osCommerce

The e-commerce.

our webstore completely hacked into oblivion this morning (OSC 2.2)


phantompoet


this morning we woke up to a weird order with the customer's actual CC info entered. Problem is that our site has always used only PayPal Website Payments Standard for credit cards.

upon looking in the modules, i noticed the paypal website payments Module set to false, and the Credit card with CV2 module installed and activated.

 

there was also a new account with top administrator privileges ([email protected]) and the main icon for our catalog had been changed to an animated gif of the Joker from The Dark Knight.

we deleted their account, but they kept recreating it, and finally they got in and deleted our entire catalog, customer base, and order history.

it has been replaced with dvds and junk.

 

we are going to try and get a backup going, but what do we need to do to make sure this person can't do this all over again? this is absolutely catastrophic.

We have one of our admins trying to restore it, but we are unable to get a hold of the developer (who built our site) yet.

 

If all else fails, i can have the ISP restore from a backup from a few days ago, but that won't prevent the person from getting in again, will it?


No

 

You need to cleanse the site and close all the loop holes.

 

Links on closing the loopholes are in my profile.

 

HTH

 

G

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 


Might be worth seeing if there is an [email protected] to report this to.

 

Sitemonitor might be a worthwhile addition to your admin after all other important mods.

 

Also take a careful look through your apache logs to at least try establish when and how this happened.

 

 

we restored the site from an earlier backup this morning, but they just broke in again. we're deleting them as soon as they pop up.

i don't know what to do. we can't be on here 24/7, we need this on lock-down.

 

i tried calling the helper admin but she is out right now...

last time she deleted the Credit card with CVV2 module, but they put it back.

 

we need to put the site on triple password lockdown so absolutely no new admins can be created.


The FIRST thing you need to do is password protect your entire site. At the root level. Then erase your entire site. Be sure you get it all. Ask your host for assistance to be sure you get every directory, every file, and every hidden object. You can even ask them to change your host to a different base directory.

 

Then restore your site from a known backup. And finally, be sure that all the security patches have been done, and the permissions are right (ftp clients are known to not upload the files and maintain the permissions that they were when downloaded.)

 

Only then should you remove the password protection from your root directory.

Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?


Do you have the IP of the culprit? If it's static then an entry in .htaccess might keep them at bay for a while.

 

I use this in .htaccess when I'm altering/testing my store

 

order deny,allow
allow from MyIP
deny from all

 

OSC aside is your server control panel secure?


2 more attacks this morning and this afternoon just 10 mins ago. our admin put a lock and auto-ban on anyone attempting to create new admin profiles, but they still managed to get in and change all the details of our store and delete the entire catalog & customer base leaving only a "johndoe". is it possible they installed a bot set to do this at regular intervals and that they're not actually hacking INTO our site each time?

 

we strongly suspect that they began by hacking the admin account of the site designer; they would always change his email first. but even when we restore the site, our admin girl cannot delete his profile. is that something that is embedded really deep in the code and meant to be indestructible? if that is the case, could they have also planted some embedded auto-executable bot deep in the primary code as well?


You need to have a person who knows osCommerce inside out examine EVERY php file by hand, and make any necessary changes/deletions etc.

Once the site is cleansed, that person will then apply security patches.

 

This assumes you do not have a known good (ie, clean) backup, which it sounds like you do not.


Agreed, and I'd add block ANYone else from using/abusing the site either using .htaccess or mdtaylorlrim's solution of server level password protection of the site from root. At least while looking and testing.

 

Also learn how-to or discover where your apache logs are and take a good look at them.
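For the "take a good look at your apache logs" advice, here is an added triage script (not from this thread or from osCommerce) that scans Apache Combined Log Format lines for the things this thread cares about: admin-area requests from IPs you do not recognise, state-changing admin actions such as module installs and member inserts, and requests with extra path info after a ".php" filename (the shape of the login check bypass Mikhail describes later in this thread). The log lines, IP addresses and the trusted-IP list are constructed placeholders; replace them with your own log file and your own admin IPs.

```php
<?php
// Added example, not osCommerce code: triage an Apache access log for suspicious
// admin activity. All log lines and IPs below are constructed samples.

// Constructed: the IP(s) your own admins normally connect from.
$trusted_admin_ips = array('203.0.113.10');

// Constructed sample of Apache Combined Log Format lines.
$sample_log = <<<'LOG'
203.0.113.10 - - [12/Mar/2010:09:01:22 +0000] "GET /admin/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.77 - - [12/Mar/2010:09:05:41 +0000] "GET /admin/admin_members.php/login.php?action=insert HTTP/1.1" 200 2201 "-" "Mozilla/4.0"
198.51.100.77 - - [12/Mar/2010:09:06:03 +0000] "POST /admin/modules.php/login.php?set=payment&action=install HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.5 - - [12/Mar/2010:09:10:00 +0000] "GET /catalog/product_info.php?products_id=42 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
LOG;

// Returns one finding per suspicious line: ip, time, request, status and the reasons it was flagged.
function triage_access_log($log_text, array $trusted_ips) {
    // Combined Log Format: host ident user [time] "method path protocol" status bytes "referer" "agent"
    $line_pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    $findings = array();

    foreach (preg_split('/\r?\n/', trim($log_text)) as $line) {
        if (!preg_match($line_pattern, $line, $m)) {
            continue; // not a parseable request line, skip it
        }
        list(, $ip, $time, $method, $path, $status) = $m;
        $reasons = array();

        // 1. Admin area touched from an address that is not one of your own.
        if (strpos($path, '/admin/') === 0 && !in_array($ip, $trusted_ips, true)) {
            $reasons[] = 'admin request from untrusted IP';
        }
        // 2. Path info appended after a .php filename (e.g. admin_members.php/login.php).
        if (preg_match('#\.php/#', $path)) {
            $reasons[] = 'path info after .php filename';
        }
        // 3. Query strings that change admin state (module install, member/setting insert or save).
        if (preg_match('#[?&]action=(insert|install|save)(&|$)#', $path)) {
            $reasons[] = 'state-changing admin action';
        }

        if (count($reasons) > 0) {
            $findings[] = array(
                'ip'      => $ip,
                'time'    => $time,
                'request' => $method . ' ' . $path,
                'status'  => $status,
                'reasons' => $reasons,
            );
        }
    }
    return $findings;
}

// Usage: replace $sample_log with file_get_contents('/path/to/access_log').
foreach (triage_access_log($sample_log, $trusted_admin_ips) as $f) {
    printf("%s  %-15s  %s  [%s]  %s\n",
        $f['time'], $f['ip'], $f['request'], $f['status'], implode('; ', $f['reasons']));
}
```

Read the output with the timeline in mind: the first flagged request from an unknown IP tells you when the break-in started, and the requests around it tell you which admin pages were used, which is what you need before deciding which backup is actually clean.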


You said at the beginning that there was a "developer" who built your site?

 

No doubt money has changed hands but in all reality it does sound like what you have been provided is maybe very vulnerable to exploits.

 

If it's heavily modified (You make no mention of that) it may even be difficult to heal the install.

 

It may be time for you to take one step back and maybe start with a virgin install of an official Osc release and ensure it's not accessible to anyone but you and maybe a trusted other person while you apply the recommended security modifications as detailed in the "how to secure your site" thread.

 

Wayne...


 

no break-ins since yesterday afternoon. yess!!! yesterday we had the ISP load a backup from earlier in the week, then our admin quickly slammed on all the safety measures she had attempted during the subsequent attacks.

everything in the sticky thread up top has been applied. she will be notified immediately by email if any changes to settings are made, and attempts to create a new admin will be met with an instant ban.

 

i did get a hold of the developer last night by emailing thru his wife's webstore site (also osCommerce), but currently his admin is disabled (maybe for the better, since his account was always the one the hacker would initially change the password on).

 

i slept last night for the first time in days... thank you for your advice.


Well done.

 

Nice to hear a success story. :-)

 

G


we had a similar problem, not with CCV but with files, on our osCommerce site (v 2.2 rs2a). On our site new files appeared and so we detected we had a problem. We contacted a company to perform an online intrusion test and they detected the problem and we were able to resolve it. Basically they told us that the vulnerability allows one to create and download files.... or also to perform a database backup and download it. Please write me if you need more info.


  • 2 weeks later...


 

Not sure this is your issue but we found there is a weakness in one of the versions of the 'Admin w/access levels' mod (distributed with osMax a few years back).

In admin/includes/application_top.php there is an if statement that can fool PHP into thinking that any page you are viewing is the login.php page, which requires no login; this allows a hacker to perform any admin function remotely by specifying /login.php in the URL (e.g. admin_members.php/login.php).

 

Original code:

 if (basename($PHP_SELF) != FILENAME_LOGIN && basename($PHP_SELF) != FILENAME_PASSWORD_FORGOTTEN) {
   tep_admin_check_login();
 }

 

Fix tested on apache 1.3 & php4:

 if (basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_LOGIN && basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_PASSWORD_FORGOTTEN) {
   tep_admin_check_login();
 }

Fix tested on apache 2x & php5:

 if (basename($_SERVER['PHP_SELF']) != FILENAME_LOGIN && basename($_SERVER['PHP_SELF']) != FILENAME_PASSWORD_FORGOTTEN) {
   tep_admin_check_login();
 }

 

The fix depends on which variable gives you the proper page, and that depends on your server version and settings. If the above don't work, use print_r($_SERVER) to find the variable that gives you the correct filename.

Mikhail
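To make the bypass above concrete, here is an added stand-alone PHP script (not Mikhail's code and not part of osCommerce) that feeds a constructed $_SERVER array for a request to /admin/admin_members.php/login.php through the original check and through the SCRIPT_FILENAME fix. The document root, the FILENAME_* constants and the exact PHP_SELF value are assumptions made to mimic Apache with path info enabled; on a real server run print_r($_SERVER) as the post says, because which variable carries the path info depends on the server. The third variant, which refuses admin requests carrying any path info at all, goes beyond the post and is offered as an extra hardening step.

```php
<?php
// Added example, not osCommerce code: shows why basename($PHP_SELF) can be
// fooled by path info and why basename($_SERVER['SCRIPT_FILENAME']) is not.

// The osCommerce admin exempts exactly these two pages from the session check.
define('FILENAME_LOGIN', 'login.php');
define('FILENAME_PASSWORD_FORGOTTEN', 'password_forgotten.php');

// Constructed request: GET /admin/admin_members.php/login.php
// The executing script is admin_members.php; "/login.php" is attacker-supplied path info.
// Values are assumptions modelled on Apache with AcceptPathInfo enabled.
$server = array(
    'PHP_SELF'        => '/admin/admin_members.php/login.php',
    'SCRIPT_NAME'     => '/admin/admin_members.php',
    'SCRIPT_FILENAME' => '/var/www/html/admin/admin_members.php',
    'PATH_INFO'       => '/login.php',
);

// Original (vulnerable) decision: the last path segment of PHP_SELF is the
// attacker's suffix, so the page is mistaken for login.php and the check is skipped.
function login_required_original(array $server) {
    $page = basename($server['PHP_SELF']);
    return ($page != FILENAME_LOGIN && $page != FILENAME_PASSWORD_FORGOTTEN);
}

// Fix from the post: SCRIPT_FILENAME is the filesystem path of the script
// PHP actually executed, which path info cannot alter.
function login_required_fixed(array $server) {
    $page = basename($server['SCRIPT_FILENAME']);
    return ($page != FILENAME_LOGIN && $page != FILENAME_PASSWORD_FORGOTTEN);
}

// Extra hardening (hypothetical, not from the post): no admin page needs path
// info, so treat its presence as a reason to always require a session.
function login_required_strict(array $server) {
    if (isset($server['PATH_INFO']) && $server['PATH_INFO'] !== '') {
        return true;
    }
    return login_required_fixed($server);
}

// Run all three decisions against the constructed request.
echo "basename(PHP_SELF)        = ", basename($server['PHP_SELF']), "\n";
echo "basename(SCRIPT_FILENAME) = ", basename($server['SCRIPT_FILENAME']), "\n";
echo "original check requires login: ", var_export(login_required_original($server), true), "\n";
echo "fixed check requires login:    ", var_export(login_required_fixed($server), true), "\n";
echo "strict check requires login:   ", var_export(login_required_strict($server), true), "\n";
```

The point to take from the run is that the original check makes an allow-by-name decision on data the client can influence, while the fix keys it on something only the server controls; the strict variant additionally turns an unexpected request shape into a deny rather than relying on the name comparison alone.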
