
Script repeatedly inserted in ALL index.php files


26 replies to this topic

#1 RMD27

  • Community Member
  • 259 posts
  • Real Name:Ricardo
  • Gender:Male

Posted 07 February 2012, 08:21

Hi

I have a major issue with a site hack.

A code keeps getting inserted into all the index.php files on the site front and admin sides.

It seems to take around 12 hours for the code to be reinserted after it has been deleted.

I am out of my depth on this. Any help appreciated.

I have my host working on it and they say the code was inserted back in 2008 but the shop was only installed in 2010.

They looked through the last 48 hours of log files and couldn't identify how it is happening.

I have confidence in them, but if anyone wants to chime in with their opinion/information/things I can do to help, it would be appreciated.

I have done all the things listed in this forum to secure an OSC site but I was ignorant during the first few months the shop was installed.

I am sure this post exposes how little I know about these things, but if anyone has experience/knowledge of this type of issue your help would be appreciated.

I can post the script if that is helpful?

#2 RMD27

  • Community Member
  • 259 posts
  • Real Name:Ricardo
  • Gender:Male

Posted 07 February 2012, 08:37

V2.2 RC2

#3 14steve14

  • Community Member
  • 2,176 posts
  • Real Name:Steve
  • Gender:Male

Posted 07 February 2012, 09:20

In the security thread the best recommendation to clean a hacked site is to remove all the files from the server and reinstall a known good clean copy of your site rather than try to clean the code from the current copy.
REMEMBER BACKUP, BACKUP AND BACKUP
I am not a coder. OSC has a steep learning curve, but in general the program does work. If it doesn't work, the chances are it is something you have done.

#4 RMD27

  • Community Member
  • 259 posts
  • Real Name:Ricardo
  • Gender:Male

Posted 07 February 2012, 11:01

Thanks for the reply. At the moment that looks like the solution. The issue is that because at the moment we/they cannot identify the problem, we do not know how far to go back, because we do not know when the hack was done.

What is the likelihood that this was done months ago and is only now making itself known?

Or is it much more likely that the issue was obvious immediately after the attack?

Personally I do not understand how the hack could have been done last week. Most of the security recommendations had been implemented, including

Security Pro
IP Trap
Admin Password Protected and renamed
Various Tweaks

and I just found this amongst other things in images/Thumbs.db - is this bad?

Root Entry ... Catalog

#5 RMD27

  • Community Member
  • 259 posts
  • Real Name:Ricardo
  • Gender:Male

Posted 07 February 2012, 11:06

Also, is 644 the correct permission for images? Or does it not matter?

#6 RMD27

  • Community Member
  • 259 posts
  • Real Name:Ricardo
  • Gender:Male

Posted 07 February 2012, 11:36

Also, I have a folder images/thumbnails which has timthumb .txt files being created inside it. I changed the permission on the folder to 644. Short of deleting it, is that the best set-up?

#7 RMD27

  • Community Member
  • 259 posts
  • Real Name:Ricardo
  • Gender:Male

Posted 07 February 2012, 12:57

I also have XSS/BAD BEHAVIOR BLOCK installed from ages ago, and this is what the report says (IPs shortened):


/phpMyAdmin/scripts/setup.php
02-02-12 / 21:48:24 - 61.21
/phpMyAdmin/scripts/setup.php
04-02-12 / 15:37:22 - 2007 -
//%0D/scripts/setup.php
05-02-12 / 16:23:38 - 88.191
/bad_conduct/
06-02-12 / 21:25:11 - 203.1
/phpMyAdmin/scripts/setup.php
07-02-12 / 05:30:41 - 210.5-

Is that helpful?

#8 Taipo

  • Community Member
  • 751 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 07 February 2012, 13:01

RMD27, on 07 February 2012, 11:01, said:

What is the likelihood that this was done months ago and is only now making itself known? Or is it much more likely that the issue was obvious immediately after the attack?

The security hole in V2.2 RC2 allows attackers to access your admin directory, therefore at the very least the attack will allow for files to be uploaded into writable directories such as the images directory. So if for example you have added htaccess basic authentication protection to the admin directory, that will have prevented further file uploads, but it will not stop attackers from accessing files that are still currently on your server, for example php files in the images directory, and also code that could be inserted into other site files which allow attackers to then upload more files.

The files they typically upload are often called shell code, or in plain speak, filemanagers. These file manager files are just that, rogue files that act as your typical file manager which give attackers a lot of control over your site files. You have to clean your site out of these files and code additions before sending it live again.

RMD27, on 07 February 2012, 11:01, said:

Personally I do not understand how the hack could have been done last week. Most of the security recommendations had been implemented, including

This is what I am talking about above. The initial attack or attacks would have allowed the attacker to upload basically what are file managers, which then allow more control over your site than what is allowed via the admin features. These rogue file managers can then be used to further install more rogue code throughout normal site files such as catalog/cookie_usage.php and catalog/includes/languages/english/cookie_usage.php and more.

The attack is stacked in this manner so that when the site owner tweaks to the fact that their site is being hacked and protects the admin directory, the attack is still able to continue via 'backdoor code' => rogue file managers and appended code to normal site files which allow attackers to continue in uploading more files and editing files that are writable on your site.

Rid your site of these files and code additions to your site files and the 'attacks' will cease.
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Ignore this link - just a honeypot site to test my ideas out for osC_Sec and allow the site to be picked up by attackers.
- Fix the admin login bypass exploit here

#9 RMD27

  • Community Member
  • 259 posts
  • Real Name:Ricardo
  • Gender:Male

Posted 07 February 2012, 14:00

Thank you for the information. Do you have any suggestion for finding hacked pages? I am trying to use SiteMonitor but I think it has an issue working with XSS (bottom of this page) http://forums.oscommerce.com/topic/221438-sitemonitor/page__st__2000.

Are there alternatives?

I need to find the backdoor, otherwise no matter what I do my efforts will be circumvented, got it, so I really need to find out the core issue. I'm thinking timthumb could be an issue, what do you think?

If I make the thumbnails directory containing the timthumb.txt files 644, will that disable the backdoor? If timthumb is the issue?

#10 RMD27

  • Community Member
  • 259 posts
  • Real Name:Ricardo
  • Gender:Male

Posted 07 February 2012, 14:46

My host has come back to me and said it looks like the hacker is changing the dates on the files, which is making them hard to find.

Also he said he is having to go through the log files manually to identify the issue.

I have no idea if this is the best way to go about it. The problem we seem to have is that we don't know how far back we need to go to get a clean backup.

This is an absolute nightmare.

#11 RMD27

  • Community Member
  • 259 posts
  • Real Name:Ricardo
  • Gender:Male

Posted 07 February 2012, 15:12

Taipo, on 07 February 2012, 13:01, said:

The security hole in V2.2 RC2 allows attackers to access your admin directory, therefore at the very least the attack will allow for files to be uploaded into writable directories such as the images directory. So if for example you have added htaccess basic authentication protection to the admin directory, that will have prevented further file uploads, but it will not stop attackers from accessing files that are still currently on your server, for example php files in the images directory, and also code that could be inserted into other site files which allow attackers to then upload more files.

The files they typically upload are often called shell code, or in plain speak, filemanagers. These file manager files are just that, rogue files that act as your typical file manager which give attackers a lot of control over your site files. You have to clean your site out of these files and code additions before sending it live again.

This is what I am talking about above. The initial attack or attacks would have allowed the attacker to upload basically what are file managers, which then allow more control over your site than what is allowed via the admin features. These rogue file managers can then be used to further install more rogue code throughout normal site files such as catalog/cookie_usage.php and catalog/includes/languages/english/cookie_usage.php and more.

The attack is stacked in this manner so that when the site owner tweaks to the fact that their site is being hacked and protects the admin directory, the attack is still able to continue via 'backdoor code' => rogue file managers and appended code to normal site files which allow attackers to continue in uploading more files and editing files that are writable on your site.

Rid your site of these files and code additions to your site files and the 'attacks' will cease.

Are these rogue file managers in a new file, i.e. something separate from the osCommerce standard files? Or will they be part of a file that already exists as part of the osC install?

#12 Taipo

  • Community Member
  • 751 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 07 February 2012, 19:51

RMD27, on 07 February 2012, 14:00, said:

Thank you for the information. Do you have any suggestion for finding hacked pages? I am trying to use SiteMonitor but I think it has an issue working with XSS (bottom of this page) http://forums.oscommerce.com/topic/221438-sitemonitor/page__st__2000.

Are there alternatives?

Often the content of these rogue files has been marked by antivirus companies as malware, so if you have a complete snapshot of your site you can let your local antivirus scan through it and see what it finds. There is an add-on as well that is a virus checker of sorts, although I have never used it.

If you have a backup copy of your site then that is the best place to start; otherwise you have two other options: one is to grind through every .php, .txt, .js and .html file and look for added code or shell code, or, in the instance where there is large-scale file infection, start again, sorry.

#13 Taipo

  • Community Member
  • 751 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 07 February 2012, 19:56

RMD27, on 07 February 2012, 15:12, said:

Are these rogue file managers in a new file, i.e. something separate from the osCommerce standard files? Or will they be part of a file that already exists as part of the osC install?

The file manager type files are stand-alone files that have been added to writable directories. They can have file extensions such as .txt, .html, .php etc.

If your site is using timthumb then I have to ask for a full description of the structure of your site. For example, are you just using osCommerce, or is it a mix of, say, osCommerce and WordPress?

Timthumb has had a known security hole in it that allowed attackers to upload their own files and even upload files as images which contained executable code.

If you are using an addon in osCommerce that has timthumb then you need to see if the addon author has updated it to the latest version of timthumb which fixes most of those issues.

If you are using another content management system such as Wordpress alongside osCommerce, then you will need to go back to the Wordpress plugins feature and update to the latest timthumb plugin.
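Taipo's advice in the two posts above (grind through every .php, .txt, .js and .html file for added code, and look for stand-alone file-manager files parked in writable directories such as images/) and the host's observation that the file dates are being rewritten can be turned into a repeatable check. The script below is an added example, not code from this thread, from osCommerce or from osC_Sec. It walks a web root, flags PHP open tags in files that should never contain PHP, flags the eval(gzinflate(base64_decode(...))) chain plus a few other injected-code idioms (the extra idioms are an assumption about typical rogue file managers, not something taken from this thread), and compares every file's SHA-256 against a manifest built from a known-clean copy, so a reset modification time does not hide a change. The directory layout, file contents and pattern list in the demo are constructed.

```python
"""Added example (not from this thread or osCommerce): find rogue files and
injected code in a web root, and diff it against a known-clean copy by hash."""
import hashlib
import os
import re
import tempfile

# Idioms commonly found in injected PHP. The first is the chain seen in this
# thread; the rest are assumptions about what typical rogue file managers contain.
SUSPICIOUS = {
    "eval of a decoded/decompressed payload":
        re.compile(rb"eval\s*\(\s*(gzinflate|gzuncompress|str_rot13|base64_decode)\s*\("),
    "long base64 literal passed to base64_decode":
        re.compile(rb"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=\s]{40,}"),
    "shell command built from request input":
        re.compile(rb"(system|passthru|shell_exec|exec)\s*\(\s*\$_(GET|POST|REQUEST)"),
    "file upload handler":
        re.compile(rb"move_uploaded_file\s*\("),
}
PHP_TAG = re.compile(rb"<\?php\b|<\?=")
PHP_EXTS = {".php", ".phtml", ".inc"}
# Text and image types are read and pattern-checked; everything else is only hashed.
SCAN_EXTS = PHP_EXTS | {".txt", ".html", ".htm", ".js", ".jpg", ".jpeg", ".gif", ".png"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest


def scan_file(path):
    """Reasons one file looks tampered with; empty list if nothing stands out."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in SCAN_EXTS:
        return []
    with open(path, "rb") as fh:
        data = fh.read()
    reasons = []
    if ext not in PHP_EXTS and PHP_TAG.search(data):
        reasons.append("PHP code inside a non-PHP file")
    reasons += ["suspicious pattern: " + label
                for label, pattern in SUSPICIOUS.items() if pattern.search(data)]
    return reasons


def scan_tree(root, baseline=None):
    """Scan the live tree; with a clean manifest, also report added, changed and missing files."""
    live = build_manifest(root)
    findings = {}
    for rel, digest in live.items():
        reasons = scan_file(os.path.join(root, rel))
        if baseline is not None and rel not in baseline:
            reasons.append("not present in the clean baseline")
        elif baseline is not None and baseline[rel] != digest:
            reasons.append("content differs from the clean baseline")
        if reasons:
            findings[rel] = reasons
    if baseline is not None:
        for rel in baseline.keys() - live.keys():
            findings[rel] = ["missing from the live copy"]
    return findings


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)
    return full


def demo():
    """Constructed clean and infected trees; returns the findings for the infected one."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        index = b"<?php\n  require('includes/application_top.php');\n?>\n"
        for root in (clean, live):
            _write(root, "index.php", index)
            _write(root, "images/logo.gif", b"GIF89a\x01\x00\x01\x00")
        # Injected at the top of index.php, with the mtime reset to an old date
        # as the host in this thread described; the hash comparison still catches it.
        hit = _write(live, "index.php",
                     b"<?php eval(gzinflate(base64_decode('Y29uc3RydWN0ZWQ='))); ?>\n" + index)
        os.utime(hit, (1200000000, 1200000000))
        # A rogue upload handler parked as a .txt file in a writable directory.
        _write(live, "images/thumbnails/cache.txt",
               b"<?php move_uploaded_file($_FILES['f']['tmp_name'], $_REQUEST['d']); ?>")
        return scan_tree(live, build_manifest(clean))


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(rel, "->", "; ".join(reasons))
```

Run it against a copy of the live tree together with a manifest taken from the clean install or last trusted backup; anything reported as not in the baseline or differing from it is reviewed by hand. The pattern list is a hint rather than a verdict: legitimate add-ons can use the same eval chain (the Configuration Cache code quoted later in this thread does), so a pattern hit on a file whose hash matches the clean copy is noise, while a changed or unknown file is the thing to open.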

#14 geoffreywalton

  • Community Sponsor
  • 7,731 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 07 February 2012, 23:50

The add-on Virus Threat system will search for known hack strings, as will Site Monitor, but not for so many.

http://addons.oscommerce.com/info/7279

There are also some tips on what to look for in my profile.

HTH

G
Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

Virus Threat Scanner
My Contributions
Basic install answers.
Click here for Contributions / Add Ons.
UK your site.
Site Move.
Basic design info.

For links mentioned in old answers that are no longer here follow this link Useful Threads.


#15 RMD27

  • Community Member
  • 259 posts
  • Real Name:Ricardo
  • Gender:Male

Posted 08 February 2012, 00:51

Thanks for the feedback.

I installed Tim's threat scanner so I'm going through the results of that.

In admin/includes/configure cache I have this; is the base64 okay?


<?php
// Excerpt as posted; assumes $config_cache_output already holds the
// gzdeflate()d configuration data (that step is not in the pasted lines).
$config_cache_output = base64_encode($config_cache_output);
// Wrap the base64 text at 80 characters per line.
$new_config_cache_output = '';
while (strlen($config_cache_output) > 0) {
    $new_config_cache_output .= substr($config_cache_output, 0, 80) . "\n";
    $config_cache_output = substr($config_cache_output, 80);
}
// The cache file is a PHP stub that decodes, inflates and eval()s the data
// when included; injected code uses the same idiom, so scanners flag it.
$config_cache_output = "<?php eval(gzinflate(base64_decode('\n$new_config_cache_output'))); ?>";

#16 RMD27

  • Community Member
  • 259 posts
  • Real Name:Ricardo
  • Gender:Male

Posted 08 February 2012, 00:53

Taipo, on 07 February 2012, 19:56, said:

The file manager type files are stand-alone files that have been added to writable directories. They can have file extensions such as .txt, .html, .php etc.

If your site is using timthumb then I have to ask for a full description of the structure of your site. For example, are you just using osCommerce, or is it a mix of, say, osCommerce and WordPress?

Timthumb has had a known security hole in it that allowed attackers to upload their own files and even upload files as images which contained executable code.

If you are using an addon in osCommerce that has timthumb then you need to see if the addon author has updated it to the latest version of timthumb which fixes most of those issues.

If you are using another content management system such as Wordpress alongside osCommerce, then you will need to go back to the Wordpress plugins feature and update to the latest timthumb plugin.

You're right on the money here. I have WordPress installed in another directory; osC is in the root. Both are using timthumb.

The more I see, the more I think it's this.

#17 RMD27

  • Community Member
  • 259 posts
  • Real Name:Ricardo
  • Gender:Male

Posted 08 February 2012, 00:55

geoffreywalton, on 07 February 2012, 23:50, said:

The add-on Virus Threat system will search for known hack strings, as will Site Monitor, but not for so many.

http://addons.oscommerce.com/info/7279

There are also some tips on what to look for in my profile.

HTH

G

I'm like a headless chicken at the moment. I'm doing this threat scanner first because it's easy to install, then I'll move on to yours!

#18 RMD27

  • Community Member
  • 259 posts
  • Real Name:Ricardo
  • Gender:Male

Posted 08 February 2012, 01:01

I've got this at the top of mail/mailist/admin.edit.php:

<?php if(!isset($_SESSION['admin'])){echo 'Hacking attempted'; return ;} ?>

Is that line okay?

The more I look at this whole issue, the more clueless I realise I am.

#19 RMD27

  • Community Member
  • 259 posts
  • Real Name:Ricardo
  • Gender:Male

Posted 08 February 2012, 01:02

RMD27, on 08 February 2012, 01:01, said:

I've got this at the top of mail/mailist/admin.edit.php:

<?php if(!isset($_SESSION['admin'])){echo 'Hacking attempted'; return ;} ?>

Is that line okay?

The more I look at this whole issue, the more clueless I realise I am.

Same thing at the top of sendmail.php.

#20 RMD27

  • Community Member
  • 259 posts
  • Real Name:Ricardo
  • Gender:Male

Posted 08 February 2012, 01:10

This is what Google has to say:


What happened when Google visited this site?

Of the 17 pages we tested on the site over the past 90 days, 11 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-02-07, and the last time suspicious content was found on this site was on 2012-02-06.
Malicious software includes 17 exploit(s), 11 trojan(s), 6 scripting exploit(s). Successful infection resulted in an average of 5 new process(es) on the target machine.
Malicious software is hosted on 2 domain(s), including svyaz73.1dumb.com/, tds73.1dumb.com/.
1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including tds73.1dumb.com/.
This site was hosted on 1 network(s) including AS24940 (HETZNER).