
Hacker attacks


dandelion


I have been hacked as well, and I always trace it back to some directory that had web write permission.

Once they find it (and carts usually keep the images folder writeable and I bet the hackers know it), they can upload scripts that change permissions on other directories and the fun begins. I know this because they changed about 20 of mine and inserted their php scripts and htaccess files.

 

What I am looking to do is to chmod my images directory during upload, then change it back once the image is there.

I'm guessing this has to be done with the downloads directory as well.

 

Any other ideas?

 

cooch


1. Even if the server uses cPanel or Plesk then the need to have folders with 777 permissions is just down to sloppy server admin. They could run an ssh command at root to enable sites on the server to use 755 as the default for folders.

 

2. cPanel in particular has no jailed root for websites, so if one site gets hacked it can be spread to other sites on the same server.

 

3. In addition, cPanel itself gets exploited several times a year - in part because it's the most widely used.

 

4. If you have free forum or cms programmes on the same domain as your osCommerce website then put them somewhere else! Joomla/Mambo get hacked so often it's not even a joke any more. And phpBB is so popular that hackers are always looking to exploit it.

 

In short - if your host requires that you use permissions of 777 the answer is simple - MOVE!

 

Vger


I just added some very simple ftp commands to the categories.php page that chmods the images directory to 777, then back to 555 after uploading. Simple and secure, but not a substitute for a proper server setup.

 

cooch


All of these hacks were certainly due to permissions?

 

Are you sure you don't have a vulnerable contribution installed? There was a really popular one a few months ago, one of those rich text editor things.


I don't have any rich text contribution in my store, but if you specifically know of any that might be vulnerable, I'd appreciate knowing.

Every discussion I've had with security people involves writeable directories, so that's where I started.


Another site was hacked this week... it was a php file in the root directory and looks like the index file may have been changed too (by date in ftp) but I couldn't see anything changed. :(


Isn't it osCommerce that requires our image folders be set to 777? The hackers have uploaded to these three directories and my root directory:

 

3. Set the permissions on catalog/images directory to 777

4. Set the permissions on admin/images/graphs directory to 777

5. Create the directory admin/backups and set the permissions to 777 (this is the folder to store the database backup of your store in the "Tools" section of the store admin).


Another site was hacked this week... it was a php file in the root directory and looks like the index file may have been changed too (by date in ftp) but I couldn't see anything changed. :(

 

Could be they just changed the permissions to make it a writeable file, and they plan to come back later and add some hidden text...

 

My advice is to lock down every file and directory with 755 permissions minimum.



Yes; the cart does require these permissions to make it so you can upload images.

This is bad practice, and I have been caught in it twice, which is 2 times too many.


So if osCommerce requires it, what can we do about it... I have to leave it writeable or my clients can't upload images.


I have to leave it writeable or my clients can't upload images

You can get around this.

 

If they can upload the images via FTP or some other means, you can install a contribution called oscFileBrowser

 

After you install that, when in the Admin adding or changing products and an image is required, a window will pop up and you just choose the image from the images folder rather than uploading from a PC.

 

If you have ANY folder set to 777 permissions that's directly accessible from a browser (not requiring a password), it's not a question of IF you will get hacked, it's only a question of WHEN...

:blush:

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 



Browsing through my files I found in the image folder a file named error.php which is apparently some hacking attempt by someone named SiKodoQ saying it's a defacer and not a hack!! Apparently the file has been there for a while and no damage was done until today, when my admin shows funny things and the site does not work.

 

Could the damage be done by a hack?

 

PS I get this message among others in the admin

 

Warning: include() [function.include]: Failed opening 'includes/languages/english/' for inclusion (include_path='.:/usr/share/pear:/usr/share/php') in /var/www/vhosts/marketink.gr/httpdocs/admin/includes/application_top.php on line 135


Sorry for the double posting but this is totally another thing!! Come to think of it, I have a tmp folder on my site and when I make it 755 I get a red report at the top of the site saying that the tmp directory is not writeable and sessions won't work. Is THAT a hack???

 

Sorry, this post confused me.

 

Just found another folder was added May 21 to the root named tmp with some numbers. The same site is a constant target. Some of my other sites have been targeted but then left alone when I clean them up.

 

Found the answer http://www.oscommerce.com/forums/index.php?showtopic=181312

 

So I guess it's better to store sessions in the database than leave a tmp folder at 777.


1) You better check the includes/languages/english directory for mischief.

2) If someone got into the image directory at all, you can bet they will be back...lock it down!


so if osCommerce requires it what can we do about it... I have to leave it writeable or my clients can't upload images

 

 

If you are willing to edit a few files, here is what I do: I use ftp to make the directory I want to upload into writeable, then I use ftp again to change the permissions back to lock them down. The process is transparent to the user, and (as far as I can tell) it is safe.

 

Before you start:

1) I highly recommend that you make sure no store directory, including the store root directory, has world-writeable permission. They should be 755 or more restrictive. Ask your host for help if you don't know how to do this.

 

2) Make a backup copy of any file you edit.

 

 

 

To handle uploading product images to the images directory:

 

1) Place this in the admin/categories.php file right after the opening <?.

Read each line, and make the changes listed throughout the code to match your site:

 

//************start chmod directory using ftp**************

$curdir="/www";
/*
This is the ftp connection directory; change www to whatever your root directory is called, or
whatever directory your ftp connects to when you enter your ftp credentials.
examples: "/htdocs", "/public_html", "/public", etc
*/

$ftp_ip="put ftp hostname here";
//example: $ftp_ip="mydomain.com";

$ftp_login="put ftp username here";
//example: $ftp_login="bob123";

$ftp_pass="put ftp password here";
//example: $ftp_pass="fuzzydice2";

$conn_id=ftp_connect($ftp_ip);
//stop here if the connection failed; otherwise the chmod below fails silently and you get the red warning bar
if ($conn_id === false) {
  die('ftp connect failed: images directory was not made writeable');
}
$login_result=@ftp_login($conn_id, $ftp_login, $ftp_pass);
if ($login_result === false) {
  die('ftp login failed: images directory was not made writeable');
}

$ftp_file1="$curdir/store/images";
//change the above path (/store/images) to the path to whatever directory you want to change

//SITE CHMOD is passed straight through to the ftp server, so the server must support it
$chmod_cmd="CHMOD 0777 ".$ftp_file1;
$chmod=ftp_site($conn_id, $chmod_cmd);

//************end chmod directory using ftp**************

 

 

 

2) Place this in the admin/categories.php file right before the closing ?>.

Read each line, and make the changes listed throughout the code to match your site:

 

 

//************start chmod directory using ftp**************

$ftp_file1="$curdir/store/images";
//change the above path (/store/images) to the path to whatever directory you want to change as you did above

//lock the directory down again now that the upload has been handled (0555: nobody can write to it, the web server included)
$chmod_cmd="CHMOD 0555 ".$ftp_file1;
$chmod=ftp_site($conn_id, $chmod_cmd);

ftp_quit($conn_id);

//************end chmod directory using ftp**************

 

 

The easiest way to find out if this is working is to set your images directory to be not world-writeable (755), then open any product to edit it. If the red warning bar saying that the "images directory is not writeable" does not appear, it is working. Upload a test product with an image to make sure, then check the images directory permissions again to make sure they are back to 755.

 

This could probably be made into a contribution by someone clever.

 

Hope it works for you.

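A quick audit for the conditions this thread keeps running into (world-writeable directories, PHP dropped into images/, .htaccess files planted below the store root), added here as an example and not code from the thread or from osCommerce; the directory layout and file names in the demo are constructed:

```shell
#!/bin/sh
# Added example, not code from the thread. Audits an osCommerce tree for the
# three things posters above kept finding: world-writeable directories or
# files, PHP scripts dropped into images/, and .htaccess files planted below
# the store root. Usage: sh audit.sh /path/to/catalog (no argument runs the
# constructed demo at the bottom).

# Print one finding per line, prefixed with its category.
audit_store() {
    root="$1"
    # 1. anything with the other-write bit set (777 directories, 666 files)
    find "$root" -perm -002 \( -type d -o -type f \) -print \
        | sed 's|^|WORLD_WRITABLE |'
    # 2. PHP under images/, a directory that should hold nothing but images
    find "$root/images" -type f \( -name '*.php' -o -name '*.phtml' \) -print 2>/dev/null \
        | sed 's|^|PHP_IN_IMAGES |'
    # 3. .htaccess anywhere below the root (the root's own .htaccess is expected)
    find "$root" -mindepth 2 -name .htaccess -print \
        | sed 's|^|STRAY_HTACCESS |'
}

# Constructed sample tree reproducing the thread's reports: a 777 images
# directory holding a dropped error.php, plus an .htaccess under admin/.
demo_findings() {
    umask 022
    t=$(mktemp -d)
    mkdir -p "$t/images" "$t/admin" "$t/includes/languages/english"
    printf 'GIF89a' > "$t/images/logo.gif"
    printf '<?php /* constructed stand-in for a dropped script */ ?>' > "$t/images/error.php"
    printf 'RewriteEngine on\n' > "$t/.htaccess"        # legitimate, at the root
    printf 'RewriteEngine on\n' > "$t/admin/.htaccess"  # planted
    chmod 777 "$t/images"
    audit_store "$t"
    rm -rf "$t"
}

if [ -n "$1" ]; then audit_store "$1"; else demo_findings; fi
```

The demo prints three findings, one per category; on a real store anything listed under WORLD_WRITABLE is what the posters above mean by "lock it down".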

osCommerce does not require any directory at 777! If you think it does, it's a host-specific and/or server issue. (I would move, if any host suggested I have any directory at 777. A host should know better.)

 

I am on 2.2 MS2 (with security patches) and my shop works fine at 755 for uploading images.

 

 

dandelion, off-hand I can't remember any specific contributions, but it seems any time a vulnerability is noticed and exploited it's one of the bigger and popular ones.

One I use that had a hole a while back was supertracker. Other than that I am drawing a blank, sorry.


Hello.

Can you please explain better which security patches you mean?

Thanks


I just came back from vacation to find that two of my sites were hacked while I was away. Then this morning two more clients reported they were hacked again. One site has an index.html file that I had set to 444, yet it had hidden text and, get this, in the admin the store name was changed to include the same text as the hidden text. The other site reported that when visiting the site a popup comes up telling them to download an antivirus/spyware software, and when they click to cancel their computer shuts down.

 

HELP ME!


Are all your clients on the same host? It's possible the host has a vulnerability and it's not your code. Your host might be able to tell you how they changed the file.



Be careful here folks...

 

I have had this problem since April and did all of the security upgrades. Also closed directories, changed passwords and constantly monitor with site monitor.

 

We thought we had all of the files cleared up, but with my Google Webmaster Tools (If you are not using it you should be) I have been cleaning up all of the problems.

 

With the help of a Google employee we have determined that there is a very special hack (special to me, since I have not been able to find anyone here reporting it) that was only showing up for the Google Bots/Robots. When you view the source as it is you do not see any content, links or porno.. The hidden code is very simple and hard to find and blends in with your OS files...

 

So when Google hits it with a bot it loads it and then you are royally screwed....

 

Also in Google Tools there is a Google Alerts that will send you emails if something on your site changes or has questionable content.

 

If you think you are all cleaned up, be aware you might not be and the hidden files are still ruining your google listings and rankings.

 

Install IGoogle and Webmaster Tools which gives you a daily view of your web site and tells you all of the errors, META problems, links in and out, Sitemap problems and behind the scenes of your web site as Google sees it. Plus rankings and keyword data.

 

David


Could you provide a little bit more information on what this code looks like, how we might detect it if it's on our websites, and what it's doing? What is it that Google is seeing on your site? Maybe you're not seeing any discussion on it here because no one else realizes that they have been 'infected' with this stuff. Thanks!


Yes, we are working on resolving the problem and figuring it out. I'm not a programmer, but I have one that is working on the problem. Once he figures it out I will update the post.

 

I'm fed up with hackers and have lost tons of business and money over this... So I will for sure update to hopefully help other people.

 

David

 

I forgot, look at my home page (link below) and view the source... See any porno links or problems? Nope... But when Googlebot sees it, it is there.

 

 

 


I forgot, look at my home page (link below) and view the source... See any porno links or problems? Nope... But when Googlebot sees it, it is there.

One way for them to accomplish that is to insert text the same color as the background.

 

I'm sure there are other methods.


I have not heard of being able to change the font color in the source code. The font color change is pretty old school, but still being used today.

 

This is a hard coded problem using the .php script which we thought was cleared off of the server. Only the Bots see it and that is where they really got you.

 

The person that did this is pretty slick and I have to say smart... No credit here to their exploits, what goes around will eventually come around.

 

Also, I'm not a .php programmer and I'm still waiting for an update from a professional.

David

 

 


Ok, so basically one tiny snippet of code, which was pushed off the normal viewing when you viewed the source, controlled who views the bad content or not. Unless you really check the site and/or compare your original file to a file currently on the server you would probably not pay attention to it.

 

So the bots get the bad links and the normal viewer does not see anything.

 

This is what you see as a regular viewer..

 

<BR><!-- header_eof //-->
<u style="display:none;"></u>

 

The bot sees this

 

<u style="display:none;"><a href="http:// chea-------- .hi5. com/
friend/profile/displayJournalDetail.do?
ownerId=--------&journalId=77703786" title="soma levitra">soma
levitra</a>, <a href="http://www. -----------.com/invisiblefence/
page.php?-stories.html" title="------">------------</a>,

...
</u>

 

So, I gather I'm not the only one this is happening to, so others should check for this hack. In fact, I found other posts after this by searching the small code. Originally I could not find any info. So sorry this is being rehashed again, and it probably does not hurt to let people searching know the problem is there if they are hacked.

 

David

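One way to check a shop for this kind of crawler-only link block, added here as an example and not code from the thread; it assumes the links sit inside a display:none element and that the script chooses by User-Agent, and the demo's spam hosts are example.com placeholders standing in for the redacted ones above:

```shell
#!/bin/sh
# Added example, not code from the thread. Looks for the cloaked link block
# described above: links inside a display:none element that crawlers get but
# browsers do not. Assumptions (mine): the injected markup wraps its links
# in an element with style="display:none;", and the script picks who gets
# it by User-Agent. Usage: sh cloak.sh http://shop.example/ (no argument
# runs the constructed demo at the bottom).

# Print every href inside display:none elements in the HTML read from stdin.
hidden_links() {
    tr -d '\r\n' \
    | grep -o '<[a-zA-Z]* style="display:none;"[^>]*>\([^<]*<a [^>]*>[^<]*</a>\)*[^<]*</[a-zA-Z]*>' \
    | grep -o 'href="[^"]*"' \
    | sed 's/^href="//; s/"$//'
}

# Given a saved browser copy ($1) and crawler copy ($2) of the same page,
# print the hidden links that only the crawler copy carries.
crawler_only_links() {
    hidden_links < "$1" | sort -u > "$1.links"
    hidden_links < "$2" | sort -u > "$2.links"
    comm -13 "$1.links" "$2.links"
    rm -f "$1.links" "$2.links"
}

# Fetch $1 twice, once as a browser and once as Googlebot, then compare.
cloak_check() {
    t=$(mktemp -d)
    curl -fsSL -A 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' "$1" > "$t/browser"
    curl -fsSL -A 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' "$1" > "$t/bot"
    crawler_only_links "$t/browser" "$t/bot"
    rm -rf "$t"
}

# Constructed demo: the two copies quoted in the post above, with the redacted
# spam hosts replaced by example.com placeholders.
demo_cloak() {
    t=$(mktemp -d)
    cat > "$t/browser" <<'EOF'
<BR><!-- header_eof //-->
<u style="display:none;"></u>
<a href="index.php">Home</a>
EOF
    cat > "$t/bot" <<'EOF'
<BR><!-- header_eof //-->
<u style="display:none;"><a href="http://spam1.example.com/journal?id=0" title="soma levitra">soma
levitra</a>, <a href="http://spam2.example.com/page.php?-stories.html" title="x">x</a></u>
<a href="index.php">Home</a>
EOF
    crawler_only_links "$t/browser" "$t/bot"
    rm -rf "$t"
}

if [ -n "$1" ]; then cloak_check "$1"; else demo_cloak; fi
```

An empty result from cloak_check only means the page did not differ for these two User-Agents; comparing the live file against your original copy, as the post suggests, still catches a script keyed on something else.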
