site gets the all clear from these guys
sucuri.net
Script repeatedly inserted in ALL index.php files
Started by RMD27, Feb 07 2012, 08:21
#21
Posted 08 February 2012, 01:14
#22
Posted 08 February 2012, 01:47
Is this anything to worry about? In product_thumb:
base64_decode("R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YUZ\nOGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\nDULB3RP6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs=");
#23
Posted 08 February 2012, 01:55
I have this in stylesheet.css:
url(data:image/gif;base64,AAAA); /*
Normal?
#24
Posted 08 February 2012, 02:54
RMD27, on 08 February 2012, 01:47, said:
Is this anything to worry about? In product_thumb:
base64_decode("R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YUZ\nOGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\nDULB3RP6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs=");
This is the type of thing that can be uploaded via what I explained earlier. First port of call for you is to patch all that faulty code, or else this stuff will be back as soon as you get rid of it. I assume you have taken your site offline. You basically have two conceptual security issues: one, the osCommerce code, which you have sorted by blocking access to the admin directory; two, patch the WordPress plugins, or remove the plugins if there are no upgrades for them.
Then you need to trawl through all your files and look for those types of additions that you posted above. Once you become familiar with them you will find them easier to spot. There are people who are regulars in these forums who also do cleanups for a fee if you feel you are out of your depth on that issue.
The main thing is not to send the site live without patching that insecure code, and certainly not to send your site live again with that sort of backdoor code embedded in files.
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Ignore this link - just a honeypot site to test my ideas out for osC_Sec and allow the site to be picked up by attackers.
- Fix the admin login bypass exploit here
#25
Posted 08 February 2012, 02:56
In saying that, some files do contain base64_decode lines like that, but the flaw in timthumbs, which is more a WordPress issue than an osCommerce one, allowed attackers to embed malware code in image EXIF data, especially for example in JPG, GIF and PNG files. That is not to say that every reference to base64_ in those files is malicious.
But that is the effect of the security issues that were discovered in timthumbs.
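One way to triage base64_decode lines like the ones posted above, as an added example that is not code from the thread or from osCommerce: a small Python scanner that pulls base64 literals out of PHP calls and CSS data URIs, decodes them, and reports whether the bytes are an image (the GIF blob from product_thumb decodes to a "GIF89a" header) or PHP source. The sample files and the marker strings are constructed assumptions for this example.

```python
import base64
import binascii
import re

# Base64 literals as they appear in PHP base64_decode() calls (a double-quoted PHP
# string may carry literal "\n" escapes) and in CSS data: URIs. Constructed regex.
B64_LITERAL = re.compile(
    r'base64_decode\(\s*["\']([A-Za-z0-9+/=\\n]+)["\']\s*\)'
    r'|data:image/[a-z]+;base64,([A-Za-z0-9+/=]+)'
)
IMAGE_MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif",
               b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg"}
# Decoded bytes containing any of these are PHP source, not an image (assumed markers).
PHP_MARKERS = (b"<?php", b"<?=", b"eval(", b"base64_decode(")

def classify_blob(raw: bytes) -> str:
    """image/<kind> for a known image header, php-code for PHP source, else unknown."""
    for magic, kind in IMAGE_MAGIC.items():
        if raw.startswith(magic):
            return f"image/{kind}"
    if any(marker in raw for marker in PHP_MARKERS):
        return "php-code"
    return "unknown"  # neither an image nor obvious PHP: compare against the stock file

def scan_source(text: str) -> list:
    """Return (verdict, first 16 chars of literal) for every base64 literal in text."""
    findings = []
    for m in B64_LITERAL.finditer(text):
        literal = (m.group(1) or m.group(2)).replace("\\n", "")  # drop PHP "\n" escapes
        try:
            raw = base64.b64decode(literal, validate=True)
        except binascii.Error:
            findings.append(("invalid-base64", literal[:16]))
            continue
        findings.append((classify_blob(raw), literal[:16]))
    return findings

# Constructed sample: the first 52 characters of the thread's GIF blob (with a "\n"
# escape as PHP strings carry it), a blob that decodes to PHP source, and the
# stylesheet.css data URI from the thread, which decodes to three zero bytes.
PHP_BLOB = base64.b64encode(b"<?php echo 'constructed marker'; ?>").decode()
SAMPLE_FILES = (
    '$img = base64_decode("R0lGODlhUAAMAIAAAP8AAP///yH5\\nBAAHAP8ALAAAAABQAAwAAAJp");\n'
    f'$payload = base64_decode("{PHP_BLOB}");\n'
    'background: url(data:image/gif;base64,AAAA); /*\n'
)

if __name__ == "__main__":
    for verdict, prefix in scan_source(SAMPLE_FILES):
        print(f"{verdict:15} {prefix}...")
```

Anything reported as php-code or unknown is worth diffing against the file shipped with the contribution; an image/gif verdict on the product_thumb line matches what the thread concluded about that blob.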
#26
Posted 08 February 2012, 03:33
geoffreywalton, on 07 February 2012, 23:50, said:
The add-on Virus Threat System will search for known hack strings, as will Site Monitor, but not for so many.
http://addons.oscommerce.com/info/7279
There are also some tips on what to look for in my profile.
HTH
G
OK, I used AVS and I get a ton of messages related to contributions:
spaw
fckeditor
lightbox
mailist
are the ones that stand out.
I suppose I have to check these files against the files that came with the contribution to know if things are okay or not?
It says none are infected though.
#27
Posted 08 February 2012, 04:32
Taipo, on 08 February 2012, 02:54, said:
This is the type of thing that can be uploaded via what I explained earlier. First port of call for you is to patch all that faulty code, or else this stuff will be back as soon as you get rid of it. I assume you have taken your site offline. You basically have two conceptual security issues: one, the osCommerce code, which you have sorted by blocking access to the admin directory; two, patch the WordPress plugins, or remove the plugins if there are no upgrades for them.
Then you need to trawl through all your files and look for those types of additions that you posted above. Once you become familiar with them you will find them easier to spot. There are people who are regulars in these forums who also do cleanups for a fee if you feel you are out of your depth on that issue.
The main thing is not to send the site live without patching that insecure code, and certainly not to send your site live again with that sort of backdoor code embedded in files.
My hosting company have no end of patience. They found the corrupted files and deleted all the code; I deleted the infected folders I could live without and also updated osC and WordPress.
It never occurred to me that WordPress could infect osCommerce and vice versa. Extremely naive, I know.
I'm learning every day. Today's lesson: everything needs extra security!