rednme Posted September 19, 2009

I don't know how the hacker got into the site, but when I was going through the site, I found some files in the cgi-bin/ folder. I downloaded and tried to open them, but all were binary files. I just immediately deleted them all, because they are not my files for sure. File names:

entropybanner.cgi
randhtml.cgi
cgiecho
cgiemail

If anyone knows these files, please let us know. Then I changed the cgi-bin/ folder to 555 permission level.
lindsayanng Posted September 19, 2009

If you are unsure as to how they got into your website, you should take a close look at your security. Do you have the filemanager on your website still? If so, delete that. Rename the admin folder and follow the instructions on the linked pages. Make your site as safe as you can instead of constantly cleaning it up.

A great place for newbies to start: Road Map to osCommerce File Structure. DO NOT PM ME FOR HELP. My time is valuable; unless I ask you to PM me, please don't. You will get better help if you post publicly. I am not as good at this as you think anyway! HOWEVER, you can visit my blog (go to my profile to see it) and post a question there; I will find time to get back and answer you. Proud Member of the CODE BREAKERS CLUB!!
Xpajun Posted September 19, 2009

> I don't know how the hacker got into the site, but when I was going through the site, I found some files in the cgi-bin/ folder. I downloaded and tried to open them, but all were binary files. I just immediately deleted them all, because they are not my files for sure. File names: entropybanner.cgi, randhtml.cgi, cgiecho, cgiemail. If anyone knows these files, please let us know. Then I changed the cgi-bin/ folder to 555 permission level.

Random Banners: Entropy Banner is a banner management system which allows you to include randomly "rotating" clickable images in your web pages. This is particularly useful for "rotating" banner adverts. Each time a visitor views a page containing the Entropy Banner code, a banner will be selected at random from the banners you have uploaded to the system. Each banner is associated with its own linking code which will take visitors to the appropriate site when the banner is clicked. Banners can also be assigned a priority level (low, medium or high). For example, a banner of priority "high" will tend to appear more frequently than one of priority "low".

Random HTML: The Random HTML generator can be used to pick a text (or HTML) string out of a list of possibilities and insert it into an SSI-enabled (.shtml) web page. This is useful for including random text or HTML code in pages so as to produce varied quotes, images or just about anything else.

CGI email: CGI Email takes the input of an HTML form and converts it to an email format defined by the author of the form.

CGI echo: CGIecho accepts form data, cleans it, and echoes it. Very often used in conjunction with cgiemail.

These are all scripts provided by your host for your use on your website... If you are not sure what a file does, GOOGLE it - it saves you dumping files that might be playing a part in running your website!

My store is currently running Phoenix 1.0.3.0. I'm currently working on 1.0.7.2 and hope to get it live before 1.0.8.0 arrives (maybe 🙄). I used to have a list of add-ons here, but I've found that with the ones that supporters of Phoenix get, any other add-ons are not really necessary.
♥kymation Posted September 19, 2009

Brady is right: admin/define_language.php can be used to inject arbitrary code into the language files. If you want advance notice of a vulnerability, then here it is. Delete this file before you find out the hard way.

Deleting these files can only limit the damage. They are only dangerous if someone can get into your store admin. Your first line of defense should be proper access control on your Admin. That means:

1. Disable directory view on your root directory.
2. Rename your Admin folder. Make it something hard to guess.
3. If possible, put your admin on a different domain. Your hosting service probably gives you a subdomain or user domain with your account. Use that for your Admin and keep it completely out of the catalog domain. You can also buy another domain name for your Admin. Hackers can't hack your store if they don't even know where to look for it.
4. Use .htaccess password protection for your admin. Use a username that is not easily guessed and a strong password.

Regards
Jim

See my profile for a list of my addons and ways to get support.
Xpajun Posted September 20, 2009

Hmmmmmm........... seems I was targeted too - very recently at that as well, but I can't be sure if it was before or after I removed file_manager and define_language, or maybe in between. However, I did notice that in the decode the following files were being looked for: public_html/store/admin/fckeditor/editor/filemanager/browser/default/images/icons. I think I have a definite reason now to remove fckeditor and editor. (Anyone like to comment on this?) My images and icons were replaced because they were included in my clean back-up.

My store is currently running Phoenix 1.0.3.0. I'm currently working on 1.0.7.2 and hope to get it live before 1.0.8.0 arrives (maybe 🙄). I used to have a list of add-ons here, but I've found that with the ones that supporters of Phoenix get, any other add-ons are not really necessary.
cranberry Posted September 20, 2009

Also hacked -- attempting to remedy this, however whenever I remove the code header from the top of the page my site no longer works. For example, I removed the header from my index.php and it no longer loaded. What is the proper way to fix this? :blink:
cranberry Posted September 20, 2009

Managed to sort it out by myself -- used the base64 decoder to find the style.css.php files -- turned out they were in a zend folder that was part of an archived old site that I haven't used for around 5 years that was lying around the server. Deleted that, used the shell script to clean all the files. Good as new. Thanks for all the good replies.

Just posting those helpful links again since they're scattered throughout multiple pages:

base64 decoder (find where the files are): http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/
shell script cleanup: http://www.jerryrose.org/osc-cleanup.sh
mielag Posted September 20, 2009

Looks like this club is getting bigger each day - me too - hacked on the 4/9... After reading this thread - thanks to all for great help - I managed to locate and delete all the bugs from admin/includes/javascript/tiny_mce/themes/advanced/docs/en/images/style.css.php

Now (sorry, but I'm not very tech) I'm not sure what I should do with the Eval Base64 Decode line in each php file. I have started removing this from my test site, but it looks like it is hooked up deeper, as I got errors like the one below when I was trying to enter the product page:

Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /home/ttoefrzd/public_html/test/product_info.php on line 175

The biggest problem is that the copy of my store is on the same server as the main store and they both were infected (as a matter of fact it was the test store that was holding the bugs). This means that I can't compare these two and bring it back to what it was before. Is there any chance someone could give me some advice on this please... What's worse, I think that this significantly affected my SEO, as from that date the number of people visiting my site shrank by almost 40%....

Thank you for your help
mielag Posted September 20, 2009

> Managed to sort it out by myself -- used the base64 decoder to find the style.css.php files -- turned out they were in a zend folder that was part of an archived old site that I haven't used for around 5 years that was lying around the server. Deleted that, used the shell script to clean all the files. Good as new. Thanks for all the good replies. Just posting those helpful links again since they're scattered throughout multiple pages: base64 decoder (find where the files are): http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/ shell script cleanup: http://www.jerryrose.org/osc-cleanup.sh

Hi Chris, sorry for being a total layman, but how exactly do you get the script running?
Weedwaka (Author) Posted September 21, 2009

What does the shell script do? Is there more hacker code besides what is in the top paragraph of each php file? I deleted all the stand-alone files and all the code in the top of the php files. I am still struggling to get mine back up and running again properly.
spooks Posted September 21, 2009

Have you read Reiner's posts?

Sam

Remember, what you think I meant may not be what I thought I meant when I said it. Contributions: Auto Backup your Database, Easy way; Multi Images with Fancy Pop-ups, Easy way; Products in columns with multi buy etc etc; Disable any Category or Product, Easy way; Secure & Improve your account pages et al.
mielag Posted September 21, 2009

Hi Guys, I cannot change my permission on configure.php - it keeps coming back to 644 - any idea where the problem may be??? Thanks
mielag Posted September 21, 2009

> Hi Guys, I cannot change my permission on configure.php - it keeps coming back to 644 - any idea where the problem may be??? Thanks

It worked through cPanel...
oschellas Posted September 22, 2009

Try this: create a file chmod.php and add the following code:

<?php chmod('includes/configure.php', 0444); ?>

Upload the file to your catalog / admin and call it with your browser. Afterwards you can delete the file(s) from the server.
mielag Posted September 22, 2009

Can someone please give me some directions on how to run the osc-cleanup.sh script? I'm trying to find some other posts about this, but no luck so far and I'm losing my hopes.... :( Thanks
Guest Posted September 23, 2009

Since we are talking about hacks, please assist in the problem below.

"Our customers and we only use the English language. Today we noticed our site has changed automatically to the Spanish language and some of our categories which don't have any Spanish names don't show up. We never really put any Spanish names in; we simply would fill in the same English name for Spanish. The ones we did are showing up, the rest of the categories don't show. Did we get hacked? I see all products and orders so it seems we are ok, but our language is changed. We checked admin and the language is set to English and also set as default. Did someone try a language hack?"

Please help
bradybarrows Posted September 23, 2009

> Brady is right: admin/define_language.php can be used to inject arbitrary code into the language files. If you want advance notice of a vulnerability, then here it is. Delete this file before you find out the hard way. Deleting these files can only limit the damage. They are only dangerous if someone can get into your store admin. Your first line of defense should be proper access control on your Admin. That means: 1. Disable directory view on your root directory. 2. Rename your Admin folder. Make it something hard to guess. 3. If possible, put your admin on a different domain. Your hosting service probably gives you a subdomain or user domain with your account. Use that for your Admin and keep it completely out of the catalog domain. You can also buy another domain name for your Admin. Hackers can't hack your store if they don't even know where to look for it. 4. Use .htaccess password protection for your admin. Use a username that is not easily guessed and a strong password. Regards Jim

Thanks Jim. I just read this today and deleted define_language.php just now. It only made sense to me.
bradybarrows Posted September 23, 2009

> Also hacked -- attempting to remedy this, however whenever I remove the code header from the top of the page my site no longer works. For example, I removed the header from my index.php and it no longer loaded. What is the proper way to fix this? :blink:

The simple way to fix this is to use a clean copy of index.php and upload it, overwriting the hacked file. Then everything works fine. You have to do this to every file that is corrupted. For files like the configure.php files and certain ones you changed, you will need to be careful to remember which ones so you can clean up that file individually. The problem is that the file is corrupted and you really need a clean file to start with.
bradybarrows Posted September 23, 2009

I thought it was in this thread that I read that the hacker probably looked for the 'This site is powered by osCommerce' to find sites to hack. Where did I read this and the suggestion to remove this from your site? Does anyone remember the thread?
Weedwaka (Author) Posted September 23, 2009

When cleaning the code from the top of the pages, make sure you remove all white space and blank lines. This was my problem.
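An added example (not code from this thread, from osCommerce, or from the osc-cleanup.sh script linked above) that does in Python what cranberry and Weedwaka describe doing by hand: it locates the eval(base64_decode(...)) header in each .php file, decodes the payload so you can see which file it points at (the style.css.php dropper cranberry and mielag found), and strips the header without leaving the blank lines that kept Weedwaka's pages from loading. The regex is an assumption about the shape of the injected header the posts describe, and the sample file, payload and paths are constructed for the demonstration.

```python
"""Find, decode and strip an eval(base64_decode(...)) header from PHP files."""
import base64
import re
from pathlib import Path

# Assumed shape of the injected block: a PHP tag that eval()s one base64
# string. The match is kept narrow so ordinary osCommerce code is not touched.
INJECT_RE = re.compile(
    r'<\?php\s*@?eval\s*\(\s*base64_decode\s*\(\s*[\'"]([A-Za-z0-9+/=]+)[\'"]'
    r'\s*\)\s*\)\s*;?\s*\?>'
)
# PHP paths mentioned inside a decoded payload: the next files to go and look at.
PATH_RE = re.compile(r'[\w./-]+\.php')


def decode_payload(b64: str) -> str:
    """Decode the base64 string; invalid input yields '' instead of an exception."""
    try:
        return base64.b64decode(b64, validate=True).decode('utf-8', 'replace')
    except ValueError:          # binascii.Error is a ValueError
        return ''


def find_injection(source: str):
    """Return (injected_block, decoded_payload), or None if the file looks clean."""
    m = INJECT_RE.search(source)
    if not m:
        return None
    return m.group(0), decode_payload(m.group(1))


def referenced_files(payload: str) -> list:
    """Sorted, de-duplicated .php paths the decoded payload refers to."""
    return sorted(set(PATH_RE.findall(payload)))


def clean_source(source: str) -> str:
    """Remove every injected block, then drop leading whitespace so the real
    '<?php' is the very first byte. Whitespace before it is sent to the browser
    before header()/session_start() run, which is the 'site no longer loads'
    symptom described in the thread. Clean files are returned unchanged."""
    cleaned = INJECT_RE.sub('', source)
    return cleaned.lstrip() if cleaned != source else source


def scan_tree(root: Path) -> dict:
    """Map each infected .php file under root to its decoded payload."""
    hits = {}
    for path in root.rglob('*.php'):
        # latin-1 round-trips any byte sequence, so non-UTF-8 files survive intact
        found = find_injection(path.read_text(encoding='latin-1'))
        if found:
            hits[path] = found[1]
    return hits


def clean_tree(root: Path, dry_run: bool = True) -> list:
    """Rewrite infected files in place (take a backup first); returns paths touched.
    With dry_run=True (the default) nothing is written, only reported."""
    touched = []
    for path in root.rglob('*.php'):
        src = path.read_text(encoding='latin-1')
        cleaned = clean_source(src)
        if cleaned != src:
            touched.append(path)
            if not dry_run:
                path.write_text(cleaned, encoding='latin-1')
    return touched


# Constructed sample (not taken from any real infected site): a normal page
# with the injected header prepended, pointing at a made-up style.css.php path.
SAMPLE_PAYLOAD = '@include("/home/example/public_html/old/zend/style.css.php");'
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
SAMPLE_CLEAN = "<?php\n  require('includes/application_top.php');\n?>\n"
SAMPLE_INFECTED = '<?php eval(base64_decode("' + SAMPLE_B64 + '")); ?>\n\n' + SAMPLE_CLEAN

if __name__ == '__main__':
    block, payload = find_injection(SAMPLE_INFECTED)
    print('decoded payload:', payload)
    print('points at      :', referenced_files(payload))
    print('cleaned file   :', repr(clean_source(SAMPLE_INFECTED)))
```

Run scan_tree(Path('public_html')) first to see every infected file and what its payload references, delete the dropper files it points at, and only then run clean_tree with dry_run=False on a backed-up copy. A file whose header does not match the pattern is left alone rather than guessed at, so anything scan_tree does not report still needs the clean-copy approach bradybarrows describes.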
Weedwaka (Author) Posted September 23, 2009

Now that my site is all back up and running, I am trying to secure it better. I deleted file manager etc. How do I disable the root directory as quoted above? How involved is it to rename the admin folder?
spooks Posted September 23, 2009

> How involved is it to rename the admin folder?

http://www.oscommerce.com/forums/index.php?sho...ic=340995"

Sam

Remember, what you think I meant may not be what I thought I meant when I said it. Contributions: Auto Backup your Database, Easy way; Multi Images with Fancy Pop-ups, Easy way; Products in columns with multi buy etc etc; Disable any Category or Product, Easy way; Secure & Improve your account pages et al.
spooks Posted September 23, 2009

> How do I disable the root directory

Add:

Options All -Indexes

to your htaccess.

Sam

Remember, what you think I meant may not be what I thought I meant when I said it. Contributions: Auto Backup your Database, Easy way; Multi Images with Fancy Pop-ups, Easy way; Products in columns with multi buy etc etc; Disable any Category or Product, Easy way; Secure & Improve your account pages et al.
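As an added illustration, not from this thread or from osCommerce, here is what Jim's points 1 and 4 and Sam's Options line look like written out as the two .htaccess files involved: one in the catalog root that turns directory listings off, and one inside the (renamed) admin folder that puts HTTP Basic authentication in front of the osCommerce login. The password file path is an assumption; create the file with htpasswd and keep it outside the web root.

```apache
# --- catalog root .htaccess ---------------------------------------------
# Stop Apache from listing the contents of any directory that has no index file.
Options All -Indexes

# --- .htaccess inside the renamed admin folder --------------------------
# Browsers must present a valid username/password before any admin script runs,
# so a leaked or guessed store-admin login is not enough on its own.
AuthType Basic
AuthName "Store administration"
# Assumed path: the password file lives outside public_html, e.g. created with
#   htpasswd -c /home/example/.htpasswd some_unguessable_name
AuthUserFile /home/example/.htpasswd
Require valid-user
```

After uploading the admin .htaccess, request the admin URL once in a private browser window and confirm you get a 401 prompt before the osCommerce login page appears; if the page loads without a prompt, AllowOverride is not enabled for that directory on your host and you will need to ask them to turn it on.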
bradybarrows Posted September 23, 2009

> Your first line of defense should be proper access control on your Admin. That means: 1. Disable directory view on your root directory. 2. Rename your Admin folder. Make it something hard to guess. 3. If possible, put your admin on a different domain. Your hosting service probably gives you a subdomain or user domain with your account. Use that for your Admin and keep it completely out of the catalog domain. You can also buy another domain name for your Admin. Hackers can't hack your store if they don't even know where to look for it. 4. Use .htaccess password protection for your admin. Use a username that is not easily guessed and a strong password. Regards Jim

Jim, moving the admin folder to a subdomain and naming the subdomain something like www.8eMXDAryK8DDVZll.my_domain.com seems like a great idea, but obviously this really would affect the cart. What files would need to be changed? Obviously most of the files needing the changes so that this would work are in the back end, but what files in the front end would need to be changed? Could you give a step-by-step list of what to do? Maybe this should be in a completely different thread, or is it ok to put it in this thread?
♥kymation Posted September 23, 2009

For stock osCommerce, the only thing you need to change is admin/includes/configure.php. There's a guide to moving the Admin on here somewhere; I think it was linked earlier in this thread. Basically, you just need to change all of the admin paths in that file to your new paths. If you have added code that doesn't use the standard configure.php, you will need to make the changes to that code as well. This won't be necessary for well-written addons, but some of the ones available here are not.

Regards
Jim

See my profile for a list of my addons and ways to get support.
Archived: This topic is now archived and is closed to further replies.