sunshynecraftsbeads

Website has been Hacked


Hi,

 

Last night when I was on my website I noticed some changes made to my items so I did the security check from my website admin and it showed that someone had made a bunch of changes to my website. It provided me with a list of areas that changes were made.

 

Today I went to sign in to my website/admin ( actually different ) but it will not allow me to sign in.

 

Error: Invalid administrator login attempt.

 

I have looked at my website www.sunshynecraftsbeads.com and it is still up and running.

 

I know my password so I know that I am typing it in right. Is there anything I can do ???

 

Thank you in advance,

Tracie


Tracie, access your database via phpMyAdmin, BROWSE the administrators table and EMPTY it. Now go back to your admin login; it will tell you there are no administrators and request you to enter one with a password. Do this and then log in with your new user name and password.



Tracie,

 

In the past few months I have cleaned several websites where the hackers have changed the password validation file so no matter how many times you truncate your administrators table (as Julian suggested) and re-create your username and password, you will always receive the 'Invalid Administrator' error.

 

If you have a clean backup, I suggest uploading clean copies of these files into your admin:

 

/admin/administrators.php

/admin/index.php

/admin/login.php

/admin/includes/functions/password_funcs.php

/admin/includes/functions/validations.php

 

However, you will also need to identify and remove the anomalous files and malicious code from your website and then apply the security patches found in the security forum. Once that is done, install the security contributions.

 

 

Chris


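Added example, not part of the original thread and not osCommerce code: one way to carry out the check described in the post above, comparing the live admin directory against a known-clean backup by SHA-256 so that altered, missing and unexpected files are listed, with the five files named in the post flagged for restoring. The function names and the sample trees built in `demo()` are constructed for this illustration.

```python
import hashlib
import os
import tempfile

# Files named in the post, relative to the admin directory (whatever it is called).
KEY_FILES = [
    "administrators.php",
    "index.php",
    "login.php",
    "includes/functions/password_funcs.php",
    "includes/functions/validations.php",
]

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def list_files(root):
    """Relative paths (forward slashes) of every file under root."""
    found = set()
    for base, _dirs, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(base, name), root)
            found.add(rel.replace(os.sep, "/"))
    return found

def compare_admin(clean_admin, live_admin):
    """Compare the live admin tree against a known-clean copy by SHA-256."""
    clean, live = list_files(clean_admin), list_files(live_admin)
    modified = sorted(
        p for p in clean & live
        if sha256_of(os.path.join(clean_admin, p)) != sha256_of(os.path.join(live_admin, p))
    )
    missing = sorted(clean - live)   # in the backup, gone from the server
    extra = sorted(live - clean)     # on the server, never in the backup
    restore = sorted(p for p in KEY_FILES if p in modified or p in missing)
    return {"modified": modified, "missing": missing, "extra": extra,
            "key_files_to_restore": restore}

def demo():
    """Constructed sample trees: one altered key file, one deleted file,
    and one file that was never part of the backup."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        for root in (clean, live):
            for rel in KEY_FILES:
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w") as f:
                    f.write("<?php // original " + rel + "\n")
        with open(os.path.join(live, "login.php"), "a") as f:
            f.write("// altered after the backup was taken\n")
        os.remove(os.path.join(live, "includes/functions/validations.php"))
        with open(os.path.join(live, "includes/x.php"), "w") as f:
            f.write("<?php // constructed stand-in for an unknown file\n")
        return compare_admin(clean, live)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run against real directories, call `compare_admin()` with the path of the unpacked clean backup and the path of a downloaded copy of the live admin directory; files listed under `extra` are the candidates to review as anomalous.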

Thank you so much for the quick reply.

 

I have gone to the website phpMyAdmin and I am not sure how I am to get my database there to make the changes. I add my website to the database and the following information came up which is all foreign to me. I am totally lost here.

 

 

Error

MySQL said:

 

#1045 - Access denied for user 'root'@'localhost' (using password: NO)

 

Connection for controluser as defined in your configuration failed.

phpMyAdmin tried to connect to the MySQL server, and the server rejected the connection. You should check the host, username and password in your configuration and make sure that they correspond to the information given by the administrator of the MySQL server.

Current Server: (Servers) ... MySQL (root) MariaDB (root) Drizzle (root)

 

Warning in ./libraries/dbi/mysqli.dbi.lib.php#111

mysqli_real_connect(): (28000/1045): Access denied for user 'pma'@'localhost' (using password: YES)

 


Tracie,

 

Using phpmyadmin, you can see all of the database tables. Select the administrators table and truncate it (empty it). DO NOT DELETE IT.

 

Then, go to your admin url again and it will tell you there are NO administrators and you must create one. So, create an administrator account and try to log into your admin area again. HOPEFULLY, it will let you in. If not, you may have to do as I suggested above, replacing the key files associated with your administrator account.

 

 

Chris



Hi Chris,

 

I do not see the administration tables you are referring to. This is what I am getting. Am I in the wrong area ? Please advise and thank you so much for your time.

 

MySQL phpmyadmin

Structure | SQL | Search | Tracking | Query | Export | Import | Designer | Operations | Privileges | Drop

Table                 Records  Type    Collation  Size      Overhead
pma_bookmark          0        MyISAM  utf8_bin   1.0 KiB   -
pma_column_info       0        MyISAM  utf8_bin   4.0 KiB   -
pma_designer_coords   0        MyISAM  utf8_bin   2.0 KiB   -
pma_history           0        MyISAM  utf8_bin   4.0 KiB   -
pma_pdf_pages         0        MyISAM  utf8_bin   1.0 KiB   -
pma_relation          1        MyISAM  utf8_bin   9.1 KiB   -
pma_table_coords      0        MyISAM  utf8_bin   2.0 KiB   -
pma_table_info        0        MyISAM  utf8_bin   2.0 KiB   -
pma_tracking          0        MyISAM  utf8_bin   2.0 KiB   -
pma_userconfig        0        MyISAM  utf8_bin   1.0 KiB   -
10 table(s) Sum       1        MyISAM  utf8_bin   28.1 KiB  0 B

 

Check All / Uncheck All With selected: Empty Drop Print view Check table Optimize table Repair table Analyze table Export

--------------------------------------------------------------------------------


Tracie,

 

It doesn't appear you are looking at the correct database. There should be 46+ tables in the osCommerce database.

 

 

 

 

Chris



Hi Chris,

 

Thank you so much. I have figured it out. I did not have my own cpanel available so I was looking for oscommerce admin on the website provided. Dah.. Once I had my cpanel back I was able to change the password and I now have access to my account.

 

I did a manual check for hacked files using my site monitor but it is saying that there are no hacked files although some of my products have been partly removed. I also have the FWR Security Pro value as true and file exclusions "on".

 

Is there anything more that I can do once I have found all the files that have been hacked? I am not sure what to look for but I will go through the folders slowly and hopefully I catch them all.

 

Thank you so much for your help. As always it just shows how great oscommerce is with amazing staff helping others. I am truly grateful to all of you who work so hard for all of us.


If you installed the must-have security patches then site monitor can check for the suspicious strings; you might want to install VTS as well.

 

Links to threads listing all the changes required are in my profile/about me pages.

 

I need to update VTS as I have just found a couple of new strings that need to be checked for, am on a public PC at the moment and don't have access to these strings.

 

HTH

 

G



Hello,

 

I have been away in hospital and just returned to find that my website does not exist. It was there earlier today as I deleted all my products because every time I tried to correct a hacked product it would disappear again.

 

Now it says I do not have an admin. I printed off the information you gave me about securing my site and found this message;

 

1146 - Table 'tracie_osc1.administrators' doesn't exist

 

select id from administrators limit 1

 

[TEP STOP]

 

Is there anything I can do at this point ?

 

I went into my phpmyadmin and the admin is not under tracie_osc1 (46)

 

There is however a folder in my database called

 

information_schema (17)

 

I have no idea what this is ??

 

 

Does anyone have any suggestions on what I can do at this point ?

 

Thank you kindly,

Tracie


Tracie,

 

 

Is the OSC1 database still there and how many tables are in it ?

 

 

 

Chris



OK Tracie,

 

I think that you DROPPED the table instead of TRUNCATING it. One deletes it, the other empties it.

 

So, you need to create the table again.

 

DROP TABLE IF EXISTS administrators;
CREATE TABLE administrators (
  id int NOT NULL auto_increment,
  user_name varchar(255) binary NOT NULL,
  user_password varchar(60) NOT NULL,
  PRIMARY KEY (id)
);

 

 

Chris



Hi Chris,

 

I am in my phpmyadmin

 

At the bottom there is an area that says create new table on database tracie_osc1

 

It asks for a name : I entered " administrators "

 

It then takes me to the following area that has the following information;

 

Field - 2 blank boxes next to it

Type - 2 boxes that have INT in both

Length/Values - 2 Boxes that are blank

Default - 2 boxes that both say None and has a drop down list

Collation - 2 boxes that have a drop down list

Attributes - 2 Blank boxes that has a drop down list

Null - 2 boxes that can be ticked

Index - 2 boxes that are blank but has drop down list

Auto_Increment - 2 boxes that can be ticked

Comments - 2 boxes to include information

 

Then below that information it has the following;

 

Table comments, Storage Engine ( with drop down list ), Collation ( with drop down list )

 

Then it tells me to " save " or add a # field then " go "


Tracie,

 

Use the SQL tab to enter the statement above. Don't use insert table.

 

 

 

 

Chris



Thanks Chris. That worked. I am able to sign in to my admin now.

 

I noticed that when I do a manual check for hacked files using my site monitor it is telling me that it can not open my configure file so I am assuming that was hacked as well.

 

Thank you so much for your help.

Tracie

"site monitor it is telling me that it can not open my configure file"

 

Check the permissions first before assuming that.

 

 

Chris



Tracie,

 

Are you certain your site was cleaned? Check your admin login URL again. Check the admin/includes/configure.php file for the correct paths.

 

 

 

Chris



Hi Chris,

 

I have checked my admin log on again and I keep getting this ; http://gogvo.com/404.html

 

No, I am not certain that all my files are clean as I can not get into them to check and the site monitor is not working when I was able to get into my admin.

 

I do not have a admin/includes/configure.php

The configure file is in public_html/includes/configure.php

 

 

My configure.php file is below. I have changed the password to XXXXX for this posting;

 

<?php
define('HTTP_SERVER', 'http://sunshynecraftsbeads.com');
define('HTTP_CATALOG_SERVER', 'http://sunshynecraftsbeads.com');
define('HTTPS_CATALOG_SERVER', 'https://sunshynecraftsbeads.com');
define('ENABLE_SSL_CATALOG', false);
define('DIR_FS_DOCUMENT_ROOT', '/home/tracie/public_html/');
define('DIR_WS_ADMIN', '/cassidy/');
define('DIR_FS_ADMIN', '/home/tracie/public_html/cassidy/');
define('DIR_WS_CATALOG', '/');
define('DIR_FS_CATALOG', '/home/tracie/public_html/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

define('DB_SERVER', 'localhost');
define('DB_SERVER_USERNAME', 'tracie_osc1');
define('DB_SERVER_PASSWORD', 'XXXXXX[XXXXX');
define('DB_DATABASE', 'tracie_osc1');
define('USE_PCONNECT', 'false');
define('STORE_SESSIONS', 'mysql');
?>

 

Thank you again,

Tracie


Hi Chris,

 

No, I am not certain that my files are clean. I can not get into them to check and I don't know exactly what I am looking for.

 

I tried to sign in to my admin again with no luck.

 

I do not have a admin/includes configure.php

 

It is in the public_html/includes/configure.php

 

 

Here is what it is telling me. I have changed the password for the posting here to XXXXX XXXXX.

 

<?php
define('HTTP_SERVER', 'http://sunshynecraftsbeads.com');
define('HTTPS_SERVER', 'https://sunshynecraftsbeads.com');
define('ENABLE_SSL', false);
define('HTTP_COOKIE_DOMAIN', 'sunshynecraftsbeads.com');
define('HTTPS_COOKIE_DOMAIN', 'sunshynecraftsbeads.com');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
define('DIR_FS_CATALOG', '/home/tracie/public_html/');
define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

define('DB_SERVER', 'localhost');
define('DB_SERVER_USERNAME', 'tracie_osc1');
define('DB_SERVER_PASSWORD', 'XXXXXX[XXXXX');
define('DB_DATABASE', 'tracie_osc1');
define('USE_PCONNECT', 'false');
define('STORE_SESSIONS', 'mysql');
?>

 

Does this help ? I am so lost now.

Tracie


Tracie,

 

You MUST have a youradmindirectory/includes/configure.php for your admin area to function.

 

 

The configure.php file you provided looks normal enough, but your admin has been corrupted or compromised. You need to look at your files from your hosting provider's file manager or your FTP to determine what the condition is.

 

 

 

Chris



Thanks Chris.

 

I talked to someone from my host provider and they just told me to re install oscommerce so I am not getting any help there. I think I may have to do it because every time I try to upload a php from my person folders on my computer I get C:\fakepath\files.def: 1.21 KB Complete

 

Thank you for your help and patience. It was greatly appreciated.

 

Tracie
