WebDev22

Hacked again despite numerous security measures

One of our sites was hacked yet again. It happened today. We removed the malware and submitted to have that nasty message removed from Google.

Despite all our security measures (admin folder changed, File Manager removed, installed SiteMonitor, etc.), we are still vulnerable and are spending way too much valuable time on securing the site. As is part of the process when something like this happens, I notified HostGator, who was very helpful in quickly removing the malware. They don't know what caused it but they've enabled extended logging for the account, so if it happens again, they should have a clearer picture of what happened.

The tech added this, "There are numerous vulnerabilities for the version of oscommerce that you're using, and the developers haven't released an update in years. I strongly recommend considering migrating to a different shopping cart tool... I recommend upgrading to a shopping cart that is still supported by the creators."

At this point, we are seriously considering other options. I bet the hackers read these threads and are loving it.


Brett.

It is obvious that you failed to remove ALL of the malware as the hacker has gained access to your site again. My suggestion: Delete the site and start from scratch OR upload a KNOWN CLEAN backup of your site and ensure you have ALL the security patches installed and the appropriate security contributions installed.

This is the ONLY way to ensure the hacker has not hidden a back door.

Chris


Do you have security measures in place?

I hear FWR Security Pro add-on is very good. Here is the link to it: http://addons.oscommerce.com/info/5752

I personally use this in my htaccess to block many of the hack attempts:

########## Begin - Rewrite rules to block out some common exploits
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Any one of the conditions above is enough ([OR]); [F] answers 403 Forbidden
RewriteRule ^(.*)$ index.php [F,L]
########## End - Rewrite rules to block out some common exploits
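To see exactly which requests those six conditions refuse before relying on them, here is an added example (my code, not from the post or from osCommerce) that replays the same patterns in Python against constructed request URLs. It assumes Python's re engine behaves like Apache's PCRE for these particular patterns, and, like %{QUERY_STRING}, it looks only at the raw query string.

```python
import re
from urllib.parse import urlsplit

# Debs's six RewriteCond patterns, copied from the post. Apache chains them
# with [OR], so a query string is refused if ANY one matches. Only the two
# tag patterns carry [NC]; the other four are case-sensitive as written.
BLOCK_PATTERNS = [
    (r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", 0),
    (r"base64_encode.*\(.*\)", 0),
    (r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE),
    (r"(\<|%3C).*iframe.*(\>|%3E)", re.IGNORECASE),
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", 0),
    (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", 0),
]
COMPILED = [(re.compile(pat, flags), pat) for pat, flags in BLOCK_PATTERNS]


def matching_rule(query_string):
    """Return the first pattern that matches, or None if the request passes.
    Like RewriteCond, this is an unanchored search over the raw, still
    percent-encoded query string (nothing is decoded first)."""
    for regex, pattern in COMPILED:
        if regex.search(query_string):
            return pattern
    return None


def is_blocked(url):
    """True if RewriteRule ^(.*)$ index.php [F,L] would answer 403.
    Only the query string is inspected: the path, the headers and any
    POST body are outside what these conditions look at."""
    return matching_rule(urlsplit(url).query) is not None


# Constructed sample requests (not from any real log), with the verdict
# the rules give: False = served normally, True = 403 Forbidden.
SAMPLE_REQUESTS = {
    "/product_info.php?products_id=28&osCsid=abc123": False,
    "/index.php?cPath=22_31&sort=2a&page=2": False,
    "/advanced_search_result.php?keywords=javascript+books": False,
    "/index.php?mosConfig_absolute_path=http://example.invalid/x.txt": True,
    "/index.php?q=%3Cscript%3Ealert(1)%3C/script%3E": True,
    "/index.php?q=<IFRAME src=x></IFRAME>": True,
    "/index.php?GLOBALS[foo]=1": True,
    "/index.php?a=eval(base64_encode(x))": True,
    "/index.php?_REQUEST%5Bx%5D=1": True,
}


def audit(requests=SAMPLE_REQUESTS):
    """Map each URL to the pattern that blocked it (None when allowed)."""
    return {url: matching_rule(urlsplit(url).query) for url in requests}


if __name__ == "__main__":
    for url, rule in audit().items():
        print(f"{'BLOCK' if rule else 'allow':5}  {url}  {rule or ''}")
```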


This last happened in October 2009. We applied so many security measures too. Plus the nature of the hack was totally different. I suppose it's possible that it could be the same hacker. If we're going to need to undergo that much of an exhaustive overhaul to the site, I'll likely be recommending other solutions and moving on. We also manage a few Yahoo Stores and never have these issues.


There are so many discussions regarding security requirements that it will take some surfing the forums to gather up a plan of action. Off the top of my head, here's what we did in October 09:

1. Installed SiteMonitor.
2. Changed name of admin folder.
3. Removed link to File Manager in Admin.
4. Created very strong passwords for Admin, FTP and cPanel. We only communicate passwords verbally or via text.

There were some other things too.


Debs - Would you add this to the top of the htaccess file?


Removing the link to the file manager does no good at all.

You have to remove the file itself.

Just an observation - for what it's worth.

:)


If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help


We might have. Can you give the location and name of the file and I'll check? Thanks.


/admin/file_manager.php

/admin/define_language.php

Both are a security risk.

Some other info here

If you're on a UNIX server, protect the admin with a .htaccess file (if you haven't) as well as the osC login page.



The file_manager.php file was removed last October, but define_language.php is still there. I'm removing the latter file now. Does anyone remember where to go to remove it from the admin menu?


Well.... if you follow this forum and faithfully apply security fixes, osC should be fairly secure. The problem is, I have to agree that "[osC] haven't released an update in years." Technically, that's true. 2.2 RC2a is 2-1/2 years old. I keep hearing promises that RC3 will be "any day now", but I have reservations about it. According to github, they've made lots and lots of changes for RC3, which is exactly the wrong thing to do with a Release Candidate. You only fix bugs, and get out another RC or the Gold. All the feature changes (such as removing PHP 5.3 deprecated functions, using common header/footer files, and all the security fixes) must go into the 2.3 stream, starting with Alpha 1. I don't know why I keep complaining about it -- the osC developers just have no idea of how to run a development effort.

In addition to removing admin/file_manager.php (and the language files if you wish), don't forget to also remove admin/define_language.php and its supporting language files. That's another hack vulnerability. And don't forget to scan all PCs used to administer your site for spyware, especially password sniffers and keystroke loggers that give a hacker your passwords as soon as you type them in. It's silly to go through the effort of cleaning up a site when the bad guy can just waltz right in to your control panel or FTP (change your passwords, regardless).

Regarding @Debs's changes, just make sure you have RewriteEngine On before them, and don't plunk them down in the middle of something else (you need to have a basic understanding of .htaccess). If in doubt, stick them at the very beginning or the very end, with RewriteEngine On added just before it.


I'll apply Deb's code to the htaccess file. You mentioned RewriteEngine On. Can you show me how that's coded? Also, the htaccess file is present but empty, with no code.


Add it to the bottom as then the rewrite etc. is already turned on. Place as the last thing in your htaccess.

If you rewrite your url's, then you already have this:

Options +FollowSymLinks
RewriteEngine On
RewriteBase /


Add it to the bottom as then the rewrite etc. is already turned on.

The file is currently blank... no code at all. Do I need to write that Rewrite code? If so, can you post it? Thanks.


Wow. I was reading in the security forum and could work all weekend on these updates. I started a shared Google Doc (to share with my team) and keep finding things to add, modify, delete, etc. Is there not another way? When I started this day 14 hours ago, securing the site was not even on my task list.


Another question about the htaccess file: Should I apply the same code mentioned above to the htaccess file for the catalog and admin directories? Thanks for all the help.


I checked the htaccess file from the admin directory and noticed it has the following code:

# $Id: .htaccess 1739 2007-12-20 00:52:16Z hpdl $
#
# This is used with Apache WebServers
#
# For this to work, you must include the parameter 'Options' to
# the AllowOverride configuration
#
# Example:
#
# <Directory "/usr/local/apache/htdocs">
#   AllowOverride Options
# </Directory>
#
# 'All' will also work. (This configuration is in the
# apache/conf/httpd.conf file)
# The following makes adjustments to the SSL protocol for Internet
# Explorer browsers
#<IfModule mod_setenvif.c>
#  <IfDefine SSL>
#    SetEnvIf User-Agent ".*MSIE.*" \
#             nokeepalive ssl-unclean-shutdown \
#             downgrade-1.0 force-response-1.0
#  </IfDefine>
#</IfModule>
# If Search Engine Friendly URLs do not work, try enabling the
# following Apache configuration parameter
# AcceptPathInfo On
# Fix certain PHP values
# (commented out by default to prevent errors occurring on certain
# servers)
# php_value session.use_trans_sid 0
# php_value register_globals 1

Should I still add the code mentioned above?


Why is your admin not protected by htaccess?

...

For the moment two things can and should be done:

A. rename the admin directory

B. add .htaccess protection to the (renamed) admin directory as was necessary on the older versions of osC (.htaccess cannot be used on a Windows server by the way)

...

Also, check post #29 >>here


The admin is protected by htaccess but I'm not sure what needs to be in the htaccess file. I posted it above.


You may also want to consider that the problem could be with your host. Because they say it is your shop's fault doesn't make it true. And the statement that tech made shows he is not familiar with the patches available for oscommerce. Your host should be able to tell you how the hacker is getting in. If it is always the same and you haven't changed all of your logins, then installing any security patches is probably a waste of time until that is done.


The htaccess you posted (post #17) is like a security guard who happens to be fast asleep; it's useless.

Just because you have htaccess in admin doesn't mean you're protected by it.

These lines should have been in your htaccess for admin to be password protected.

AuthUserFile /path/to/your/.htpasswd
AuthName Restricted_Area
AuthType Basic
require valid-user

You'll also need at least one user with a generated encrypted password in your htpasswd file.

The contents of your htpasswd file should look something like this.

brettg22:a4E7Bp3e7YNV

To disable password protection in htaccess, do this.

#AuthUserFile /path/to/your/.htpasswd
#AuthName Restricted_Area
#AuthType Basic
#require valid-user

To learn more about htaccess see >>here.
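As an added illustration of the htpasswd file the post describes (my code, not from the post or from Apache), here is a small Python tool that writes and checks entries. It uses Apache's {SHA} hash field, which needs only the standard library (the same thing `htpasswd -s` produces; bcrypt via `htpasswd -B` is stronger where available), and the user name and password below are constructed samples.

```python
import base64
import hashlib
import hmac


def make_entry(user, password):
    """One htpasswd line in Apache's {SHA} format: user:{SHA}base64(sha1(pw)).
    This is what `htpasswd -s` writes. It is unsalted, so bcrypt (htpasswd -B)
    is the better choice where the Apache build supports it."""
    if not user or ":" in user:
        raise ValueError("user name must be non-empty and must not contain ':'")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def parse_htpasswd(text):
    """Return {user: hash_field} for a .htpasswd file's contents.
    Blank lines and # comments are skipped; a line without ':' is rejected
    rather than silently ignored, since a typo there locks everyone out."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected user:hash")
        user, hashed = line.split(":", 1)
        users[user] = hashed
    return users


def check_password(users, user, password):
    """True only if the user exists, the entry is {SHA}, and the password matches.
    compare_digest keeps the comparison constant-time."""
    hashed = users.get(user)
    if hashed is None or not hashed.startswith("{SHA}"):
        return False
    expected = make_entry(user, password).split(":", 1)[1]
    return hmac.compare_digest(expected, hashed)


# Constructed sample file (throwaway user and password, not the thread's values).
SAMPLE_HTPASSWD = "# admin users\n" + make_entry("storeadmin", "correct horse battery staple") + "\n"


if __name__ == "__main__":
    table = parse_htpasswd(SAMPLE_HTPASSWD)
    print(SAMPLE_HTPASSWD)
    print("right password:", check_password(table, "storeadmin", "correct horse battery staple"))
    print("wrong password:", check_password(table, "storeadmin", "guess"))
```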


Hi, if I do as suggested and delete the site, starting from scratch, does that mean we have to upload all the photos and input all the prices again?


Does anyone have any suggestions as to which shopping cart to use, and as I am a techno dummy, how do I import or export all my files to the new shopping cart? My web designer is no longer around.


The database, which contains the product descriptions and prices, is rarely attacked by hackers. I don't know offhand of any specific osC exploits that go through a hacked database entry, but I won't guarantee that it's impossible. The image files of products shouldn't be a problem, so long as you have .htaccess controls to prevent execution of any script hidden within an image file. It's "just" a matter of cleaning out all .php files (and others supplied by osC) and replacing them with fresh copies from a good clean install package. Then you have to re-do any customization (add-ons) that you had on your old site.

Does anyone have any suggestions as to which shopping cart to use

Do you expect anyone here to recommend anything but osCommerce? If you're asking which version, definitely 2.2 RC2a rather than 3.0 alpha 5.
