In our Apache error log (/usr/local/apache/logs/error_log) for one of our servers, we are seeing a shell command running quite often which is throwing an error. It looks like this:
sh: list_price: command not found
list_price is a field we use in an ecommerce system on over 50 sites and certainly nothing suspicious. The issue is that we have no idea how this is being passed to the shell - we have checked all occurrences of exec() and system() and we just cannot see how this would be getting passed through. Is there any way we can detect more easily what the source of this could be, as there is nothing more meaningful being output than what I put above? FYI, this is on a server running CentOS 5 and the sites in question are all PHP.
Backticks ( ` ) have a special meaning in PHP. They are the Execution Operators (sounds grim, doesn't it?). When used outside a string as a text delimiter, they execute the command between them. For the following example:
To stop the behaviour, you simply need to put it between single quotes ( ' ) or quotes ( " ):
Now, you probably did something as such: (Lazy code below, not safe against SQL injection, but is just an example).
But forgot to put quotes around it, leading to 2 things:
Search your code base for any reference of list_price and make sure it is between single quotes or quotes.
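One way to carry out that search without false hits from backticks inside SQL strings, as an added example that is not part of the original answer: it uses PHP's tokenizer (`token_get_all()`) to report only backticks that PHP treats as the execution operator. The function name `find_shell_exec_operators` and the sample source are constructed for illustration.

```php
<?php
// Added example (needs a PHP 7+ CLI): list every shell execution operator
// (backtick pair) that PHP would actually run. Usage: php scan.php file1.php ...

/**
 * Return [line, command text] for each backtick expression in $source.
 * token_get_all() emits a real execution-operator backtick as the bare
 * one-character token "`"; backticks inside quoted strings, comments or
 * inline HTML are part of a larger token and are therefore not reported.
 */
function find_shell_exec_operators(string $source): array
{
    $hits = [];
    $line = 1;
    $open = null;                       // [start line, text] while inside `...`
    foreach (token_get_all($source) as $tok) {
        $text = is_array($tok) ? $tok[1] : $tok;
        if (is_array($tok)) {
            $line = $tok[2];            // array tokens carry their start line
        }
        if ($tok === '`') {
            if ($open === null) {
                $open = [$line, ''];    // opening backtick
            } else {
                $hits[] = $open;        // closing backtick: record the command
                $open = null;
            }
        } elseif ($open !== null) {
            $open[1] .= $text;          // text between the backticks
        }
        $line += substr_count($text, "\n");
    }
    return $hits;
}

// Constructed sample: line 2 runs `list_price` through sh, line 3 does not.
$sample = <<<'SAMPLE'
<?php
$price = $row[`list_price`];
$sql   = "SELECT `list_price` FROM products";
SAMPLE;

$files = array_slice($argv ?? [], 1);
$inputs = $files ? array_combine($files, array_map('file_get_contents', $files))
                 : ['(constructed sample)' => $sample];
foreach ($inputs as $name => $source) {
    foreach (find_shell_exec_operators($source) as [$ln, $cmd]) {
        echo "$name:$ln: shell execution operator runs: $cmd\n";
    }
}
```

Run without arguments, it scans the constructed sample; given file paths, it scans those files instead.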
Are you using backticks around list_price, without quoting them? This could be your problem.
You must be overlooking something, no offense meant. Maybe you can try creating the list_price shell script so it can write some logfile as to how and when it was executed?