
img directory was hacked


4 replies to this topic

#1 soxx

  • Community Member
  • 1 posts
  • Real Name:Chris

Posted 13 April 2011, 10:48

hello everybody,

I just came in to leave some information about a trojan placed into an img directory at a client's site on the 5th of April.

I made some investigations and here is what I found out so far:

The IP address from which the attack was started: 84.19.186.93

The name of the .php file which was placed in my img directory: cache_b0ef000a000.php

I don't know exactly what this file is doing, but it has been classified as a trojan by AVAST. At first I recognized a new directory in my img directory, called 'korse', in which a huge amount of other .php files were installed. I guess the aim is to find out some information about my customers, like bank data, e-mail addresses and so on ...

I deleted all the files and hope this will cover it, otherwise I will run a backup!

best regards
Chris

#2 sucuri

  • Community Member
  • 27 posts
  • Real Name:sucuri

Posted 13 April 2011, 12:01

Yes, those attacks are very common... They initially upload a backdoor to your images directory to get full access to the site.

You have to remove those and secure your site to avoid those attacks (renaming the admin directory, upgrading osCommerce if possible, etc.).

*You may probably also have malware on your site, which you can check here: sitecheck.sucuri.net

thanks,

Edited by Jan Zonjee, 02 June 2011, 17:41.


#3 geoffreywalton

  • Community Sponsor
  • 7,731 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 16 April 2011, 15:49

Chris

Follow this link for more info on how to disinfect the site and how to harden it against future attacks.

http://forums.oscommerce.com/user/184805-geoffreywalton/page__tab__aboutme

HTH

G

#4 Iggy

  • Community Member
  • 1,294 posts
  • Real Name:BOFH
  • Gender:Male
  • Location:Seattle, WA

Posted 16 April 2011, 21:23

geoffreywalton, on 16 April 2011, 15:49, said:

Chris

Follow this link for more info on how to disinfect the site and how to harden it against future attacks.

http://forums.oscommerce.com/user/184805-geoffreywalton/page__tab__aboutme

HTH

G

Deleting the files won't cover it. Restoring the files won't cover it.

Since they're going to be back until you plug whatever hole they got through you might want to use your site as a honeypot and post whatever results you find.

Fix your site up first, then place an .htaccess file in the images dir with something like

# Any request for a script file under /images/ is bounced to a harmless image instead
RewriteEngine on
RewriteRule \.(html|htm|php|cgi|pl)$ /images/pixel_trans.gif [R,L]

You can make that any image name so you can get an idea how many times it gets hit in the logs.

That will make their exploit unusable

and watch your logs for exactly how they got in.

My money's on the admin/login.php hack

Looks something like this in the logs:

94.142.129.147 - - [04/Sep/2009:22:36:03 -0500] "POST /admin/file_manager.php/login.php?action=save HTTP/1.1" 200 46617
174.129.177.51 - - [23/Oct/2009:17:33:22 -0500] "GET /admin/orders.php/login.php HTTP/1.1" 200 37728
74.220.219.147 - - [10/Nov/2009:10:33:14 -0600] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
64.186.244.174 - - [14/Nov/2009:01:46:44 -0600] "GET /admin/file_manager.php/login.php HTTP/1.1" 200 44327
66.96.128.60 - - [09/Dec/2009:23:08:56 -0600] "POST /admin/file_manager.php/login.php?a=1&action=save HTTP/1.1" 200 16552
207.115.80.2 - - [19/Dec/2009:16:53:41 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
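The log-watching step Iggy describes, written out as a small scanner. This is an added example, not code from Iggy or from osCommerce: it parses Apache combined-format access-log lines and flags the two things the post points at, an admin script requested with an extra "/login.php" path segment appended (the log signature shown above), and any request for a script file under /images/ (the traffic the .htaccess rule above is meant to neutralise). It assumes the admin directory is still called /admin/ and the image directory /images/; the six sample lines are the ones posted above, the remaining three are constructed for this example and are marked as such.

```python
"""Scan Apache access-log lines for the osCommerce attack patterns discussed above.

Added example: assumes the default /admin/ and /images/ directory names and the
Apache combined (or common) log format. Nothing here is osCommerce's own code.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Fields we need from an Apache common/combined log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# A real admin script immediately followed by an extra "/login.php" path segment.
# "/admin/login.php?..." on its own is a normal login and must not match.
ADMIN_PATHINFO_RE = re.compile(r'^/admin/[^/?]+\.php/login\.php(?:[?/]|$)')

# Script extensions requested under the images directory (same list as the
# RewriteRule above): a backdoor being executed, or someone probing for one.
IMAGES_SCRIPT_RE = re.compile(
    r'^/images/.*\.(?:php|phtml|html?|cgi|pl)(?:[?/]|$)', re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    ip: str
    timestamp: str
    method: str
    target: str
    status: int
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one log line, or None if it is not a log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    return entry


def classify(target: str) -> Optional[str]:
    """Name the suspicious pattern a request target matches, or None if it is clean."""
    if ADMIN_PATHINFO_RE.match(target):
        return 'admin-login-pathinfo-bypass'
    if IMAGES_SCRIPT_RE.match(target):
        return 'script-request-under-images'
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run every line through the parser and classifier; unparsable lines are skipped."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry['target'])
        if reason is not None:
            findings.append(Finding(entry['ip'], entry['ts'], entry['method'],
                                    entry['target'], entry['status'], reason))
    return findings


def hits_by_ip(findings: Iterable[Finding]) -> Counter:
    """Count findings per source address, the quickest way to see who keeps coming back."""
    return Counter(f.ip for f in findings)


SAMPLE_LOG = [
    # The six lines Iggy posted above.
    '94.142.129.147 - - [04/Sep/2009:22:36:03 -0500] "POST /admin/file_manager.php/login.php?action=save HTTP/1.1" 200 46617',
    '174.129.177.51 - - [23/Oct/2009:17:33:22 -0500] "GET /admin/orders.php/login.php HTTP/1.1" 200 37728',
    '74.220.219.147 - - [10/Nov/2009:10:33:14 -0600] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -',
    '64.186.244.174 - - [14/Nov/2009:01:46:44 -0600] "GET /admin/file_manager.php/login.php HTTP/1.1" 200 44327',
    '66.96.128.60 - - [09/Dec/2009:23:08:56 -0600] "POST /admin/file_manager.php/login.php?a=1&action=save HTTP/1.1" 200 16552',
    '207.115.80.2 - - [19/Dec/2009:16:53:41 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -',
    # Constructed for this example: ordinary traffic that must not be flagged.
    '10.0.0.5 - - [13/Apr/2011:10:00:00 +0200] "GET /images/logo.gif HTTP/1.1" 200 2345',
    '10.0.0.5 - - [13/Apr/2011:10:00:01 +0200] "POST /admin/login.php?action=process HTTP/1.1" 302 -',
    # Constructed for this example: the file named in the first post being invoked under /images/.
    '84.19.186.93 - - [05/Apr/2011:03:12:44 +0200] "POST /images/cache_b0ef000a000.php HTTP/1.1" 200 512',
]


if __name__ == '__main__':
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f'{f.timestamp}  {f.ip:<16} {f.method:<4} {f.status}  {f.reason:<28} {f.target}')
    print('hits per IP:', dict(hits_by_ip(results)))
```

Run it against a real access_log with `scan(open('access_log'))`. Seven of the nine sample lines are flagged; the plain /admin/login.php POST and the GIF request are not. Once the .htaccess rule above is in place, the /images/ hits will show up as 302s to pixel_trans.gif, which is exactly the hit count Iggy suggests watching.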

#5 germ

  • Community Member
  • 13,586 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 17 April 2011, 18:52

How to Secure Your Site