Question: OSCommerce sites compromised

Hi all,

    I have three OSCommerce sites running on a reseller UNIX account.

    I discovered that there were strange PHP files on all three installations. I have deleted the files, and kept one locally to poke around in.

    This seems to be quite common and is caused by having 777 permissions on the folders that need to have images etc uploaded to them. I have changed them to 755 for the time being, but now OSCommerce can't write to these folders, so customers can't add product photos.

    This page says the following:

Set the permissions on ALL folders to 755. If your host has PHP installed as CGI through suExec (the proper method), then your site will run fine this way. If they have PHP installed as a module, you will get a warning from oscommerce saying that it is unable to write to the images folder. Setting permissions back to 777 will make the message go away but it will leave you open to an attack.

Does this make sense? Is reseller hosting with this configuration generally available?

    My host has told me that customers should use cpanel or FTP to upload product images, which I've told them is not an option. Waiting for their reply.

Thanks in advance,


    Jul 2009
Give permissions of 775 if PHP is installed as DSO.

    It is safe and will make applications run without any issues.

    Apr 2002
    Using 775 won't help unless the directory has a group ownership of the nobody (or whatever username Apache is running under) user. If the group of the directory is changed to nobody and the permissions are set to 775, then you still really haven't gained anything. If PHP is running as the nobody user on your account, then it is running as the nobody user for every other account on that server.

    Best bet is to run PHP through a suexec wrapper, like suphp. This has to be done by your webhost because it has to apply to all of the accounts on the server. Then permissions of 755 on your images directory will work.

    However, do note that if suphp is used, this does not by itself prevent these files from appearing on your account. If YOUR website has an old and outdated script that is vulnerable to attack then your files and directories being owned by your username and set to 755 will still allow someone to hijack your files through YOUR account. All suphp does is prevent someone from another account on the hosting server accessing your account and placing files in open directories. With suphp you are still responsible, maybe even more so, for keeping your scripts up-to-date.
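The replies above boil down to three things to look for in an images/upload tree: directories anyone on the server can write to (the 777 case), directories that are writable only through a group shared with the web-server account (the 775 case, which under mod_php is shared by every site on the box), and PHP source files sitting where only product images belong (the symptom the question opened with). The script below is an added example, not code from this thread or from the OSCommerce project; it assumes a POSIX shell with `find` and `ls`, and the directory path you pass is your own catalog's images folder. It reports the findings and exits non-zero when anything turns up, so it can run from cron after the move to suPHP to confirm that 755 directories owned by your account are what is actually on disk.

```shell
#!/bin/sh
# Added example (not from the thread or OSCommerce): audit an upload tree for
# the three conditions discussed in the replies. Assumes POSIX sh, find, ls.

world_writable_entries() {
    # Directories and files under $1 that any local account can write to
    # (the "777" case from the question).
    find "$1" \( -type d -o -type f \) -perm -002
}

group_writable_dirs() {
    # Directories under $1 that are group-writable but not world-writable,
    # printed with owner and group so you can see whether the group is the
    # shared web-server account (the "775 + group nobody" case).
    find "$1" -type d -perm -020 ! -perm -002 -exec ls -ld {} \;
}

php_files_in() {
    # PHP source files under $1. A product-image tree has no reason to
    # contain any; their presence was the symptom in the question.
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[3-7]' \)
}

audit_upload_dir() {
    # Usage: audit_upload_dir /path/to/catalog/images
    # Prints findings; returns 1 if anything was found, 0 if the tree is clean.
    dir="$1"
    rc=0
    ww=$(world_writable_entries "$dir")
    if [ -n "$ww" ]; then
        echo "WORLD-WRITABLE (777-style) ENTRIES under $dir:"
        echo "$ww"
        rc=1
    fi
    gw=$(group_writable_dirs "$dir")
    if [ -n "$gw" ]; then
        echo "GROUP-WRITABLE DIRECTORIES under $dir (check the group column):"
        echo "$gw"
        rc=1
    fi
    php=$(php_files_in "$dir")
    if [ -n "$php" ]; then
        echo "PHP FILES INSIDE UPLOAD TREE $dir:"
        echo "$php"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir has no world-writable entries, no group-writable dirs and no PHP files"
    fi
    return "$rc"
}

# Stand-alone use (path is a placeholder for your own account):
# audit_upload_dir /home/youruser/public_html/catalog/images
```

A 777 directory is deliberately listed only once, under the world-writable heading, even though it is also group-writable. The group-writable listing uses `ls -ld` rather than a bare path so the owner and group are visible: after the host switches to suPHP the expected state is every directory owned by your own account at 755, and any entry whose group is the web-server account is a leftover from the mod_php days. The PHP-file check is what the thread's third reply warns about: suPHP confines writes to your account, so a vulnerable script of your own can still drop files into a 755 directory you own, and this check is how you notice that it has.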

    Mar 2009
    Thank you folks.

    My host has moved the accounts to SUPHP, so that should be sorted out now.

    I will now double check the scripts themselves.

    Thanks again.

