
Archived

This topic is now archived and is closed to further replies.

Snarg

Was this a hack attempt?


The site was chugging along with no problems at all until today. When I tried to access my site I got a 505 error. I called my host's tech support to report the problem. They took a look and said that my .htaccess file was not configured correctly. This was odd, since I have not touched that file for well over a year. I downloaded my .htaccess file to my computer and opened it up. There was a strange string appended to the end. I deleted the file from the server and uploaded a clean copy from my backup (Note to those who don't do this: Backup your site on a REGULAR basis!!). Once I did this, the site loaded back up, but a lot of my images were missing.

 

At this point, it may be important to note that English was NOT my tech support rep's primary language. I attempted to explain to her that I did not change my .htaccess file. She said the hosting service did not change it. So, if I didn't change it and they didn't change it, then who did? After about fifteen minutes of back and forth, attempting to get her to get my point, I ran out of time and patience. The site was working, sort of, and I would delve into the problem further when I had more time.

 

So, later on in the evening I started to dig around my site. The original .htaccess file was back in place but my images were messed up. When I FTP'd to my images folder, I found an .htaccess file in it. There was no .htaccess file in my backup of the site so, I figured, what the hell. I deleted the .htaccess file on my host. Sure enough, images came back up. Odd, right? Now I started to dig around the site and I found that there is an .htaccess file in every folder that has .php files. Below is a copy of what these .htaccess files had in them:

 

AddType application/x-httpd-php .php .phtml .php3 .php4 .php5 .htm .html
php_value auto_prepend_file /tmp/25454b22bf39c75795851f39d5e347c4

 

I have no clue what that means. I could not find a folder called '/tmp/25454b22bf39c75795851f39d5e347c4' on my site. If anyone could tell me what might have been going on, that would be appreciated.

 

Thank you in advance for any help you can provide.


@Scott,

 

 

The htaccess allows the hacker to execute php files from the folders that would not normally allow executions.

 

Follow these steps to clean and secure your website:

 

1) Lock down your site by using an .htaccess password so your customers are not attacked by the hackers code.

 

2) FTP all of the files to your local machine and use a program like WinGrep to identify and remove all malicious and anomalous files containing hacker code.

 

3) Delete the files on your hosting account before uploading the clean files.

 

4) FTP the clean files back to your hosting account and read and implement the security patches and contributions found in these two threads. Admin Security and Website Security.

 

5) Change all of your passwords: FTP, CPANEL, STORE ADMIN and DATABASE

 

6) Make sure File and Directory Permissions are set correctly. Directories no higher than 755, Files no higher than 644 and the TWO configure.php files no higher than 444

 

7) If your site has been 'black listed' as an attack site by Google, then log into Google Webmaster Tools and submit the site to be re-indexed and verified to be removed from the 'black list'

 

8) Remove the .htaccess password protection so your customers can resume making purchases from your website.

 

9) Monitor your website using the newly installed contributions to prevent future hacker attacks.

 

10) If you feel you cannot perform any of the above steps, PM me for help, because if you miss any of these steps your site may remain accessible to the hacker.

 

@Jonathan,

 

Wordpress is a known hacker vulnerability. Ensure you are using the latest WP to help prevent hacker attacks.

 

 

 

Chris


:|: Was this post helpful ? Click the LIKE THIS button :|:

 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)
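As an added example (not code from this thread or from osCommerce), the following POSIX shell script audits a web root against the ceilings given in step 6 above: directories no higher than 755, files no higher than 644, and the two configure.php files no higher than 444. It can also enforce them. The web root path and the demo tree it builds are constructed for the example; it assumes only POSIX find and chmod.

```shell
#!/bin/sh
# Added example for this thread (not osCommerce code): audit and enforce the
# permission ceilings from step 6. Assumptions: POSIX sh, find and chmod; the
# web root is passed in by the caller; make_demo builds a constructed tree
# with the usual mistakes so the checks can be exercised.

# Directories above 755: writable by group or other
loose_dirs() {
    find "$1" -type d \( -perm -020 -o -perm -002 \)
}

# Regular files (other than configure.php) above 644: group/other write or
# any execute bit
loose_files() {
    find "$1" -type f ! -name configure.php \
        \( -perm -020 -o -perm -002 -o -perm -100 -o -perm -010 -o -perm -001 \)
}

# The configure.php files above 444: any write or execute bit at all
loose_configure() {
    find "$1" -type f -name configure.php \
        \( -perm -200 -o -perm -020 -o -perm -002 \
           -o -perm -100 -o -perm -010 -o -perm -001 \)
}

# count_loose ROOT: total findings across the three checks
count_loose() {
    { loose_dirs "$1"; loose_files "$1"; loose_configure "$1"; } | wc -l | tr -d ' '
}

# enforce_perms ROOT: apply the ceilings wholesale (back the site up first)
enforce_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f ! -name configure.php -exec chmod 644 {} +
    find "$1" -type f -name configure.php -exec chmod 444 {} +
}

# make_demo: constructed osCommerce-like tree, normalised first so the result
# does not depend on the caller's umask, then loosened in three places
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/catalog/images" "$d/catalog/includes" "$d/catalog/admin/includes"
    printf '<?php\n' > "$d/catalog/includes/configure.php"
    printf '<?php\n' > "$d/catalog/admin/includes/configure.php"
    printf 'GIF89a\n' > "$d/catalog/images/logo.gif"
    enforce_perms "$d"
    chmod 777 "$d/catalog/images"                    # world-writable upload folder
    chmod 666 "$d/catalog/includes/configure.php"    # store config left writable
    chmod 755 "$d/catalog/images/logo.gif"           # execute bit on an "image"
    echo "$d"
}

# Usage: sh audit_perms.sh /path/to/webroot [fix]
if [ -n "${1:-}" ]; then
    loose_dirs "$1"
    loose_files "$1"
    loose_configure "$1"
    if [ "${2:-}" = fix ]; then
        enforce_perms "$1"
    fi
fi
```

The checks go no further than the ceilings the post names (group/other write bits, and execute bits on files); they say nothing about ownership, which is where hosts running suPHP or suexec differ, so confirm with your host before running the fix mode on a live account.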


This line

 

php_value auto_prepend_file /tmp/25454b22bf39c75795851f39d5e347c4

 

is telling the site to PREPEND (attach to the beginning of data) whatever that consists of, which could be absolutely anything (could be written on the fly, then removed).

 

So...yes, your site is hacked.


This is a signature that appears on all my posts.  
IF YOU MAKE A POST REQUESTING HELP...please state the exact version
of osCommerce that you are using. THANKS

 
Get the latest Responsive osCommerce CE (community edition) here


This happens also today on our root server.

 

The hacker created / modified about 45'000 .htaccess files with the following code:

 

AddType application/x-httpd-php .php .phtml .php3 .php4 .php5 .htm .html
php_value auto_prepend_file /tmp/25454b22bf39c75795851f39d5e347c4

 

But we didn't find out how the hacker logged in to our server.

There must be a security exploit in the software wordpress / oscommerce / magento or directly in apache?

 

Does anyone know if there is a security patch for this?

 

Best regards

dsone


Had exactly the same thing this AM on our site.

 

I also found a file called ____sh3llX.php that provides full access to our entire server! And is clearly something the hackers are using.

 

Worth checking to see if you have this as well.

 

Cheers, Adrian


@DunWeb:

 

Thank you for the reply. I'll start working on the steps you listed as soon as possible. I will probably have one or two questions for you though.

 

Any thoughts/ideas as to how they may have gained access?


Scott,

 

Oscommerce AND Wordpress have known vulnerabilities. You will find information in the two security thread links I sent in message #3, however you will need to check the Wordpress forums for their security patches and possibly need to update that software.

 

 

 

Chris



Chris,

 

I don't use WordPress, so at least I don't have to worry about that one. I sent you a PM, looking forward to your response.


OK, I've also found it in my OSC script. I've deleted everything in that directory and re-loaded clean backup - unfortunately this dreaded "output started at /tmp/25454b22bf39c75795851f39d5e347c4:386" is still there...

Is it possible it's somewhere in the database and if so - how to find it and remove it?


OK, found out it's in almost every folder on my account! It would take me forever, so I asked my host to go back a couple of days and I will stop the script till I can put some security measures in.

Too bad nobody warned us about this problem!


Chris,

 

The security issues with MS2.2 and up have been documented and patches available since mid 2009.

 

Too bad nobody warned us about this problem!

 

If you mean, 'too bad you don't have a website developer to keep your site up to date at all times'? Well, I am sure there are some here that offer paid support plans.

 

 

 

Chris



Chris,

 

The security issues with MS2.2 and up have been documented and patches available since mid 2009.

 

 

What is MS2.2????


BTW, this latest attack was this morning and many sites fell victim to it in spite of server security


OK, I've also found it in my OSC script. I've deleted everything in that directory and re-loaded clean backup - unfortunately this dreaded "output started at /tmp/25454b22bf39c75795851f39d5e347c4:386" is still there...

Is it possible it's somewhere in the database and if so - how to find it and remove it?

 

Gents, as this is an open forum, could you share your deliberations with the community? I have the same issue and it would help to see which bit of OSC is vulnerable.


Gents, as this is an open forum, could you share your deliberations with the community? I have the same issue and it would help to see which bit of OSC is vulnerable.

 

I'm not sure yet, but this same .htaccess stuff is hiding in almost every folder on the account.

I hope somebody can give us a real help.


Hi,

 

My client hosts two websites that use osCommerce on the same server, and both of them got hit with this attack 3 days in a row. After cleaning out the site several times, I can tell you what you should be looking for. First, all existing .htaccess files on your web server will most likely have the following code:

 

AddType application/x-httpd-php .php .phtml .php3 .php4 .php5 .htm .html

php_value auto_prepend_file /tmp/25454b22bf39c75795851f39d5e347c4

 

Delete this code from the bottom of the files. You will also find that just about every folder, including some outside of the catalog directory will have a new .htaccess file in it with the same script. It will be about 139 kilobytes in size. You'll need to go through the directories one by one using an FTP program and delete this file manually. If you come across a file that is larger in size download it and open it up in notepad, delete the script, and upload it back to the server.

 

Next, go to your catalog/images directory and delete any php, txt, log, or html files that don't belong there. I added my own .htaccess file to the images folder.

 

The hacker probably has access to your admin area and database, but changing your passwords is not enough. Use phpMyAdmin to access your database and delete any unknown usernames and passwords from the "administrators" table. I had about six entries that I didn't put there myself.

 

Change all your passwords. Install the recommended security add-ons. Keep your fingers crossed.

 

Good Luck,

 

Walt
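As an added example (not code from this thread or from osCommerce), here is a POSIX shell script that does the .htaccess sweep Walt describes: it lists every .htaccess under a web root that carries the auto_prepend_file directive, strips the two injected lines where the file also holds the site's own directives, and deletes the file outright where the injection is all it contains. The web root path and the demo tree it builds are constructed for the example; the two directive strings are the ones quoted in the thread, and it assumes only POSIX sh with find, grep and mktemp.

```shell
#!/bin/sh
# Added example for this thread (not osCommerce code): find and clean
# .htaccess files carrying the auto_prepend_file injection.
# Assumptions: POSIX sh with find, grep, mktemp; the web root path is supplied
# by the caller; make_demo builds a constructed tree for trying it out.

# The two lines quoted in the thread. Detection keys on the directive name
# only, so a copy that points at a different /tmp path is still caught.
INJECT_ADDTYPE='AddType application/x-httpd-php .php .phtml .php3 .php4 .php5 .htm .html'
INJECT_PREPEND='php_value auto_prepend_file /tmp/25454b22bf39c75795851f39d5e347c4'
MARKER='php_value auto_prepend_file'

# list_injected ROOT: print every .htaccess under ROOT containing the directive.
# A site that legitimately uses auto_prepend_file is listed too, so review
# the list before cleaning.
list_injected() {
    find "$1" -type f -name .htaccess -exec grep -lF "$MARKER" {} +
}

# count_injected ROOT: number of files list_injected reports
count_injected() {
    list_injected "$1" | wc -l | tr -d ' '
}

# clean_htaccess FILE: drop the two injected lines. Prints "deleted" when
# nothing but the injection was in the file (the per-folder copies the
# attacker dropped in), "stripped" when the site's own directives remain
# (the files the attacker appended to).
clean_htaccess() {
    f="$1"
    tmp="$f.clean.$$"
    grep -vF -e "$INJECT_ADDTYPE" -e "$MARKER" "$f" > "$tmp" || true
    if grep -q '[^[:space:]]' "$tmp"; then
        mv "$tmp" "$f"
        echo stripped
    else
        rm -f "$tmp" "$f"
        echo deleted
    fi
}

# scan_and_clean ROOT: clean every flagged file and report what was done
scan_and_clean() {
    list_injected "$1" | while IFS= read -r f; do
        printf '%s: %s\n' "$f" "$(clean_htaccess "$f")"
    done
}

# make_demo: constructed sample tree mirroring what the thread describes:
# the site's own .htaccess with the injection appended, an images folder
# with a dropped-in .htaccess, and an untouched folder.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/images" "$d/catalog"
    printf 'RewriteEngine On\n\n%s\n%s\n' "$INJECT_ADDTYPE" "$INJECT_PREPEND" > "$d/.htaccess"
    printf '%s\n%s\n' "$INJECT_ADDTYPE" "$INJECT_PREPEND" > "$d/images/.htaccess"
    printf 'Options -Indexes\n' > "$d/catalog/.htaccess"
    echo "$d"
}

# Usage: sh clean_htaccess.sh /path/to/webroot
if [ -n "${1:-}" ]; then
    scan_and_clean "$1"
fi
```

Run list_injected first and keep its output: the list of affected folders is the evidence of how far the intrusion reached, and it tells you which directories to inspect for the stray php, txt, log and html files Walt mentions. Cleaning the .htaccess files removes the loader, not the file in /tmp or whatever planted it, so the rest of the steps in this thread still apply.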


dealwititp

 

Could you please post your htaccess in the images folder?

 

 

Your .htaccess in your images folder should contain the following:

 


# $Id$
#
# This is used to restrict access to this folder to anything other
# than images

# Prevents any script files from being accessed from the images folder
<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
  Order Deny,Allow
  Deny from all
</FilesMatch>

 

And nothing else, so if yours contains anything other than the above code, delete it and replace it with the above.


Currently...:

 

Working with osCommerce 2.3.1

Now working with Phoenix

Add-Ons so far Installed:

Not all of these installed yet on Phoenix - some are and the rest will be

 

Add date and order number to invoice and packing slip,

Products Cycle Slideshow,

Detailed Monthly Sales,

Holiday Settings,

Tracking Module for 2.3


Had the same happen to me 2 days ago. Luckily no major damage. I was not sure how they got in, but since other oscommerce users have had the exploit and it is the only opensource app I have on the server it puts it at the top. I altered the site to use php safe mode and stopped the sessions from writing to the /tmp directory. So far so good. Have not moved the admin directory but am looking into it.

I'm sure keeping a close eye on the /tmp folder and sites for sure.


Hi everybody,

 

This is indeed caused by osCommerce. Many sites were compromised as a result, attacking .htaccess files wherever they struck (thank God for backups!)

 

Glancing at a few of the .php files, I noticed they do attack your database. Your configuration files are used. Change your DB password!

 

dealwititp made a good point, change your passwords, delete the .php files, update your OsCommerce, hide your kids, hide your wife... and hide your husband, cause they're raping everybody out here.

 

Take care everybody, good luck!


I've asked my host to delete the whole account and re-create it from a backup from before the attack, which was yesterday at 8:37 am, and it worked. I've changed passwords and added security features and keep my fingers crossed...
