Snarg posted January 25, 2011:

The site was chugging along with no problems at all until today. When I tried to access my site I got a 505 error. I called my host's tech support to report the problem. They took a look and said that my .htaccess file was not configured correctly. This was odd, since I have not touched that file for well over a year. I downloaded my .htaccess file to my computer and opened it up. There was a strange string appended to the end. I deleted the file from the server and uploaded a clean copy from my backup (note to those who don't do this: back up your site on a REGULAR basis!!). Once I did this, the site loaded back up, but a lot of my images were missing.

At this point, it may be important to note that English was NOT my tech support rep's primary language. I attempted to explain to her that I did not change my .htaccess file. She said the hosting service did not change it. So, if I didn't change it and they didn't change it, then who did? After about fifteen minutes of back and forth, attempting to get her to get my point, I ran out of time and patience. The site was working, sort of, and I would delve into the problem further when I had more time.

So, later on in the evening I started to dig around my site. The original .htaccess file was back in place, but my images were messed up. When I FTP'd to my images folder, I found an .htaccess file in it. There was no .htaccess file in my backup of the site so, I figured, what the hell. I deleted the .htaccess file on my host. Sure enough, the images came back up. Odd, right? Now I started to dig around the site and I found that there is an .htaccess file in every folder that has .php files. Below is a copy of what these .htaccess files had in them:

    AddType application/x-httpd-php .php .phtml .php3 .php4 .php5 .htm .html
    php_value auto_prepend_file /tmp/25454b22bf39c75795851f39d5e347c4

I have no clue what that means. I could not find a folder called '/tmp/25454b22bf39c75795851f39d5e347c4' on my site. If anyone could tell me what might have been going on, that would be appreciated. Thank you in advance for any help you can provide.
jonathanbj posted January 25, 2011:

The same thing happened to one of my Wordpress sites yesterday! Probably a hack!
Guest posted January 25, 2011:

@Scott, the .htaccess allows the hacker to execute PHP files from the folders that would not normally allow execution. Follow these steps to clean and secure your website:

1) Lock down your site by using an .htaccess password so your customers are not attacked by the hacker's code.
2) FTP all of the files to your local machine and use a program like WinGrep to identify and remove all malicious and anomalous files containing hacker code.
3) Delete the files on your hosting account before uploading the clean files.
4) FTP the clean files back to your hosting account and read and implement the security patches and contributions found in these two threads: Admin Security and Website Security.
5) Change all of your passwords: FTP, CPANEL, STORE ADMIN and DATABASE.
6) Make sure file and directory permissions are set correctly: directories no higher than 755, files no higher than 644 and the TWO configure.php files no higher than 444.
7) If your site has been 'black listed' as an attack site by Google, then log into Google Webmaster Tools and submit the site to be re-indexed and verified to be removed from the 'black list'.
8) Remove the .htaccess password protection so your customers can resume making purchases from your website.
9) Monitor your website using the newly installed contributions to prevent future hacker attacks.
10) If you feel you cannot perform any of the above steps, PM me for help, because if you miss any of these steps your site may remain accessible to the hacker.

@Jonathan, Wordpress is a known hacker vulnerability. Ensure you are using the latest WP to help prevent hacker attacks.

Chris
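Steps 2 and 6 above are the two parts of the procedure that can be scripted rather than done file by file over FTP. The POSIX shell script below is an added example for this thread, not code from the original posts or from osCommerce: it greps a downloaded copy of the site for strings that typically mark injected PHP (the `auto_prepend_file` directive from this thread, `eval(`, `base64_decode(` and similar decoders), then lists every directory above 755, every file above 644 and every configure.php above 444, and can apply those modes. The pattern list is a heuristic of this example, so treat hits as things to open and read, not as proof on their own; legitimate code can call `base64_decode`. Note also that `php_value auto_prepend_file` in .htaccess only takes effect when PHP runs as an Apache module and `AllowOverride` permits it, which is why the attacker bundled it with an `AddType` line.

```shell
#!/bin/sh
# Added example: audit a web root for injected PHP and for permissions looser
# than the thread's targets (dir 755 / file 644 / configure.php 444).
# The pattern list and the file-name set below are assumptions of this example.

# Strings that commonly appear in injected PHP and in the .htaccess payload
# described in this thread. Heuristic only; extend it with what you find.
SUSPECT_RE='auto_prepend_file|base64_decode[[:space:]]*\(|eval[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\('

# find_suspicious ROOT: print every PHP, HTML or .htaccess file under ROOT
# that matches SUSPECT_RE, one path per line. Always exits 0.
find_suspicious() {
    find "$1" -type f \( -name '*.php' -o -name '*.php[345]' -o -name '*.phtml' \
        -o -name '*.htm' -o -name '*.html' -o -name '.htaccess' \) -print0 \
      | xargs -0 grep -lE "$SUSPECT_RE" 2>/dev/null || true
}

# loose_permissions ROOT: print paths whose mode exceeds the targets:
#   directories writable by group or other      (above 755)
#   files writable by group/other or executable (above 644)
#   configure.php writable by anyone            (above 444)
loose_permissions() {
    root=$1
    find "$root" -type d -perm /022
    find "$root" -type f ! -name configure.php \( -perm /022 -o -perm /111 \)
    find "$root" -type f -name configure.php -perm /222
}

# fix_permissions ROOT: apply the targets from step 6 to the whole tree.
fix_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name configure.php -exec chmod 644 {} +
    find "$root" -type f -name configure.php -exec chmod 444 {} +
}

# Usage (hypothetical file name): sh audit.sh /path/to/local/copy/of/site
if [ "$#" -eq 1 ]; then
    echo "== files matching suspicious patterns =="
    find_suspicious "$1"
    echo "== paths with permissions above 755/644/444 =="
    loose_permissions "$1"
fi
```

Run `find_suspicious` against the local copy from step 2 before and after cleaning, and `fix_permissions` on the server copy only after the clean files are back in place; `loose_permissions` afterwards should print nothing.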
burt posted January 25, 2011:

This line

    php_value auto_prepend_file /tmp/25454b22bf39c75795851f39d5e347c4

is telling the site to PREPEND (attach to the beginning of data) whatever that consists of, which could be absolutely anything (could be written on the fly, then removed). So... yes, your site is hacked.
dsone posted January 25, 2011:

This happened today on our root server as well. The hacker created / modified about 45,000 .htaccess files with the following code:

    AddType application/x-httpd-php .php .phtml .php3 .php4 .php5 .htm .html
    php_value auto_prepend_file /tmp/25454b22bf39c75795851f39d5e347c4

But we didn't find out how the hacker logged in to our server. There must be a security exploit in the software (wordpress / oscommerce / magento) or directly in apache? Does anyone know if there is a security patch for this?

Best regards
dsone
Padstow posted January 25, 2011:

Had exactly the same thing this AM on our site. I also found a file called ____sh3llX.php that provides full access to our entire server! And is clearly something the hackers are using. Worth checking to see if you have this as well.

Cheers,
Adrian
dsone posted January 25, 2011:

I checked the server now, we don't have this file... so they must have come through another way...
Snarg (author) posted January 25, 2011:

@DunWeb: Thank you for the reply. I'll start working on the steps you listed as soon as possible. I will probably have one or two questions for you though. Any thoughts/ideas as to how they may have gained access?
Guest posted January 25, 2011:

Scott, Oscommerce AND Wordpress have known vulnerabilities. You will find information in the two security thread links I sent in message #3, however you will need to check the Wordpress forums for their security patches and possibly need to update that software.

Chris
Snarg (author) posted January 25, 2011:

Chris, I don't use WordPress, so at least I don't have to worry about that one. I sent you a PM, looking forward to your response.
dowser posted January 26, 2011:

OK, I've also found it in my OSC script. I've deleted everything in that directory and re-loaded a clean backup; unfortunately this dreaded "output started at /tmp/25454b22bf39c75795851f39d5e347c4:386" is still there... Is it possible it's somewhere in the database and if so, how to find it and remove it?
dowser posted January 26, 2011:

OK, found out it's in almost every folder on my account! It would take me forever, so I asked my host to go back a couple of days and I will stop the script till I can put some security measures in. Too bad nobody warned us about this problem!
Guest posted January 26, 2011:

Chris, the security issues with MS2.2 and up have been documented and patches available since mid 2009.

dowser wrote: "Too bad nobody warn us about this problem!"

If you mean, 'too bad you don't have a website developer to keep your site up to date at all times'? Well, I am sure there are some here that offer paid support plans.

Chris
dowser posted January 26, 2011:

Chris wrote: "The security issues with MS2.2 and up have been documented and patches available since mid 2009."

What is MS2.2????
dowser posted January 26, 2011:

BTW, this latest attack was this morning and many sites fell victim to it in spite of server security.
Guest posted January 26, 2011:

dowser wrote: "OK, I've also found it in my OSC script. I've deleted everything in that directory and re-loaded clean backup - unfortunately this dreaded "output started at /tmp/25454b22bf39c75795851f39d5e347c4:386" is still there... Is it possible it's somewhere in the database and if so - how to find it and remove it?"

Gents, as this is an open forum, could you share your deliberations with the community? I have the same issue and it would help to see which bit of OSC is vulnerable.
dowser posted January 26, 2011:

Guest wrote: "Gents, as this is an open forum, could you share your deliberations with the community? I have the same issue and it would help to see which bit of OSC is vulnerable."

I'm not sure yet, but this same .htaccess stuff is hiding in almost every folder on the account. I hope somebody can give us some real help.
dealwititp posted January 26, 2011:

Hi,

My client hosts two websites that use oscommerce on the same server, and both of them got hit with this attack 3 days in a row. After cleaning out the site several times, I can tell you what you should be looking for.

First, all existing .htaccess files on your web server will most likely have the following code:

    AddType application/x-httpd-php .php .phtml .php3 .php4 .php5 .htm .html
    php_value auto_prepend_file /tmp/25454b22bf39c75795851f39d5e347c4

Delete this code from the bottom of the files. You will also find that just about every folder, including some outside of the catalog directory, will have a new .htaccess file in it with the same script. It will be about 139 kilobytes in size. You'll need to go through the directories one by one using an FTP program and delete this file manually. If you come across a file that is larger in size, download it and open it up in notepad, delete the script, and upload it back to the server.

Next, go to your catalog/images directory and delete any php, txt, log, or html files that don't belong there. I added my own .htaccess file to the images folder.

The hacker probably has access to your admin area and database, but changing your passwords is not enough. Use PhpMyAdmin to access your database and delete any unknown usernames and passwords from the "administrators" table. I had about six entries that I didn't put there myself. Change all your passwords. Install the recommended security add-ons. Keep your fingers crossed.

Good Luck,
Walt
Follkes posted January 26, 2011:

dealwititp, could you please post your .htaccess in the images folder?
Xpajun posted January 26, 2011:

Follkes wrote: "dealwititp, could you please post your .htaccess in the images folder?"

Your .htaccess in your images folder should contain the following:

    # $Id$
    #
    # This is used to restrict access to this folder to anything other
    # than images
    # Prevents any script files from being accessed from the images folder
    <FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
    Order Deny,Allow
    Deny from all
    </FilesMatch>

And nothing else, so if yours contains anything other than the above code, delete it and replace it with the above.
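Walt's post above describes the manual sweep (strip the two injected lines from .htaccess files that already existed, delete the ones the attacker created, then clear scripts out of catalog/images), and Xpajun's post gives the .htaccess that should be left in the images folder. The POSIX shell script below is an added example that automates that sweep; it is not code from either poster or from osCommerce. It assumes the injected block looks exactly like the one quoted in this thread (an `AddType` line that maps .htm/.html to PHP plus a `php_value auto_prepend_file` line), deletes a .htaccess only when nothing else remains after those lines are removed, and lists rather than deletes the foreign files in images/ so that you can look at each one before it goes. Run it against the server-side tree over SSH, or against a local copy that you then upload.

```shell
#!/bin/sh
# Added example: remove the injected .htaccess directives described in this
# thread and re-harden the images folder. Patterns below are assumptions
# based on the two lines quoted by the posters.

# A line is treated as injected if it is the AddType line that makes .htm/.html
# execute as PHP, or any php_value auto_prepend_file line.
INJECTED_RE='^[[:space:]]*(AddType[[:space:]]+application/x-httpd-php[[:space:]].*\.html?([[:space:]]|$)|php_value[[:space:]]+auto_prepend_file[[:space:]])'

# clean_htaccess FILE: strip injected lines. Prints one of
#   "ok FILE"       nothing injected was found
#   "cleaned FILE"  injected lines removed, legitimate rules kept
#   "deleted FILE"  the file contained nothing but the injected lines
clean_htaccess() {
    f=$1
    if ! grep -qE "$INJECTED_RE" "$f"; then
        echo "ok $f"
        return 0
    fi
    tmp=$(mktemp)
    grep -vE "$INJECTED_RE" "$f" > "$tmp" || true   # grep -v exits 1 when it keeps nothing
    if [ -z "$(tr -d '[:space:]' < "$tmp")" ]; then
        rm -f "$tmp" "$f"
        echo "deleted $f"
    else
        cat "$tmp" > "$f"     # rewrite in place so mode and owner are kept
        rm -f "$tmp"
        echo "cleaned $f"
    fi
}

# sweep_htaccess ROOT: run clean_htaccess on every .htaccess under ROOT.
# (Paths containing newlines are not handled; web roots do not have them.)
sweep_htaccess() {
    find "$1" -type f -name .htaccess -print | while IFS= read -r f; do
        clean_htaccess "$f"
    done
}

# foreign_in_images DIR: list the file types Walt says do not belong in images/.
foreign_in_images() {
    find "$1" -type f \( -iname '*.php*' -o -iname '*.phtml' -o -iname '*.txt' \
        -o -iname '*.log' -o -iname '*.htm' -o -iname '*.html' \)
}

# write_images_htaccess DIR: install the deny rule from Xpajun's post,
# replacing whatever .htaccess is there.
write_images_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Prevents any script files from being accessed from the images folder
<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
Order Deny,Allow
Deny from all
</FilesMatch>
EOF
}

# Usage (hypothetical file name): sh sweep.sh /path/to/site/catalog
if [ "$#" -eq 1 ]; then
    sweep_htaccess "$1"
    echo "== files that do not belong in $1/images =="
    foreign_in_images "$1/images"
fi
```

Two caveats: `Order`/`Deny from` are Apache 2.2 syntax (mod_access_compat on 2.4), so on an Apache 2.4 host the equivalent is `Require all denied` inside the same `FilesMatch`; and as dsone's 45,000-file count shows, the sweep must cover the whole account, not only the catalog directory, or the attacker's new .htaccess files outside it survive.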
fast928 posted January 26, 2011:

Had the same happen to me 2 days ago. Luckily no major damage. I was not sure how they got in, but since other oscommerce users have had the exploit and it is the only opensource app I have on the server it puts it at the top. I altered the site to use php safe mode and stopped the sessions from writing to the /tmp directory. So far so good. Have not moved the admin directory but am looking into it. I'm sure keeping a close eye on the /tmp folder and sites for sure.
bugmenot posted January 26, 2011:

Hi everybody,

This is indeed caused by OsCommerce. Many sites were compromised as a result, attacking .htaccess files wherever they struck (thank God for backups!). Glancing at a few of the .php files, I noticed they do attack your database. Your configuration files are used. Change your DB password!

dealwititp made a good point: change your passwords, delete the .php files, update your OsCommerce, hide your kids, hide your wife... and hide your husband, cause they're raping everybody out here.

Take care everybody, good luck!
dowser posted January 26, 2011:

I've asked my host to delete the whole account and re-create it from a backup from before the attack, which was yesterday at 8:37 am, and it worked. I've changed passwords and added security features and keep my fingers crossed...
Follkes posted January 27, 2011:

Thank you Xpajun. Yours is more restrictive.. XD
spoofy posted January 27, 2011:

So, was anyone able to figure out how the sites were hacked?