
osCommerce


vulnerabilities that allowed hackers to upload malicious scripts


songbird


Hi there

 

My site has had to be disabled by my hosters due to a vulnerability that allowed hackers to upload malicious scripts to the server

 

Can anyone help with a fix on how to close this vulnerability urgently?

 

I'm posting the info from the hosters here:

 

Your website was used to upload a malicious script to your catalog/images directory:

 

catalog/images:

 

-rwxrwxrwx 1 apache apache 71K Jul 10 23:05 gh.php

 

This is a script that allows a third party to execute a number of commands on the server. As you can see from the owner and group, the file is owned by the web server user, indicating that it was created/uploaded via your website.

 

The access logs show the following just before the file was created/uploaded:

 

88.253.236.222 - - [10/Jul/2010:23:05:03 +0200] "POST /catalog/admin/login.php?action=create HTTP/1.1" 302 - "http://footfashionsa.host4africa.org/catalog/admin/login.php" "Opera/9.80 (Windows NT 5.1; U; tr) Presto/2.6.30 Version/10.60"

88.253.236.222 - - [10/Jul/2010:23:05:06 +0200] "POST /catalog/admin/login.php?action=process HTTP/1.1" 302 - "http://footfashionsa.host4africa.org/catalog/admin/login.php" "Opera/9.80 (Windows NT 5.1; U; tr) Presto/2.6.30 Version/10.60"

88.253.236.222 - - [10/Jul/2010:23:05:41 +0200] "POST /catalog/admin/categories.php?action=update_category&cPath= HTTP/1.1" 302 - "http://footfashionsa.host4africa.org/catalog/admin/categories.php?cPath=&cID=21&action=edit_category" "Opera/9.80 (Windows NT 5.1; U; tr) Presto/2.6.30 Version/10.60"

 

The vulnerability more than likely exists within one of these scripts.

 

 

We then view further on in your access log and see that the malicious script is accessed:

 

88.253.236.222 - - [10/Jul/2010:23:05:43 +0200] "GET /catalog/images/gh.php HTTP/1.1" 200 101357 "http://footfashionsa.host4africa.org/catalog/admin/categories.php?cPath=&cID=21" "Opera/9.80 (Windows NT 5.1; U; tr) Presto/2.6.30 Version/10.60"

88.253.236.222 - - [10/Jul/2010:23:05:49 +0200] "GET /catalog/images/gh.php HTTP/1.1" 200 101357 "-" "Opera/9.80 (Windows NT 5.1; U; tr) Presto/2.6.30 Version/10.60"

88.253.236.222 - - [10/Jul/2010:23:06:03 +0200] "POST /catalog/images/gh.php HTTP/1.1" 200 48457 "http://footfashionsa.host4africa.org/catalog/images/gh.php" "Opera/9.80 (Windows NT 5.1; U; tr) Presto/2.6.30 Version/10.60"

78.172.183.44 - - [10/Jul/2010:23:10:01 +0200] "POST /catalog/images/gh.php HTTP/1.1" 200 48437 "http://footfashionsa.host4africa.org/catalog/images/gh.php" "Opera/9.80 (Windows NT 5.1; U; tr) Presto/2.6.30 Version/10.60"

 

 

There are a number of these entries as the malicious party executes various commands on the server.


First, if you don't have a file named .htaccess in your images directory, create a file named .htaccess and add this line to it:

Options All -Indexes

Then upload that to your images directory.

 

Second, hosts don't normally bother to check if a site gets hacked since that is the shop owner's responsibility. So my guess is that your host is running a non-secure server and has realized their setup can allow a hacker in through your site. The only fix for that is to move to a host that is properly set up for web shops, since, if that is the case, it also means your shop is at risk if some other site on the server gets hacked.


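A detection pass over the kind of log excerpt the hoster posted above, added here as an example (it is not code from this thread or from osCommerce): it parses Apache combined-format lines and flags the two things visible in that excerpt, a non-static file such as gh.php being served from the images upload directory, and admin/login.php being called with action=create just before it. The upload-directory list, the static-extension allow-list and the benign logo.gif line are assumptions.

```python
import re
from dataclasses import dataclass

# Apache "combined" log format, the shape of the hoster's excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed: directories that should only ever serve static images.
UPLOAD_DIRS = ("/catalog/images/",)
STATIC_EXT = (".gif", ".jpg", ".jpeg", ".png")

@dataclass
class Finding:
    ip: str
    ts: str
    reason: str
    url: str

def parse_line(line):
    # Returns the named fields of one log line, or None if it does not parse.
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def scan(lines):
    # Flags the two request patterns seen in the hoster's excerpt.
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, _, query = rec["url"].partition("?")
        if path.startswith(UPLOAD_DIRS) and not path.lower().endswith(STATIC_EXT):
            findings.append(Finding(rec["ip"], rec["ts"], "non-static file served from upload dir", rec["url"]))
        elif path.endswith("/admin/login.php") and "action=create" in query.split("&"):
            findings.append(Finding(rec["ip"], rec["ts"], "admin login.php called with action=create", rec["url"]))
    return findings

# Sample input: the entries from the hoster's excerpt, plus one benign image request (constructed).
SAMPLE_LOG = """
88.253.236.222 - - [10/Jul/2010:23:05:03 +0200] "POST /catalog/admin/login.php?action=create HTTP/1.1" 302 - "http://footfashionsa.host4africa.org/catalog/admin/login.php" "Opera/9.80 (Windows NT 5.1; U; tr) Presto/2.6.30 Version/10.60"
88.253.236.222 - - [10/Jul/2010:23:05:06 +0200] "POST /catalog/admin/login.php?action=process HTTP/1.1" 302 - "http://footfashionsa.host4africa.org/catalog/admin/login.php" "Opera/9.80 (Windows NT 5.1; U; tr) Presto/2.6.30 Version/10.60"
88.253.236.222 - - [10/Jul/2010:23:05:41 +0200] "POST /catalog/admin/categories.php?action=update_category&cPath= HTTP/1.1" 302 - "http://footfashionsa.host4africa.org/catalog/admin/categories.php?cPath=&cID=21&action=edit_category" "Opera/9.80 (Windows NT 5.1; U; tr) Presto/2.6.30 Version/10.60"
88.253.236.222 - - [10/Jul/2010:23:05:43 +0200] "GET /catalog/images/gh.php HTTP/1.1" 200 101357 "http://footfashionsa.host4africa.org/catalog/admin/categories.php?cPath=&cID=21" "Opera/9.80 (Windows NT 5.1; U; tr) Presto/2.6.30 Version/10.60"
88.253.236.222 - - [10/Jul/2010:23:05:49 +0200] "GET /catalog/images/gh.php HTTP/1.1" 200 101357 "-" "Opera/9.80 (Windows NT 5.1; U; tr) Presto/2.6.30 Version/10.60"
88.253.236.222 - - [10/Jul/2010:23:06:03 +0200] "POST /catalog/images/gh.php HTTP/1.1" 200 48457 "http://footfashionsa.host4africa.org/catalog/images/gh.php" "Opera/9.80 (Windows NT 5.1; U; tr) Presto/2.6.30 Version/10.60"
78.172.183.44 - - [10/Jul/2010:23:10:01 +0200] "POST /catalog/images/gh.php HTTP/1.1" 200 48437 "http://footfashionsa.host4africa.org/catalog/images/gh.php" "Opera/9.80 (Windows NT 5.1; U; tr) Presto/2.6.30 Version/10.60"
10.0.0.5 - - [10/Jul/2010:23:12:00 +0200] "GET /catalog/images/logo.gif HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
""".strip().splitlines()
```

Running scan(SAMPLE_LOG) returns five findings: the login.php?action=create request and the four requests to gh.php, while the categories.php update and the logo.gif request are not flagged.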
