
jgeoff

"closed by salton sea"?


Been hacked 3x recently, twice the past 2 days. Plan on implementing the "How to secure your osCommerce" tips now. Password protected the /admin directory as well as changed all passwords.

 

But this is the first time they found their way into /admin, apparently. I found a questionable "administrator" and deleted it. But when I click on Catalog I just get a text message saying "closed by salton sea" and I cannot access the catalog. I've requested a full backup from my web host, but I'm curious about this as I cannot find "closed by salton sea" anywhere...

 

Any ideas?

 

And, are there any security benefits to upgrading from v2.2 RC2a to a later version?

 

Thanks!


osC v2.2 RC2a w/ no special templates

PHP Version 5.2.14 / MySQL 5.0.91-community


PS - I'm getting various files added to my osc directory that look like this:

 

0c75c437a3ea7d77f778316a9bc30e95

 

which contain just a random decimal like 0.6

 

Are these hacker-related files?



Yes, those random files are generated by the scripts the hacker is using on your website.

 

Follow these steps to clean and secure your website:

 

1) Lock down your site by using an .htaccess password so your customers are not attacked by the hacker's code.

 

2) FTP all of the files to your local machine and use a program like WinGrep to identify and remove all malicious and anomalous files containing hacker code.

 

3) Delete the files on your hosting account before uploading the clean files.

 

4) FTP the clean files back to your hosting account and read and implement the security patches and contributions found in these two threads: Admin Security and Website Security.

 

5) Change all of your passwords: FTP, CPANEL, STORE ADMIN and DATABASE

 

6) Make sure File and Directory Permissions are set correctly: directories no higher than 755, files no higher than 644, and the TWO configure.php files no higher than 444.

 

7) If your site has been 'black listed' as an attack site by Google, then log into Google Webmaster Tools and submit the site to be re-indexed and verified to be removed from the 'black list'

 

8) Remove the .htaccess password protection so your customers can resume making purchases from your website.

 

9) Monitor your website using the newly installed contributions to prevent future hacker attacks.

 

10) If you feel you cannot perform any of the above steps, PM me for help, because if you miss any of these steps your site may remain accessible to the hacker.


Chris



 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)


Thanks for the tips; I plan on going through them.

 

My host restored a backup from 2 days ago, but I'm still getting the "closed by salton sea" message when trying to access my catalog via admin. Any ideas where that may be coming from?



The message is coming from the hack. You will need to identify and remove all malicious code and anomalous files from your server.


Chris



The message is coming from the hack. You will need to identify and remove all malicious code and anomalous files from your server.

 

Could it be embedded in the database itself? I can't seem to find any more wayward files, but I'll look again - thanks



I cleaned a site once where the malicious code was in the database.

 

This isn't the "norm", but it is possible for a hacker to hijack the DB to store his code.

 

It does make it harder to locate, on average.


If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 


Of the last 10 I've cleaned, 8 injected the database with unwanted "goodies".

 

Most likely spots are: administrators table, banners table, manufacturers table.


This is a signature that appears on all my posts.  
IF YOU MAKE A POST REQUESTING HELP...please state the exact version
of osCommerce that you are using. THANKS

 
Get the latest Responsive osCommerce CE (community edition) here


Well, I figured out the "closed by salton sea" ... admin/categories.php was replaced with that text. I did not discover it until I realized it was only 22 bytes long, but it had the SAME DATE as the original file!

 

How's that possible?? I look for new/changed files by date. If they can get past that, then things just got a lot more difficult. :/



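As an added illustration of the advice in this thread (not code from the forum, from Chris, or from osCommerce), the script below turns the checks into something you can run against the FTP'd copy from step 2: it finds the 32-hex-character marker files, flags permissions looser than step 6 allows, greps PHP for common obfuscation idioms, and, following the later posts, greps a mysqldump for HTML injected into table rows. It also covers the last post's point about a file replaced with plain text but carrying the original timestamp: the content check reads each .php file's first bytes instead of trusting the modification date. The directory layout, file contents, the SQL dump and the example.invalid URL are all constructed assumptions built inside a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example for this thread; not code from the forum or from osCommerce.
# Assumes the site has been FTP'd to a local directory (step 2) and that a
# mysqldump of the store database sits beside it. Everything under
# $STORE_ROOT below is a constructed stand-in so the script runs offline.
umask 022
STORE_ROOT="$(mktemp -d)"
DB_DUMP="$STORE_ROOT/store_dump.sql"

# ---- constructed sample site (mirrors the symptoms described in the thread) ----
mkdir -p "$STORE_ROOT/admin" "$STORE_ROOT/includes" "$STORE_ROOT/images"
printf '<?php\n  echo "store";\n' > "$STORE_ROOT/includes/application_top.php"
printf '<?php\n  define("DB_SERVER", "localhost");\n' > "$STORE_ROOT/includes/configure.php"
printf 'closed by salton sea\r\n' > "$STORE_ROOT/admin/categories.php"   # 22-byte plain-text replacement
# both files carry the same old mtime, so a date-based search misses the defaced one
touch -t 201001010000 "$STORE_ROOT/admin/categories.php" "$STORE_ROOT/includes/application_top.php"
printf '0.6' > "$STORE_ROOT/0c75c437a3ea7d77f778316a9bc30e95"          # hash-named marker file
printf '<?php eval(base64_decode($x)); ?>\n' > "$STORE_ROOT/images/cache.php"  # obfuscation idiom
chmod 777 "$STORE_ROOT/images"; chmod 666 "$STORE_ROOT/images/cache.php"  # looser than 755/644
cat > "$DB_DUMP" <<'EOF'
INSERT INTO manufacturers VALUES (1,'ACME','acme.gif');
INSERT INTO banners VALUES (7,'promo','http://example.invalid/','<iframe src="http://example.invalid/x" width=0 height=0></iframe>');
INSERT INTO administrators VALUES (2,'admin','PLACEHOLDER_HASH');
EOF

# 1. Files named as a bare 32-hex-digit token (the "random decimal" files).
find_hexname_files() {
    find "$1" -type f | grep -E '/[0-9a-f]{32}$' || true
}

# 2. Content check that ignores timestamps: a *.php file whose first bytes are
#    not a PHP open tag has been replaced (admin/categories.php in the thread).
find_php_without_open_tag() {
    find "$1" -type f -name '*.php' | while read -r f; do
        head -c 5 "$f" | grep -q '^<?' || printf '%s\n' "$f"
    done
}

# 3. Obfuscation idioms commonly found in injected PHP (the WinGrep-style search).
find_suspect_php() {
    grep -rlE --include='*.php' 'eval\(base64_decode|gzinflate\(|str_rot13\(' "$1" || true
}

# 4. Permissions looser than step 6 allows: anything world-writable, plus a
#    configure.php that is writable by its owner (it should be 444).
find_loose_perms() {
    find "$1" \( -perm -0002 \) -o \( -name 'configure.php' -perm -0200 \)
}

# 5. HTML or script injected into database rows, searched in the SQL dump.
find_db_injections() {
    grep -nE '<(iframe|script)[ >]|eval\(' "$1" || true
}

# Run every check against the sample tree and print what each one flags.
for check in find_hexname_files find_php_without_open_tag find_suspect_php find_loose_perms; do
    echo "== $check"; "$check" "$STORE_ROOT"
done
echo "== find_db_injections"; find_db_injections "$DB_DUMP"
```

Point STORE_ROOT at the real downloaded copy and DB_DUMP at a fresh mysqldump to use it on a live cleanup; anything the checks list should be compared against a known-good copy of the same osCommerce version before it is deleted or re-uploaded in step 4.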