Archived

This topic is now archived and is closed to further replies.

JDREMM

hacked i would guess

21 posts in this topic

right. i am a total noob... this starts the convo off pretty well i know... i made this site... well actually this is the first thing i have ever done web wise. we had a really crap website. (yes crapper than this one). so i followed the instructions and having never done anything like this before i normally just surf youtube that's about it...

anyways on to the reason for my problem... when you try and go to my store now (it was fine for about a month) it freaks out and says there is malicious software on it or something like that...

i know this problem has been addressed it would be easier if someone would put it in terms like the install procedures so i could fix it. or can someone PM me who would be interested in fixing this for me... :S

i know i will get a lil abuse for being such a noob. but i thought i would ask anyways.

cheers

John


John,

You will need to clean out the malicious code and files and then use webmaster tools to submit the clean site to Google for re-evaluation.

Look for any files that are NOT part of the standard osCommerce download and remove them. Then, check each osCommerce file for scripts and code that redirect your traffic off the site.

Chris

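The two cleanup steps in the reply above (find files that are not part of the stock download, then review stock files that were changed) can be scripted. This is an added example, not code from the thread or from osCommerce; it assumes a pristine copy of the same release unpacked next to a copy of the live site, and the function names and sample file names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: file types worth reviewing first when they are not in the stock tree.
SCRIPT_EXT = {".php", ".phtml", ".php5", ".pl", ".cgi", ".js"}


def manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def audit(stock_root: Path, live_root: Path) -> dict:
    """Compare the live site with a pristine copy of the same release."""
    stock, live = manifest(stock_root), manifest(live_root)
    extra = sorted(set(live) - set(stock))
    return {
        # Scripts the distribution never shipped: review these first.
        "extra_scripts": [f for f in extra if Path(f).suffix.lower() in SCRIPT_EXT],
        # Other additions, e.g. uploaded product images; usually legitimate.
        "extra_other": [f for f in extra if Path(f).suffix.lower() not in SCRIPT_EXT],
        # Stock files whose content changed: diff each against the original.
        "modified": sorted(f for f in stock if f in live and live[f] != stock[f]),
    }


def build_sample(base: Path):
    """Constructed sample trees (not real osCommerce files) for a dry run."""
    files = {
        "stock/index.php": "<?php // stock",
        "stock/includes/application_top.php": "<?php // stock",
        "stock/images/logo.gif": "GIF89a",
        "live/index.php": "<?php // stock",
        "live/includes/application_top.php": "<?php // stock\n// appended by intruder",
        "live/images/logo.gif": "GIF89a",
        "live/images/book1.jpg": "jpeg bytes",
        "live/goog1e_analist_EXAMPLE.php": "<?php // dropped file",
        "live/images/goog1e_EXAMPLE.php": "<?php // dropped file",
    }
    for rel, body in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return base / "stock", base / "live"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for group, names in audit(*build_sample(Path(tmp))).items():
            print(group, names)
```

Entries under `modified` need a manual diff against the original file; `includes/configure.php` is expected to differ on any configured store.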

ok thanks :D will try and give that a go...

i just realised that i didn't actually post the site if anyone wanted to look at the code...

store.khouse.org.uk/

it's a small Christian book store any light shed would be awesome.

thanks guys


Hack files in the root folder:

gogle_analist_3d6fa6465727d.php
goog1e1e9163b3ca51bb.php
goog1e40b95b3736ac6e.php
goog1e663023271039ca.php
goog1e72c0c885c9b967.php
goog1e_analist_3d6fa6465727d.php
goog1e_analist_698dbc436d8728.php
google_analist_3d6fa6465727d.php
google_analist_d8ed379f4d946043ceb12458dfc393ac.php

There are probably similarly named hack files in the images folder.

You're suffering from the "admin vulnerability" hack.

Rename it and secure it with a .htaccess file


John,

I can see your site is now on the 'Attack Site' List. You need to clean it and then re-submit it for indexing so you are removed from that list.

Chris


There are two new hack files.

One is a command shell that basically lets anyone who accesses it do just about anything they want on the site (add files, delete files, modify files or the DB).

:o

If he ever comes back I hope he sends me a PM and I'll divulge the file names (if he can't find them on his own).


REALLY!!! omg!!! yeah i am back! alas i am not actually a web guy i just work for a charity and followed the steps on this site to get us a shop to sell stuff on... yeah any info pm'd or given would be REALLY awesome! or email direct to johnandrachel@matsen.co.uk if that's a better idea i don't know :D

cheers


OK so I got hit also. In my case files were added to server and my admin panel was open to the world. I have concerns about going back with osCommerce. I am installing it from my hosting company, Netfirms. What do I need to do to lock this down? Also, I don't like having the credit card info stored indefinitely. Can I dump it after processing an order?

I have since deleted all files from the server and have done a fresh install. What's next?


If you're storing CC info and you're not PCI Compliant ( <= it's a link, click it to read more) you can be fined hundreds of thousands of dollars.

:o

As far as I know "stock" osC doesn't store CC info - you have to modify it to get it to do that.

To secure your site visit the link below:

How to Secure Your Site


due to awesome help i think i got this sorted... thanks guys will report back when i know... one more... how do i resubmit to get the mal software notice off my site now that it's fixed :P


unfortunately it does .... Orders table `cc_number`

recorded if someone used the test CC (not for production) module.

It records everything, which is a very dangerous thing to do!!

I hope it is removed in 2.3

Nic


D*mn!

:o

Sometimes the wheels of change turn very slowly....

:-"


Yep and I'm the noob that used it.

So the version I'm on is osCommerce 2.2-MS2. Is this good or do I need to update files as I am securing? Also the hosting company I use has osCMax. Is osCMax more secure or what?


Hello,

I got very similar files on my website public_html and in images folder as well:

goog1e_analist_add15da98d3a
goog1e_analist_10adc48720b439
goog1e45361ec6937e93 and many more.

I deleted them, but I am worried that maybe they are left somewhere on my website.

Maybe you could help me to destroy them, because sometimes when I log in to my osCommerce my PC anti-virus shows "blocked trojan", so I think these files are still in my website somewhere.

Please help me.


Inesa,

That particular is known for adding a back door to your site, which gives them access as long as the backdoor is present. I suggest you look at each file for malicious code and remove all files that are not osCommerce files. And, above ALL else... secure your website by reading the security forums.

Chris


How do I make my .htaccess file secure? I have read about blocking certain countries but I don't know how to do that. Help!? Thanks! Also, if you could tell me which countries should be blocked. I read about Russia but don't know any others.


I have this in my .htaccess file

# secure htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
#

As for countries to block, you have to decide where you are intending to do business, i.e. would blocking a whole country affect a significant number of sales?

I have found the countries most likely to host an attack are in rough order of first to last, Turkey, Ukraine, Russian Federation, China and Pakistan.

None of those countries I would imagine selling to considering my products markets.

There are a few more possibly.


How do I add these countries to the .htaccess for blocking? Thanks!


Cindy,

Use Country IP Block to generate the IPs you want to block. It will give you the code and the IPs, all you have to do is paste it into your .htaccess file.

Chris
