hacked i would guess


This topic has been archived. This means that you cannot reply to this topic.
20 replies to this topic

#1   JDREMM

JDREMM
  • Members
  • 6 posts

Posted 22 September 2010 - 14:45

Right. I am a total noob... this starts the convo off pretty well, I know... I made this site... well, actually this is the first thing I have ever done web-wise. We had a really crap website (yes, crapper than this one), so I followed the instructions, having never done anything like this before. I normally just surf YouTube, that's about it...

Anyways, on to the reason for my problem... when you try and go to my store now (it was fine for about a month) it freaks out and says there is malicious software on it or something like that...

I know this problem has been addressed; it would be easier if someone would put it in terms like the install procedures so I could fix it. Or can someone PM me who would be interested in fixing this for me... :S

I know I will get a lil abuse for being such a noob, but I thought I would ask anyways.

cheers

John

#2   DunWeb

DunWeb

    The Censored One

  • Members
  • 13,084 posts

Posted 22 September 2010 - 16:23

John,

You will need to clean out the malicious code and files and then use Webmaster Tools to submit the clean site to Google for re-evaluation.

Look for any files that are NOT part of the standard osCommerce download and remove them. Then, check each osCommerce file for scripts and code that redirect your traffic off the site.



Chris
:|: Was this post helpful ? Click the LIKE THIS button :|:

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)

#3   JDREMM

JDREMM
  • Members
  • 6 posts

Posted 23 September 2010 - 08:18

OK thanks :D, will try and give that a go...

I just realised that I didn't actually post the site if anyone wanted to look at the code...

store.khouse.org.uk/

It's a small Christian book store; any light shed would be awesome.

Thanks guys

Edited by Jan Zonjee, 03 October 2010 - 07:28.


#4   germ

germ
  • Members
  • 13,921 posts

Posted 23 September 2010 - 10:48

Hack files in the root folder:

gogle_analist_3d6fa6465727d.php
goog1e1e9163b3ca51bb.php
goog1e40b95b3736ac6e.php
goog1e663023271039ca.php
goog1e72c0c885c9b967.php
goog1e_analist_3d6fa6465727d.php
goog1e_analist_698dbc436d8728.php
google_analist_3d6fa6465727d.php
google_analist_d8ed379f4d946043ceb12458dfc393ac.php

There are probably similarly named hack files in the images folder.

You're suffering from the "admin vulnerability" hack.

Rename it and secure it with a .htaccess file.
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."
- Me -

"Headers already sent" - The definitive help

"Cannot redeclare ..." - How to find/fix it

SSL Implementation Help

Like this post? "Like" it again over there >
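The two pieces of advice above (Chris: remove anything that is not part of the standard osCommerce download; germ: look for the goog1e/google_analist-style files in the root and images folders, and rename and protect the admin folder) can be turned into a repeatable check. This is an added example, not code from the thread or from osCommerce; the known-good file list, the constructed directory tree and the planted file name `images/upload.php` are assumptions for the demo.

```python
import os
import re
import tempfile

# Name patterns taken from the hack files listed in this thread: "google" with a
# dropped letter or a digit 1 for l, an optional "_analist", then a hex tail.
HACK_NAME = re.compile(r"^(gogle|goog1e|google)(_analist)?_?[0-9a-f]{12,}(\.php)?$")

def scan_webroot(root, known_good):
    """Return sorted (reason, relative path) findings for a web root.
    known_good is the set of relative paths in a clean osCommerce download."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if name == ".htaccess":          # site-specific, never in the download
                continue
            if HACK_NAME.match(name):
                findings.append(("hack-name-pattern", rel))
            elif rel.startswith("images/") and name.lower().endswith((".php", ".phtml")):
                findings.append(("php-in-images", rel))  # images/ should hold no scripts
            elif rel not in known_good:
                findings.append(("not-in-clean-download", rel))
    # The "admin vulnerability" hack hits the admin folder under its default name;
    # the advice in the thread is to rename it and protect it with .htaccess.
    admin = os.path.join(root, "admin")
    if os.path.isdir(admin):
        findings.append(("default-admin-dir", "admin"))
        if not os.path.isfile(os.path.join(admin, ".htaccess")):
            findings.append(("admin-without-htaccess", "admin/.htaccess"))
    return sorted(findings)

def demo():
    """Constructed tree (not a real site): a few stock files plus planted files."""
    root = tempfile.mkdtemp()
    clean = {"index.php", "includes/configure.php", "images/logo.gif", "admin/index.php"}
    planted = ["goog1e1e9163b3ca51bb.php",                    # name from the thread
               "images/google_analist_3d6fa6465727d.php",    # name from the thread
               "images/upload.php"]                           # constructed, shell-like
    for rel in sorted(clean | set(planted)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return scan_webroot(root, clean)

if __name__ == "__main__":
    for reason, path in demo():
        print(f"{reason:24} {path}")
```

On a real site, build `known_good` by listing the files of a freshly unpacked osCommerce archive of the same version, then review every "not-in-clean-download" hit by hand rather than deleting blindly.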

#5   DunWeb

DunWeb

    The Censored One

  • Members
  • 13,084 posts

Posted 03 October 2010 - 04:49

John,

I can see your site is now on the 'Attack Site' List. You need to clean it and then re-submit it for indexing so you are removed from that list.



Chris

#6   germ

germ
  • Members
  • 13,921 posts

Posted 03 October 2010 - 11:38

There are two new hack files.

One is a command shell that basically lets anyone who accesses it do just about anything they want on the site (add files, delete files, modify files or the DB).
:o

If he ever comes back I hope he sends me a PM and I'll divulge the file names (if he can't find them on his own).

#7   JDREMM

JDREMM
  • Members
  • 6 posts

Posted 05 October 2010 - 09:37

> There are two new hack files.
>
> One is a command shell that basically lets anyone who accesses it do just about anything they want on the site (add files, delete files, modify files or the DB).
> :o
>
> If he ever comes back I hope he sends me a PM and I'll divulge the file names (if he can't find them on his own).



REALLY!!! omg!!! Yeah, I am back! Alas, I am not actually a web guy, I just work for a charity and followed the steps on this site to get us a shop to sell stuff on... yeah, any info PM'd or given would be REALLY awesome! Or email direct to johnandrachel@matsen.co.uk if that's a better idea, I don't know :D

cheers

#8   Motive

Motive
  • Members
  • 6 posts

Posted 07 October 2010 - 01:04

OK, so I got hit also. In my case files were added to the server and my admin panel was open to the world. I have concerns about going back with osCommerce. I am installing it from my hosting company, Netfirms. What do I need to do to lock this down? Also, I don't like having the credit card info stored indefinitely. Can I dump it after processing an order?

I have since deleted all files from the server and have done a fresh install. What's next?

#9   germ

germ
  • Members
  • 13,921 posts

Posted 07 October 2010 - 01:31

If you're storing CC info and you're not PCI Compliant ( <= it's a link, click it to read more) you can be fined hundreds of thousands of dollars.
:o

As far as I know "stock" osC doesn't store CC info - you have to modify it to get it to do that.

To secure your site visit the link below:

How to Secure Your Site

#10   JDREMM

JDREMM
  • Members
  • 6 posts

Posted 08 October 2010 - 10:20

Due to awesome help I think I got this sorted... thanks guys, will report back when I know... one more... how do I resubmit to get the malware notice off my site now that it's fixed :P

#11   FIMBLE

FIMBLE
  • Members
  • 6,608 posts

Posted 08 October 2010 - 10:50

> If you're storing CC info and you're not PCI Compliant ( <= it's a link, click it to read more) you can be fined hundreds of thousands of dollars.
> :o
>
> As far as I know "stock" osC doesn't store CC info - you have to modify it to get it to do that.
>
> To secure your site visit the link below:
>
> How to Secure Your Site



Unfortunately it does.... Orders table `cc_number` is
recorded if someone used the test CC (not for production) module.
It records everything, which is a very dangerous thing to do!!
I hope it is removed in 2.3.
Nic
Sometimes you're the dog and sometimes the lamp post

My Contributions

#12   germ

germ
  • Members
  • 13,921 posts

Posted 08 October 2010 - 13:33

> Unfortunately it does.... Orders table `cc_number` is
> recorded if someone used the test CC (not for production) module.
> It records everything, which is a very dangerous thing to do!!
> I hope it is removed in 2.3.
> Nic

D*mn!
:o

Sometimes the wheels of change turn very slowly....
:-"

#13   Motive

Motive
  • Members
  • 6 posts

Posted 09 October 2010 - 00:13

Yep, and I'm the noob that used it.

#14   Motive

Motive
  • Members
  • 6 posts

Posted 09 October 2010 - 00:17

> Yep, and I'm the noob that used it.


So the version I'm on is osCommerce 2.2-MS2. Is this good, or do I need to update files as I am securing? Also, the hosting company I use has osCMax. Is osCMax more secure, or what?

Edited by Motive, 09 October 2010 - 00:19.


#15   Inesyta

Inesyta
  • Members
  • 14 posts

Posted 20 October 2010 - 17:37

> Hack files in the root folder:
>
> gogle_analist_3d6fa6465727d.php
> goog1e1e9163b3ca51bb.php
> goog1e40b95b3736ac6e.php
> goog1e663023271039ca.php
> goog1e72c0c885c9b967.php
> goog1e_analist_3d6fa6465727d.php
> goog1e_analist_698dbc436d8728.php
> google_analist_3d6fa6465727d.php
> google_analist_d8ed379f4d946043ceb12458dfc393ac.php
>
> There are probably similarly named hack files in the images folder.
>
> You're suffering from the "admin vulnerability" hack.
>
> Rename it and secure it with a .htaccess file.



#16   Inesyta

Inesyta
  • Members
  • 14 posts

Posted 20 October 2010 - 17:53

> Hack files in the root folder:
>
> gogle_analist_3d6fa6465727d.php
> goog1e1e9163b3ca51bb.php
> goog1e40b95b3736ac6e.php
> goog1e663023271039ca.php
> goog1e72c0c885c9b967.php
> goog1e_analist_3d6fa6465727d.php
> goog1e_analist_698dbc436d8728.php
> google_analist_3d6fa6465727d.php
> google_analist_d8ed379f4d946043ceb12458dfc393ac.php
>
> There are probably similarly named hack files in the images folder.
>
> You're suffering from the "admin vulnerability" hack.
>
> Rename it and secure it with a .htaccess file.



Hello,
I got very similar files on my website public_html and in the images folder as well:
goog1e_analist_add15da98d3a
goog1e_analist_10adc48720b439
goog1e45361ec6937e93 and many more.
I deleted them, but I am worried that maybe they are left somewhere on my website.
Maybe you could help me to destroy them, because sometimes when I log in to my osCommerce my PC anti-virus shows "blocked trojan", so I think these files are still on my website somewhere.
Please help me.

#17   DunWeb

DunWeb

    The Censored One

  • Members
  • 13,084 posts

Posted 20 October 2010 - 17:58

Inesa,

That particular one is known for adding a back door to your site, which gives them access as long as the backdoor is present. I suggest you look at each file for malicious code and remove all files that are not osCommerce files. And, above ALL else... secure your website by reading the security forums.


Chris

#18   SonshineTN

SonshineTN
  • Members
  • 6 posts

Posted 18 November 2010 - 04:16

> Hack files in the root folder:
>
> gogle_analist_3d6fa6465727d.php
> goog1e1e9163b3ca51bb.php
> goog1e40b95b3736ac6e.php
> goog1e663023271039ca.php
> goog1e72c0c885c9b967.php
> goog1e_analist_3d6fa6465727d.php
> goog1e_analist_698dbc436d8728.php
> google_analist_3d6fa6465727d.php
> google_analist_d8ed379f4d946043ceb12458dfc393ac.php
>
> There are probably similarly named hack files in the images folder.
>
> You're suffering from the "admin vulnerability" hack.
>
> Rename it and secure it with a .htaccess file.


How do I make my .htaccess file secure? I have read about blocking certain countries but I don't know how to do that. Help!? Thanks! Also, if you could tell me which countries should be blocked. I read about Russia but don't know any others.

#19   Wayne Weedon

Wayne Weedon
  • Members
  • 77 posts

Posted 18 November 2010 - 15:38

> How do I make my .htaccess file secure? I have read about blocking certain countries but I don't know how to do that. Help!? Thanks! Also, if you could tell me which countries should be blocked. I read about Russia but don't know any others.


I have this in my .htaccess file

# secure htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
#

As for countries to block, you have to decide where you are intending to do business, i.e. would blocking a whole country affect a significant number of sales?

I have found the countries most likely to host an attack are, in rough order of first to last, Turkey, Ukraine, Russian Federation, China and Pakistan.

None of those countries would I imagine selling to, considering my products' markets.

There are a few more possibly.

#20   SonshineTN

SonshineTN
  • Members
  • 6 posts

Posted 05 December 2010 - 14:46

> I have this in my .htaccess file
>
> # secure htaccess file
> <Files .htaccess>
> order allow,deny
> deny from all
> </Files>
> #
>
> As for countries to block, you have to decide where you are intending to do business, i.e. would blocking a whole country affect a significant number of sales?
>
> I have found the countries most likely to host an attack are, in rough order of first to last, Turkey, Ukraine, Russian Federation, China and Pakistan.
>
> None of those countries would I imagine selling to, considering my products' markets.
>
> There are a few more possibly.



How do I add these countries to the .htaccess for blocking? Thanks!