20 replies to this topic

[JDREMM]

right. i am a total noob... this starts the convo off pretty well i know... i made this site... well actually this is the first thing i have ever done web wise. we had a really crap website. (yes crapper than this one). so i followed the instructions and having never done anything like this before i normally just surf youtube thats about it...

anywyas on to the reason for my problem... when you try and go to my store now (it was fine for about a month) it freeks out and says there is malicious software on it or something liek that...

i know this problem has been addressed it would be easier if someone would put it in terms like the install precedures so i could fix it. or can someone PM me who would be interested to fixing this for me... :S

i knowi will get a lil abuse for being such a noob. but i thought i would ask anyways.

cheers

John

[DunWeb]

John,

You will need to clean out the malicious code and files and then use webmaster tools to submit the clean site to google for re-evaluation.

Look for any files that are NOT part of the standard osCommerce download and remove them.  Then, check each osCommerce file for scripts and code that redirect your traffic off the site.



Chris

[JDREMM]

ok thanks will try and give that a go...

i just realised that i didnt actually post the site if anyone wanted to look at the code...

store.khouse.org.uk/

its a small christian book store any light shed would be awesome.

thanks guys

Edited by Jan Zonjee, 03 October 2010 - 07:28 AM.

[germ]

Hack files in the root folder:

gogle_analist_3d6fa6465727d.php
goog1e1e9163b3ca51bb.php
goog1e40b95b3736ac6e.php
goog1e663023271039ca.php
goog1e72c0c885c9b967.php
goog1e_analist_3d6fa6465727d.php
goog1e_analist_698dbc436d8728.php
google_analist_3d6fa6465727d.php
google_analist_d8ed379f4d946043ceb12458dfc393ac.php

There are probably similarly named hack files in the images folder.

You're suffering from the "admin vulnerablility" hack.

Rename it and secure it with a .htaccess file

[DunWeb]

John,

I can see your site is now on the 'Attack Site' List.  You need to clean it and then re-submit it for indexing so you are removed from that list.



Chris

[germ]

There are two new hack files.

One is a command shell that basically lets anyone who accesses it do just about anything they want on the site (add files, delete files, modify files or the DB).


If he ever comes back I hope he sends me a PM and I'll divulge the file names (if he can't find them on his own).

[JDREMM]

germ, on 03 October 2010 - 11:38 AM, said:

There are two new hack files.

One is a command shell that basically lets anyone who accesses it do just about anything they want on the site (add files, delete files, modify files or the DB).


If he ever comes back I hope he sends me a PM and I'll divulge the file names (if he can't find them on his own).

REALLY!!! omg!!! yeah i am back ! alas i am not actually a web guy i just work for a charity and followed the steps on this site to get us a shop to sell stuff on... yeah any info pm'd or given woudl be REALLY awesome! or email direct to johnandrachel@matsen.co.uk if thats a better idea i dont know

cheers

[Motive]

OK so I got hit also.  In my case files were added to server and my admin panel was open to the world.  I have concerns about going back with osCommerce.  I am installing it from my hosting company, Netfirms.  What do I need to do to lock this down?  Also, I don't like having the credit card info stored indefinitly.  Can I dump it after processing an order?

I have since deleted all files from the server and have done a fresh install.  Whats next?

[germ]

If you're storing CC info and you're not PCI Compliant ( <= it's a link, click it to read more) you can be fined hundreds of thousands of dollars.


As far as I know "stock" osC doesn't store CC info - you have to modify it to get it to do that.

To secure your site visit the link below:

How to Secure Your Site

[JDREMM]

due to awesome help i think i got this sorted... thanks guys will report back when i know... one more... how do i resubmitt to get the mal software notice off my site now that its fixed

[FIMBLE]

germ, on 07 October 2010 - 01:31 AM, said:

If you're storing CC info and you're not PCI Compliant ( <= it's a link, click it to read more) you can be fined hundreds of thousands of dollars.
[img]http://forums.oscommerce.com/public/style_emoticons/default/ohmy.gif[/img]

As far as I know "stock" osC doesn't store CC info - you have to modify it to get it to do that.

To secure your site visit the link below:

How to Secure Your Site

unfortunately it does .... Orders table   `cc_number`  
recorded if someone used the test CC (not for production) module.
It records everything, which is a very dangerous thing to do!!
I hope it is removed in 2.3
Nic

[germ]

FIMBLE, on 08 October 2010 - 10:50 AM, said:

unfortunately it does .... Orders table   `cc_number`  
recorded if someone used the test CC (not for production) module.
It records everything, which is a very dangerous thing to do!!
I hope it is removed in 2.3
Nic

D*mn!


