, giving each one a new design. Now, everything went very well with all clients, then auctions began closing all of a sudden, and all our clients developed the same problem at the exact same time. We originally thought that this may have been a result of a server module upgrade, perhaps, that conflicted with the way the script was set up. So we did many things, such as writing cronjobs etc., everything to try to keep everything running. But as we tested and got positive results, a few weeks later the whole thing started happening again, but this time all autobidder data was being deleted as well.

We are now starting to think 'BACKDOOR' attacks. There was a very dubious Thai programming company who had the script before us, and they seem to be selling the 'fix' for a laughable amount of money; we are talking 3 X the amount we sell it for, and that is with a 2 week design work on it. I am now suspicious that this company has doctored the script so they can either access it, or run a file or files to delete the data or whatever.

I am a designer and not a coder. However, I managed to find some very suspicious code in two files that seems to connect to the database, also seems to ask for admin login and also includes config. It also has some command that includes the words 'Rankarthai_member', with rankarthai being the actual dubious company that is supplying the 'fix'.
This code is in a structure that I find suspicious, as it is admin_office/fckeditor/editor/filemanager/browser/default/del_picture.php and admin_office/fckeditor/editor/user/m_webboard.php. I am attaching both files, so people can have a look at that code. I will be happy to pay someone if they can help us search and destroy the problem.

There is no doubt in my mind that rankarthai have distributed this script for free knowing that they can make a lot of money selling a repair to a problem they have created. Problem is, it has caused a lot of chaos and lost money and credibility for not only us, but other people, not to mention our clients.

View attachment Del_Picture.php
View attachment m_webboard.php

Thanks to all for coming to look. If anyone needs a bit of access, please PM me.
Line 21 in Del_picture.php: The exit() is escaped. Normally it would stop the request when the submitted values are wrong, but now it doesn't. Although it doesn't look like that would have any effect.

Also, a lot is done by usage of plain cookies, and not by usage of a session cookie. I don't think it would be too hard to hack into this, especially if you'd have the source code.
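
A triage pass over an offline copy of the script for the three things raised in this thread (a disabled exit()/die() after a check, read here as commented out; state taken from plain cookies with no session; files under the fckeditor directory that include config or touch the database), as an added example that is not part of either post or of the attached files. The regexes, the rule names and the sample PHP are assumptions constructed for illustration.

```python
import os
import re

# Heuristics drawn from the thread; the regexes are this example's assumptions.
DISABLED_EXIT = re.compile(r"(//|#|/\*)\s*(exit|die)\b")
COOKIE_READ = re.compile(r"\$_COOKIE\s*\[")
SESSION_USE = re.compile(r"\$_SESSION\b|\bsession_start\s*\(")
DB_OR_CONFIG = re.compile(
    r"\b(mysqli?_connect|mysqli?_query|new\s+PDO)\b"
    r"|\b(include|require)(_once)?\b[^;\n]*config", re.I)

def audit_source(path, source):
    """Return (line_no, rule, text) findings for one PHP file's contents."""
    findings = []
    # A bundled rich-text editor has no reason to load app config or query the DB.
    in_editor_dir = "fckeditor" in path.replace("\\", "/").lower()
    for no, line in enumerate(source.splitlines(), 1):
        if DISABLED_EXIT.search(line):
            findings.append((no, "disabled-exit", line.strip()))
        if in_editor_dir and DB_OR_CONFIG.search(line):
            findings.append((no, "editor-dir-db-or-config", line.strip()))
    # File-level rule: decisions based on client-supplied cookies only.
    if COOKIE_READ.search(source) and not SESSION_USE.search(source):
        findings.append((0, "cookie-only-state", "reads $_COOKIE, never uses a session"))
    return findings

def audit_tree(root):
    """Walk a checkout of the script and audit every .php file."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                full = os.path.join(folder, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    hits = audit_source(full, fh.read())
                if hits:
                    report[full] = hits
    return report

# Constructed sample, NOT the attached file: a guard whose exit() is commented out.
SAMPLE_PATH = "admin_office/fckeditor/editor/filemanager/browser/default/example.php"
SAMPLE = """<?php
include("../../../../../config.php");
if ($_COOKIE["admin_login"] != "yes") {
    echo "Access denied";
    // exit();
}
mysql_query("DELETE FROM picture WHERE id=1");
"""
```

Call `audit_tree()` on a copy of the script and review each hit by hand; a hit marks a file worth reading, not proof of a backdoor.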