
Froglet

Client E-Mail Attack


I have just been e-mailed by a client saying that they have received the following from our shop e-mail as follows: -

 

"Your deposit temporarily blocked #5633 (Name).‏

01:32

From: Our Shop (Our Shop E:Mail)

Sent: date 2011 time

To: client

Your deposit being temporarily blocked until the verification is complete.This is for security reasons, to help protect against card fraud, but can be inconvenient.All credits cards used must be in the casino account holders name, and not be lined in any way to a business. More detailed information is available by reviewing the URLs listed in http://inforeseau.net/details/ .

Signed off using Our Shop Name"

Attachments, pictures and links in this message have been blocked for your safety.

 

We assume this is malware and would like advice on how to stop this from happening again.

 

Best Regards

Sam


Sam,

You are correct in assuming your site has been hacked. The details of this particular exploit are covered in another thread on this forum. However, the basic idea still remains: you must clean and secure your website. Follow these steps to complete that process:

 

Your website has been hacked !

 

Follow these steps to clean and secure your website:

 

1) Lock down your site by using an .htaccess password so your customers are not attacked by the hacker's code.

 

2) FTP all of the files to your local machine and use a program like WinGrep to identify and remove all malicious and anomalous files containing hacker code. Look for keywords such as 'base64','eval','decode'.

 

3) Delete the files on your hosting account before uploading the clean files.

 

4) FTP the clean files back to your hosting account and read and implement the security patches and contributions found in these two threads: Admin Security and Website Security.

 

5) Change all of your passwords: FTP, CPANEL, STORE ADMIN and DATABASE

 

6) Make sure file and directory permissions are set correctly: directories no higher than 755, files no higher than 644, and the TWO configure.php files no higher than 444.

 

7) If your site has been 'black listed' as an attack site by Google, then log into Google Webmaster Tools and submit the site to be re-indexed and verified so it is removed from the 'black list'.

 

8) Remove the .htaccess password protection so your customers can resume making purchases from your website.

 

9) Monitor your website using the newly installed contributions to prevent future hacker attacks.

 

10) If you feel you cannot perform any of the above steps, you should seek professional help to ensure all malware is removed.

 

 

Chris




Dear Chris,

 

Thanks for the advice; I will try going through the steps.

 

When looking for keywords such as 'base64' should there be any osCommerce files with this keyword?

 

Such as 'function add_attachment($file, $name = '', $c_type='application/octet-stream', $encoding = 'base64') {'

 

The only reason I ask is that a clean backup from two years ago also contains these keywords; however, I have never had problems until recently.

 

Regards

Sam


Sam,

 

Yes, there are some instances of those keywords; check every instance for anomalous code.

Chris


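Step 2 (grep the downloaded files for 'base64', 'eval', 'decode') together with Chris's later point that legitimate files contain those keywords too, so every hit must be inspected, can be turned into a small triage script. This is an added example, not code from the thread or from osCommerce: it reports a plain keyword hit such as the 'base64' encoding name in add_attachment separately from decode-and-execute chains, eval of a variable, the preg_replace /e modifier and very long base64 literals (indicators beyond the thread's three keywords, added here), and it assumes Python 3 and the site files downloaded to a local directory as in step 2.

```python
"""Triage for step 2: grep for base64/eval/decode but rank the hits, so legitimate
uses ('base64' as an encoding name) are separated from decode-and-execute chains."""
import re
from pathlib import Path

# Strong indicators of injected PHP: execute-what-you-decode chains, the
# deprecated preg_replace /e modifier, and very long base64 string literals.
HIGH_RISK = [
    re.compile(r"eval\s*\(\s*(gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I),
    re.compile(r"eval\s*\(\s*\$\w+\s*\)", re.I),  # eval of a variable
    re.compile(r"preg_replace\s*\(\s*['\"]/.*?/[a-z]*e[a-z]*['\"]", re.I),
    re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
]
# Plain keyword hits from the thread's list: worth a look, often legitimate.
KEYWORDS = re.compile(r"base64|eval|decode", re.I)

def classify_line(line):
    """Return 'high', 'keyword' or None for one line of PHP source."""
    if any(p.search(line) for p in HIGH_RISK):
        return "high"
    if KEYWORDS.search(line):
        return "keyword"
    return None

def scan_source(text):
    """Return [(line_no, level, stripped_line)] for every line worth reviewing."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        level = classify_line(line)
        if level:
            findings.append((no, level, line.strip()))
    return findings

def scan_tree(root):
    """Scan every *.php file under root (e.g. the FTP download from step 2)."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample: the legitimate add_attachment signature quoted in the
# thread next to an injected decode-and-eval line (payload decodes to 'hello').
SAMPLE_PHP = """<?php
function add_attachment($file, $name = '', $encoding = 'base64') {
  return $file;
}
eval(base64_decode('aGVsbG8='));
?>"""
```

Review the 'high' lines first, then walk through the 'keyword' lines against the clean two-year-old backup; a line that appears identically in the backup is almost certainly legitimate.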
