Files injected into images directory

[elgaxton]

Good Day everyone,

 

I have been reading your comments and I just need to know one thing.

 

What code am I supposed to use to stop spammers from injecting files into my images folder and anytime

I want to update the store, the hackers starts to injects his files into my images folder.

 

So how does the spammer know that I am online. Its really annoying because

I'm not yet through with updating the contents of the store.

I hav done the 5 security must have for oscommerce but the sitemonitor seems not to be working properly.

 

Someone please help.

 

Thanks

[Taipo]

Try this addon http://addons.oscommerce.com/info/7834

 

Within it is the patch for the security hole that is allowing attackers to exploit a security hole in your sites code (assuming you are using 2.2 RC1/RC2).

 

The spamming just goes on all the time, its mostly automated eldaxton. Attack servers troll through search engines for vulnerable sites and once found, a volley of attacks are levelled with the hopes that one of them will be successful. On an unpatched osCommerce 2.2 RC1/RC2 site, these attacks will be mostly successful at least at seeding your site with shell code ready for the next phase of attacks which include the iFrame attack.

 

Also it is a good idea to install htpasswd user authentication on your admin directory as well, in fact that is the best security for protecting admin directories whether you have renamed them or not.

 

After that its a lot of cleaning out of your code to make sure that no files have had code added to them via the files that are being uploaded into your images directory.

[web-project]

The admin bypass exploit would not be caught in the above htaccess code, and that is the basis of 99% of oscommerce problems.

I agree that some luck of security issue in oscommerce code, but the SQL injection via URL can be stop using very secure server and .htaccess code which I have provided above.

if you add addition security in the image folder, you can get very secure oscommerce shop.

[Taipo]

It will certainly prevent most URL injection attempts, unfortunately the main player in hacking osCommerce websites older than 2.3.1 is a simple appending of the login.php file to any admin files. For example, www.somesite.com/admin/administrators.php/login.php on an unprotected admin directory will result in giving the attacker full access to the admin directory, in this particular case the list of administrators and the ability to add, edit and delete administrators by the use of an external form.

 

From there the attacker is able to upload files at the very least into the images directory, or manipulate any files they please if the user still has filemanager.php install, or place obsfuscated attack code into the language files via the language files editor. They could also steal credit card details if they are stored on the site, take customer details, emails, sales, spam your customer database......all without making one solitary single sql injection.

 

Thats the exploit I am referring to, and its the most common exploit that is used by this distributed attack system against the likes of osCommerce, to seed the sites with shell code into writable files and writable directories and from there they are then used as phase two in the attack - since the shell code will give the attacker as much access to your site and server as would any filemanager.

 

htaccess is one way of locking up an admin directory and if your site has not yet been hacked then that is the best way to go. But too many users who have been hacked, then did what they thought was a thorough cleanup, added htaccess, changed the name of their admin directory, and bam, hacked again, because they missed either one of the attack files or a small piece of code that was left in the site files as a backdoor to either allow an attacker to 'read' the site contents, therefore find the new name of the admin directory, and/or allow them to upload more files and start the attack all over again.

 

This attack vector has been going on with osCommerce sites for years and everything else under the sun is often and has been blamed for the sites being hacked except the real reason and that is a reluctance of users to upgrade to the latest stable version. One wonders why anyone would put site layout before site security when your entire business will go up in flames if site visitors perceive your site to be insecure becaue it is being so regularly hacked.

 

Part of the blame there lays with the developers who have not provided an easy method to transition from the older versions to the new. Users of other systems have become accustomed to database importers and other automated updater files that allow for an easier transition from the older versions to the new. Because of that norm, it has allowed for a whole other range of site admin who do not possess the level of coding skill to manually update a site from one version to another.

 

The rest of the blame lays with people who if it were a physical store that was being robbed, would shell out some cash to get a security system installed by a contractor that would protect their store, their store contents and the perception to their customers that they are a secure retailer.

 

I myself do not offer a security cleanup service but my advice to people is that if you do not know how to properly secure your sites then ask someone in the forums to do it for you. These forums are teeming with eager security specialists who do this sort of thing for a living.

 

So to those security specialists who fit that category, heres a little tidbit of advice. You really need to know what the root cause of the attacks are since youa re providing that as a service, and its more than just the injection issues into the database, while injection protection should be the industry standard for any web portal, and the htaccess file that web-project has provided is up there with the best, that alone will not prevent what is a 2 to 3 tierred attack that is being levelled at these sites.

 

Stop it at the first phase and there is no second phase (database injections) or third phase (redirect iFrames). The first phase is the admin bypass expoit, the appending of the login.php to admin files. It is an issue with the way the earlier site codes wrongly determine the $PHP_SELF code in the application_top.php files. The best security is not to hide faulty code from attackers but to fix the faulty code.

 

The two pieces of code in question that have been the root cause of almost all of the grief for osCommerce users are:

 

Administration Tool Log-In Update

 

and

 

Update PHP_SELF Value

 

Left unpatched, these two accumulate to be what I refer to as the Admin Bypass Exploit.

 

Although there are other less known means of hacking early versions of osCommerce, this one makes up the bulk of the attacks and is the first phase of the larger attack system.

 

Patch those two pieces of code and the rest is history.

[jmose]

Elgaxton,

 

If you are still having this problem, I bet it is because your 'configuration' table has been infected. This is causing your site to look like it is constantly being hacked, when really, you are creating these image files yourself. The webpages are dynamically built from the 'configuration' table (among others) as needed.

 

To find out if this is the case, look at posts #19 & #21 in this thread.

 

HTH,

Jim