Sometimes the wheels of change turn very slowly....

[Motive]

Yep and Im the noob that used it.

[Motive]

Motive, on 09 October 2010 - 12:13 AM, said:

Yep and Im the noob that used it.

So the version Im on is osCommerce 2.2-MS2.  Is this good or do I need to update files as I am securing?  Also the hosting company I use has osCMax.  Is osCMax more secure or what?

Edited by Motive, 09 October 2010 - 12:19 AM.

[Inesyta]

germ, on 23 September 2010 - 10:48 AM, said:

Hack files in the root folder:

gogle_analist_3d6fa6465727d.php
goog1e1e9163b3ca51bb.php
goog1e40b95b3736ac6e.php
goog1e663023271039ca.php
goog1e72c0c885c9b967.php
goog1e_analist_3d6fa6465727d.php
goog1e_analist_698dbc436d8728.php
google_analist_3d6fa6465727d.php
google_analist_d8ed379f4d946043ceb12458dfc393ac.php

There are probably similarly named hack files in the images folder.

You're suffering from the "admin vulnerablility" hack.

Rename it and secure it with a .htaccess file

[Inesyta]

germ, on 23 September 2010 - 10:48 AM, said:

Hack files in the root folder:

gogle_analist_3d6fa6465727d.php
goog1e1e9163b3ca51bb.php
goog1e40b95b3736ac6e.php
goog1e663023271039ca.php
goog1e72c0c885c9b967.php
goog1e_analist_3d6fa6465727d.php
goog1e_analist_698dbc436d8728.php
google_analist_3d6fa6465727d.php
google_analist_d8ed379f4d946043ceb12458dfc393ac.php

There are probably similarly named hack files in the images folder.

You're suffering from the "admin vulnerablility" hack.

Rename it and secure it with a .htaccess file

Hello,
I got very similar files on my website public_html and in images folder as well:
goog1e_analist_add15da98d3a
goog1e_analist_10adc48720b439
goog1e45361ec6937e93 and many more.
I deleted them, but I am worry about maybe they left somewhere on my website.
Maybe you could help me to destroy them, because sometimes when I login to my oscommerce my PC anti-virus shows "blocked trojan", so I think these files are still in my website somewhere.
Please help me.

[DunWeb]

Inesa,

That particular is known for adding a back door to your site, which gives them access as long as the backdoor is present.  I suggest you look at each file for malicious code and remove all files that are not oscommerce files.  And, above ALL else........secure your website by reading the security forums.


Chris

[SonshineTN]

germ, on 23 September 2010 - 10:48 AM, said:

Hack files in the root folder:

gogle_analist_3d6fa6465727d.php
goog1e1e9163b3ca51bb.php
goog1e40b95b3736ac6e.php
goog1e663023271039ca.php
goog1e72c0c885c9b967.php
goog1e_analist_3d6fa6465727d.php
goog1e_analist_698dbc436d8728.php
google_analist_3d6fa6465727d.php
google_analist_d8ed379f4d946043ceb12458dfc393ac.php

There are probably similarly named hack files in the images folder.

You're suffering from the "admin vulnerablility" hack.

Rename it and secure it with a .htaccess file

How do I make my .htaccess file secure?  I have read about blocking certain countries but I don't know how to do that.  Help!?  Thanks!  Also, if you could tell me which countries should be blocked.  I read about Russia but don't know any others.

[Wayne Weedon]

SonshineTN, on 18 November 2010 - 04:16 AM, said:

How do I make my .htaccess file secure?  I have read about blocking certain countries but I don't know how to do that.  Help!?  Thanks!  Also, if you could tell me which countries should be blocked.  I read about Russia but don't know any others.

I have this in my .htaccess file

# secure htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
#

As for countries to block, you have to decide where you are indending to do business. ie Would blocking a whole country affect a signifcant number of sales.

I have found the countries most likely to host an attack are in rough order of first to last, Turkey, Ukraine, Russian Federation, China and Pakistan.

None of those countries I would imagine selling to considering my products markets.

There are a few more possibly.

[SonshineTN]

Wayne Weedon, on 18 November 2010 - 03:38 PM, said:

I have this in my .htaccess file

# secure htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
#

As for countries to block, you have to decide where you are indending to do business. ie Would blocking a whole country affect a signifcant number of sales.

I have found the countries most likely to host an attack are in rough order of first to last, Turkey, Ukraine, Russian Federation, China and Pakistan.

None of those countries I would imagine selling to considering my products markets.

There are a few more possibly.

How do I add these countries to the .htaccess for blocking?  Thanks!