
osCommerce


Hacker tools to look for


VAZ2121


Hi

 

I have also been hacked for about 6 months now (on and off).

The following were the hardest to find:

1) In the Root: send_orders.php

2) In /includes/languages/english/cookie_usage.php

All others had crazy names.

 

Ad.1) "send_orders.php"

This one is not a part of the standard OSC installation.

This was also the worst. It's a complete hacker console specially designed for OSC. It includes a lot of functions to manipulate everything on your site, and your MySQL server. EVERYTHING.

Made by professionals, complete with OSC-logo and all - plug and play, easy to use.

The size is a whopping 36 kb.

Ad.2) "cookie_usage.php"

Is a part of the standard OSC installation.

Was changed to contain PHP-commands to delete/upload/download/update any file and a few more features.

 

The funniest thing is, it's placed in your OSC installation and left for a while. So, when you roll back the installation to a previous backup, it's also there!

 

I have a copy of the hacker console for those of you who are developing anti-hacking SW, the OSC team, etc.

 

Take care out there


I have not found how this got into my OSC.

 

However, it all started with a virus on a web page (I visit a lot of Russian web sites).

The virus was very new (my anti-virus tool found it 1 month later).

Research about this specific virus told me it was stealing usernames + passwords from FileZilla (the FTP upload program I used).

 

So the hackers had 1 month until I knew something was wrong.

At that time, the hackers could have placed a small PHP file that will execute any command (via the EVAL() function) into my OSC.

I guess this is what happened. I kept changing the password, but it did not help, since the small PHP files are able to do anything.

A lot of small PHP files with the EVAL() function appeared.

Later the bigger hacker console was uploaded (via the small PHP files or via the hidden EVALs in my modified cookie_usage.php).

 

Yesterday new hacker consoles were uploaded again. I have no idea how. All my OSC files were valid, and there were no other files present.

The new files are from other hackers; they all have some personal tag.

The new hacker consoles are just left ready to use, until someone decides to activate them.

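A defender's check for the situation this post describes (an added example, not code from the thread or from osCommerce): hash every file of a clean install into a manifest, diff the live tree against it to surface files that should not exist (like send_orders.php) or whose content changed (like cookie_usage.php), and grep PHP files for eval() fed from request data or a decoded blob, which is the shape of the small "execute any command" files. The sample trees, file contents and the eval() hook are constructed for the demo; the regex is an assumption about what such backdoors look like, not a complete signature.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# eval() fed from request data or a decoded blob: the shape of the small
# "execute any command" PHP files the thread describes (assumed pattern, not exhaustive).
SUSPICIOUS = re.compile(
    rb"eval\s*\(\s*(?:\$_(?:GET|POST|REQUEST|COOKIE)|base64_decode|gzinflate|str_rot13)", re.I)

def build_manifest(root):
    """Relative path -> sha256 of every file under root (point it at a clean install)."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit(live_root, manifest):
    """Flag files absent from the manifest, files whose hash changed, and PHP files matching SUSPICIOUS."""
    findings = {"unknown": [], "modified": [], "eval_backdoor": []}
    live_root = Path(live_root)
    for p in live_root.rglob("*"):
        if not p.is_file():
            continue
        rel, data = str(p.relative_to(live_root)), p.read_bytes()
        if rel not in manifest:
            findings["unknown"].append(rel)
        elif hashlib.sha256(data).hexdigest() != manifest[rel]:
            findings["modified"].append(rel)
        if p.suffix == ".php" and SUSPICIOUS.search(data):
            findings["eval_backdoor"].append(rel)
    return {k: sorted(v) for k, v in findings.items()}

def demo():
    """Constructed sample trees: a clean install and a live copy carrying the two files from the thread."""
    clean, live = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    good = b"<?php\n// shipped file\necho 'Cookie usage';\n"
    for base in (clean, live):
        (base / "includes/languages/english").mkdir(parents=True)
        (base / "index.php").write_bytes(b"<?php echo 'shop';\n")
    (clean / "includes/languages/english/cookie_usage.php").write_bytes(good)
    # live copy: the shipped file with an eval() hook appended, plus a foreign file (both constructed)
    (live / "includes/languages/english/cookie_usage.php").write_bytes(
        good + b"eval(base64_decode($_POST['c']));\n")
    (live / "send_orders.php").write_bytes(b"<?php eval($_REQUEST['cmd']);\n")
    return audit(live, build_manifest(clean))

if __name__ == "__main__":
    print(demo())
```

Run it against a real store by calling build_manifest() on an unpacked clean download of the same OSC version and audit() on the web root; anything in "unknown" or "modified" that is not a deliberate customisation deserves a look.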

What is your anti-virus? I use NOD32 but I can't find any virus or trojan...

 

I don't think the user and pass were stolen from FileZilla.

 

I logged in to some of my web sites 4-5 months ago and I don't save passwords in FileZilla.

 

I think this is 99% a security bug in OSC.

 

If anyone wants the modified files, tell me to upload these files.

 

 

(excuse me for my bad english)


The virus I got just started the whole thing. The virus is long gone, and my user + password are safe again.

The hackers put out my user + password + web address on their hacker forums.

NOW, my web site attracts a lot of OSC hackers.

 

I have cleaned my OSC several times, BUT the new attacks MUST be so-called "Injections".

The "Injection" method is a security bug, not only in OSC, but in all web sites based on the PHP script language.

I'm not an expert in Injections, but it happens like this:

You put some parameters (containing the evil code) like this: http:\\yoursite.com\index.php?="evilcodeandscripts

The evil code is often just something that will inject/upload a small PHP file.

This small PHP file will then help the hacker to upload a larger, more powerful tool.

 

I have installed the contribution "Security Pro". This one checks all parameters and removes suspicious characters.

So far, it works. My OSC has not been attacked.

 

(your english is perfectly understandable :-)


1 month later...

Should I delete these two files if they exist in my OSC store?

 

1) In the Root: send_orders.php

2) In /includes/languages/english/cookie_usage.php

 

 

Item #1: Definitely. It is not part of OSC.

 

Item #2: Get a fresh-install copy of that file, delete the existing one, and upload that fresh one.

 

I would then set out to fix any security threats listed in the security threads.
