
I Have Figured How the Admin Accounts Are Being Hacked


Don W


I have a client that I have built a couple of WEB sites for; his wife bought her WEB site from someone in England using oscommerce. Early June her site got hacked. I went out and loaded the recommended fixes SiteMonitor, ocVTS. I removed file_manager.php and define_language.php.

 

** I did not change the name of my admin folder **

 

The site got hacked again over the 4th weekend. So I got serious in determining HOW these creeps are hacking the software. I started digging through the log files and wrote some software to analyze traffic and requests to the site. I found some interesting things on how the attack is successful, and how ANY oscommerce site is vulnerable to this type of attack. I went back to the logs on the original attack and found they used the same method.

 

I WILL NOT post HOW they did it, but if someone wants to email me with what I found and how to fix it, I will send them an email on how to fix it.

 

-Don


According to Java Roasters, this is the same hack method listed in

 

http://www.oscommerce.com/forums/topic/348589-serious-hole-found-in-oscommerce/

 

http://www.oscommerce.com/forums/index.php?showtopic=340995

 

My approach to fixing it is a little different. None of these fixes are listed under the securing site post, and I didn't see it in any follow up responses in the thread when I was researching the problem.


None of these fixes are listed under the securing site post, and I didn't see it in any follow up responses in the thread when I was researching the problem.

 

I think it is covered, although it's easy to miss. Take a second look at this part of the "securing your site" thread:

 

SECURING THE ADMIN:

 

You must take steps to secure your admin, by re-naming & password protection. There is also an issue with hacks, read Jan's thread here.

Check out Chad's News.


I can guarantee you that I missed it; that is why I went through the server logs until I was able to determine the hack point, and subsequently found that the hack will work on any php file that depends upon application_top for validation. Perhaps a second 'pinned' thread should be posted that addresses some of the more recent primary threats, since the original is almost two years old.

 

In looking at the posts about repeated attacks and hacks, I am fairly sure that they fell victim via the same mechanism, because without the patch to application_top.php all sites are vulnerable and it is only a matter of time before some script kiddie finds the path to it.


Don,

 

If you are certain you have found a hole and a patch for it, then you should post it in the above mentioned threads to update them. You don't need to describe HOW the hacker is getting in, only how to prevent such an attack.

 

 

Chris


Ok Chris, here is my method for fixing it:

 

(It's really an ugly piece of code, and I apologize in advance.) It is added to the very top of application_top.php:

 

php5:

// Path of the executing script; PHP_SELF also carries any extra path appended after the script name
$check_hack = (isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']);

// Position of the first ".php" (intval turns a "not found" false into 0)
$sp1 = intval(stripos($check_hack, '.php', 0));

// Position of a second ".php" after the first one
$sp2 = intval(stripos($check_hack, '.php', $sp1 + 1));

// A second ".php" in the path means this is not a plain call to the script
if ($sp2 > 1) die('Go away script kiddie'); /* or you could just put in go to the login panel */

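The same check as a reusable function, as an added example that is neither Don's snippet nor osCommerce's own code. It assumes the placement Don describes (top of application_top.php) and adds two things the one-liner lacks: a case-insensitive count of ".php" segments, and a refusal of any request that carries a non-empty PATH_INFO, which is where the extra path segment that PHP_SELF exposes comes from.

```php
<?php
// Added example, not code from the thread or from osCommerce.
// Returns true when the request should be refused before the rest of
// application_top.php runs.
function is_suspicious_admin_request(array $server)
{
    // PHP_SELF includes any trailing path info; SCRIPT_NAME is the fallback
    // the original snippet uses.
    $path = isset($server['PHP_SELF'])
        ? $server['PHP_SELF']
        : (isset($server['SCRIPT_NAME']) ? $server['SCRIPT_NAME'] : '');

    // osCommerce admin scripts are addressed by query string only, so any
    // extra path component after the script is abnormal.
    if (!empty($server['PATH_INFO'])) {
        return true;
    }

    // Same rule as the snippet above: more than one ".php" in the path.
    // Lower-casing first makes the count case-insensitive.
    return substr_count(strtolower($path), '.php') > 1;
}

// Assumed placement: at the very top of admin/includes/application_top.php.
if (PHP_SAPI !== 'cli' && is_suspicious_admin_request($_SERVER)) {
    header('HTTP/1.1 403 Forbidden');
    exit('Forbidden');
}

// Self-check with constructed inputs when run from the command line.
if (PHP_SAPI === 'cli') {
    $normal = array('PHP_SELF' => '/admin/login.php',
                    'SCRIPT_NAME' => '/admin/login.php');
    $odd    = array('PHP_SELF' => '/admin/some.php/other.php',
                    'SCRIPT_NAME' => '/admin/some.php',
                    'PATH_INFO' => '/other.php');
    assert(is_suspicious_admin_request($normal) === false);
    assert(is_suspicious_admin_request($odd) === true);
    echo "checks passed\n";
}
```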

I think today that I will write a small intrusion detection module that will look for a hack attempt, record the event, report the hack, and create a banned ip list. I want to know if someone is attempting to hack the site.

 

Eventually I may go as far as creating a list of php files, and verify the one being executed against a list of known/valid files/sizes. I'm thinking along the lines of preventing future potential unknown attacks. I think I will go look at PHPIDS as well and see what it offers before I expand upon what I'm going to do today.


I think today that I will write a small intrusion detection module that will look for a hack attempt, record the event, report the hack, and create a banned ip list. I want to know if someone is attempting to hack the site.

A lot of functionality is already in the version on GitHub (action recorder).

 

Eventually I may go as far as creating a list of php files, and verify the one being executed against a list of known/valid files/sizes. I'm thinking along the lines of preventing future potential unknown attacks. I think I will go look at PHPIDS as well and see what it offers before I expand upon what I'm going to do today.

As far as I know that is available as a contribution by Jack_mcs already (Site monitor).


Is it recommended to apply both Don W's and Burt's changes to fix this vulnerability?

 

Use Burt's, it's the change that was made to the base code, and it is far cleaner than mine.


Adding a password to the admin directory in cpanel, or in your .htaccess file is also not a bad idea. A little duplication yes, but it basically gives you two layers of security a hacker has to get through which is never a bad thing :thumbsup:


Archived

This topic is now archived and is closed to further replies.
