Don W, posted July 7, 2010:

I have a client that I have built a couple of web sites for; his wife bought her web site from someone in England using oscommerce. Early June her site got hacked. I went out and loaded the recommended fixes: SiteMonitor, ocVTS. I removed file_manager.php and define_language.php.

** I did not change the name of my admin folder **

The site got hacked again over the 4th weekend. So I got serious in determining HOW these creeps are hacking the software. I started digging through the log files and wrote some software to analyze traffic and requests to the site. I found some interesting things on how the attack is successful, and how ANY oscommerce site is vulnerable to this type of attack. I went back to the logs on the original attack and found they used the same method.

I WILL NOT post the HOW they did it, but if someone wants to email me with what I found and how to fix it, I will send them an email on how to fix it.

-Don

chadcloman, posted July 8, 2010:

Is this a new hack that isn't already covered by the "how to secure your site" thread?

Don W (thread author), posted July 8, 2010:

According to Java Roasters, this is the same hack method listed in

http://www.oscommerce.com/forums/topic/348589-serious-hole-found-in-oscommerce/
http://www.oscommerce.com/forums/index.php?showtopic=340995

My approach to fixing it is a little different.

None of these fixes are listed under securing site post, and I didn't see it in any follow up responses in the thread when I was researching the problem.

chadcloman, posted July 8, 2010:

> None of these fixes are listed under securing site post, and I didn't see it in any follow up responses in the thread when I was researching the problem.

I think it is covered, although it's easy to miss. Take a second look at this part of the "securing your site" thread:

> SECURING THE ADMIN: You must take steps to secure your admin, by re-naming & password protection. There is also an issue with hacks, read Jan's thread here.

Don W (thread author), posted July 8, 2010:

I can guarantee you that I missed it; that is why I went through the server logs until I was able to determine the hack point, and subsequently found that the hack will work on any php file that depends upon application_top for validation.

Perhaps a second 'pinned' thread should be posted addressing some of the more recent primary threats, since the original is almost two years old.

In looking at the posts about repeated attacks and hacks, I am fairly sure that they fell victim via the same mechanism. Because without the patch to application_top.php, all sites are vulnerable and it is only a matter of time before some script kiddie finds the path to it.

Guest, posted July 8, 2010:

Don, if you are certain you have found a hole and a patch for it, then you should post it in the above mentioned threads to update them. You don't need to describe HOW the hacker is getting in, only how to prevent such an attack.

Chris

Don W (thread author), posted July 8, 2010:

Ok Chris, here is my method for fixing it: (It's really an ugly piece of code, and I apologize in advance)

It is added to the very top of application_top.php

php5:

    $check_hack = (isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']);
    // stripos() returns false when '.php' is not found; intval(false) is 0
    $sp1 = intval(stripos($check_hack, '.php', 0));
    // look for a second '.php' after the first one
    $sp2 = intval(stripos($check_hack, '.php', $sp1 + 1));
    if ($sp2 > 1) die('Go away script kiddie'); /* or you could just put in go to the login panel */

Don W (thread author), posted July 8, 2010:

I think today that I will write a small intrusion detection module that will look for a hack attempt, record the event, report the hack, and create a banned ip list. I want to know if someone is attempting to hack the site.

Eventually I may go as far as creating a list of php files, and verify the one being executed against a list of known/valid files/sizes. I'm thinking along the lines of preventing future potential unknown attacks. I think I will go look at PHPIDS as well and see what it offers before I expand upon what I'm going to do today.
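
Added example, not part of the thread and not osCommerce code: a log-side version of the test in the check posted above. It flags requests whose decoded script path contains ".php" twice, records them, and builds a ban list. The log lines, paths, addresses and the ban threshold are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample in Apache combined log format; IPs are documentation ranges.
SAMPLE_LOG = '''
203.0.113.7 - - [04/Jul/2010:02:11:09 +0000] "GET /shop/index.php?cPath=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [04/Jul/2010:02:14:41 +0000] "POST /shop/page_a.php/page_b.php?action=save HTTP/1.1" 200 812 "-" "-"
198.51.100.23 - - [04/Jul/2010:02:14:55 +0000] "GET /shop/page_a%2Ephp/page_b.php HTTP/1.1" 200 640 "-" "-"
192.0.2.44 - - [04/Jul/2010:02:20:02 +0000] "GET /shop/product_info.php?back=/shop/index.php HTTP/1.1" 200 7001 "-" "Mozilla/5.0"
192.0.2.90 - - [04/Jul/2010:02:31:17 +0000] "GET /shop/PAGE_A.PHP/page_b.php HTTP/1.1" 403 199 "-" "-"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def is_suspicious(target):
    """Same test as the posted PHP check: '.php' occurs twice in the script path."""
    # PHP_SELF excludes the query string and is percent-decoded, so do the same here.
    path = unquote(urlsplit(target).path).lower()
    return path.count('.php') >= 2

def scan(log_text):
    """Return (ip, timestamp, method, target, status) for every flagged request."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_suspicious(m['target']):
            events.append((m['ip'], m['ts'], m['method'], m['target'], m['status']))
    return events

def ban_list(events, threshold=2):
    """IPs with at least `threshold` flagged requests (threshold is an assumption)."""
    hits = Counter(ip for ip, *_ in events)
    return sorted(ip for ip, n in hits.items() if n >= threshold)

if __name__ == '__main__':
    found = scan(SAMPLE_LOG)
    for ip, ts, method, target, status in found:
        print(f'{ts} {ip} {method} {target} -> {status}')
    print('ban candidates:', ban_list(found))
```

A flagged request that returned 200 is the one to investigate first; a 403 or a die() response means the check or the server already refused it.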

Jan Zonjee, posted July 8, 2010:

> I think today that I will write a small intrusion detection module that will look for a hack attempt, record the event, report the hack, and create a banned ip list. I want to know if someone is attempting to hack the site.

A lot of functionality is already on the version on GitHub (action recorder).

> Eventually I may go as far as creating a list of php files, and verify the one being executed against a list of known/valid files/sizes. I'm thinking along the lines of preventing future potential unknown attacks. I think I will go look at PHPIDS as well and see what it offers before I expand upon what I'm going to do today.

As far as I know that is available as a contribution by Jack_mcs already (Site monitor).

burt, posted July 8, 2010:

This commit should fix that vulnerability:

http://github.com/gburton/oscommerce2/commit/f87affd8b03c8a19bf7b6d98b314cb81c5c016cd

WebDev22, posted July 8, 2010:

> This commit should fix that vulnerability:
> http://github.com/gburton/oscommerce2/commit/f87affd8b03c8a19bf7b6d98b314cb81c5c016cd

Is it recommended to apply both Don W's and Burt's changes to fix this vulnerability?

chadcloman, posted July 8, 2010:

A fully-featured fix for this $PHP_SELF problem is in this post.

Don W (thread author), posted July 8, 2010:

> Is it recommended to apply both Don W's and Burt's changes to fix this vulnerability?

Use Burt's, it's the change that was made to the base code, and it is far cleaner than mine.

homewetbar, posted July 9, 2010:

Adding a password to the admin directory in cpanel, or in your .htaccess file, is also not a bad idea. A little duplication, yes, but it basically gives you two layers of security a hacker has to get through, which is never a bad thing :thumbsup:
This topic is now archived and is closed to further replies.