Archived

This topic is now archived and is closed to further replies.

Laurentius

Feels like my website is being hacked...

Hi there,

For some days now, our catalog has seemed very slow, and it looks like it has been hacked.

Below all catalog pages we can see a new banner stating "We are sorry - We are having updates - Please get back shortly".

 

I've not yet found the infected page, but can someone help me in my quest?

 

The admin part seems clean so far...

 

Thanks for all your help

 

Laurent

 

osCommerce 2.2

MacOS Lion


Check the code for infection. Does your antivirus show that you have a virus on your website?


Please read this line: Do you want to find all the answers to your questions? Click here. As for the contribution database, it's located here!

8 people out of 10 don't bother to read installation manuals. My recommendation: if you can't read the installation manual, don't bother to install any contribution yourself.

Before installing a contribution or editing/updating/deleting any files, do a full backup; it will save you and everyone here on the forum time fixing your issues.

Any issues with oscommerce, I am here to help you.


You can install osC VTS and Site Monitor to try to track down infected files.

 

There are some tips and good links in my profile which should be of use.

 

HTH

 

G


Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.


A similar problem for one of my clients' websites.

 

I think the backend and database of the site is untouched. I've previously implemented some pretty tight security there.

 

That said, and I could be wrong here, it appears the issue is coming from /includes/general.js.

 

Take a look at the bottom of that file and see if there's a load of junk there. I'll be deleting it soon, but I'm just making a full site backup first.

 

I also looked at the source code, and above the header page there is a comment which reads: <!-- 2lpw1 -->

 

I'll be doing a sitewide search for that once I've got the full backup done.

 

Let me know how you get on, and I'll do likewise. I've only noticed this issue today, and my customer hasn't even mentioned it to me yet, so I would think it's only about 48 hours old.

 

Google had enough time to cache it though, in the wee hours of this morning...


You could check the date/time of the files to see if any others were created at the same time.

 

HTH

 

G



Okay. I was totally wrong about the JavaScript code. Removing it did nothing...

 

HOWEVER, I have found the file and the include causing the problem.

 

Take a look at index.php and look for this:

 

 require('includes/application_top.php');
 @include("./stats.php");

 

It's the stats.php line causing this. Remove that, and then remove the file.

 

It appears to be linking to www.netanalytic.com - and if you visit it, you see exactly what's appearing on your website.

 

It's been ages since I built this site, so it's possible that www.netanalytic.com was something I used and included previously (but I doubt it)...

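
The indicators this thread turns up (the @include("./stats.php"); line added to index.php, the <!-- 2lpw1 --> comment above the header, PHP files dropped into the images folder, and appended obfuscated code) can be hunted in one pass over the web root. The script below is an added example written for this page; it is not osC VTS, Site Monitor or osC_Sec, and the sample web root it builds in a temporary directory is constructed for the demonstration. It reports each hit with the file's mtime and ctime, because a clean mtime listing like the ones described above is not proof of anything: mtime can be set back with touch or utime(), while ctime changes on every inode update and cannot be set from user space.

```python
"""Hunt an osCommerce web root for the indicators named in this thread.

Added example, not osCommerce/osC_Sec/osC VTS code.  Indicators:
  * include/require of a file next to the script via a "./" path
    (the thread's  @include("./stats.php");  in index.php),
  * the marker comment <!-- 2lpw1 --> seen above the header,
  * .php files anywhere under images/ (uploads must never be executable),
  * eval()/base64_decode() style obfuscation typically appended to PHP files.
Each hit carries the file's mtime and ctime; ctime is the one an attacker
cannot reset with touch/utime(), so prefer it when building a timeline.
"""
import os
import re
import sys
import tempfile
from datetime import datetime, timezone

INDICATORS = [
    ("local include",
     re.compile(r'@?\s*(?:include|require)(?:_once)?\s*\(\s*["\']\./[^"\']+["\']')),
    ("marker comment 2lpw1", re.compile(r'<!--\s*2lpw1\s*-->')),
    ("obfuscated eval",
     re.compile(r'\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(')),
]
TEXT_EXTS = {".php", ".js", ".html", ".htm", ".inc", ".txt"}


def scan_file(path, rel):
    """Return (rel_path, rule, line_no) tuples for one file; line 0 = whole file."""
    findings = []
    parts = rel.split("/")
    if "images" in parts[:-1] and rel.endswith(".php"):
        findings.append((rel, "php file under images/", 0))
    if os.path.splitext(rel)[1] not in TEXT_EXTS:
        return findings
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                for name, rx in INDICATORS:
                    if rx.search(line):
                        findings.append((rel, name, lineno))
    except OSError:
        pass
    return findings


def scan_webroot(root):
    """Walk root and return dicts {path, rule, line, mtime, ctime} in walk order."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for fn in sorted(filenames):
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for rel_path, rule, lineno in scan_file(full, rel):
                st = os.stat(full)
                results.append({
                    "path": rel_path, "rule": rule, "line": lineno,
                    "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc),
                    "ctime": datetime.fromtimestamp(st.st_ctime, timezone.utc),
                })
    return results


def build_fixture():
    """Constructed sample web root (fake files, not taken from any real site)."""
    root = tempfile.mkdtemp(prefix="osc_")
    files = {
        "index.php": "<?php\n  require('includes/application_top.php');\n"
                     '  @include("./stats.php");\n',
        "stats.php": '<?php eval(base64_decode("cGhwaW5mbygpOw=="));\n',
        "includes/header.php": '<!-- 2lpw1 -->\n<div id="header">\n',
        "includes/general.js": "function popupWindow(url) {}\n",
        "images/icons/x.php": '<?php system($_GET["c"]);\n',
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # python3 scan.py /var/www/shop   (path is an assumption; no arg = fixture)
    root = sys.argv[1] if len(sys.argv) > 1 else build_fixture()
    for f in scan_webroot(root):
        print(f"{f['path']}:{f['line']}  {f['rule']}  "
              f"mtime={f['mtime']:%Y-%m-%d %H:%M}  ctime={f['ctime']:%Y-%m-%d %H:%M}")
```

Run it against a copy of the site (saved as, say, scan.py, with the real document root as the argument) and read every hit by hand: a local include is not malicious by itself, but an include of a file you never put there is exactly what the thread found, and a ctime that disagrees with a "clean" mtime is a file worth diffing against a fresh osCommerce download.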
You could check the date time of the files to see if any others were created at the same time. HTH G

 

I did that previously. There was nothing that stood out. No files edited since I last did a little work on it a few months back.

 

This made me think that it must be something previously included.

 

The answer is above. Thanks for your input though!


Thank you very much for the information.

I also secured the back office, and I also could not find any files edited since September 2011.

 

But strangely, the day after I discovered the 'banner', it disappeared without any changes to my website files...

It seems they're playing with my files, and I don't like that.

 

I will certainly edit and delete the files as suggested by Rubin Remus. Thanks indeed for all your advices.


Have you patched the admin login bypass exploit, and/or have you put htpasswd basic authentication in your admin directory?

 

If not it would pay to do at least one of those two security fixes.

 

Also take a look at osC_Sec addon (link is in my signature) which has in it the security patch.

 

The reason I ask is because now that you have discovered that unauthorized editing of your site is taking place, you need to stop that from happening. Earlier versions of Oscommerce have a well known security issue with the admin login.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


I used osC_Sec to secure my site and fix my admin login, but I have a question. It says to replace the following in includes/application_top:

// set php_self in the local scope
if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

with this:

// set php_self in the local scope
if( !isset( $PHP_SELF ) ) {
  if ( @phpversion() >= "5.0.0" && ( !ini_get("register_long_arrays" ) || @ini_get("register_long_arrays" ) == "0" || strtolower(@ini_get("register_long_arrays" ) ) == "off" ) ) $HTTP_SERVER_VARS = $_SERVER;
  $PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );
}

However, I noticed there is this bit of code right below it in the same section:

if ($request_type == 'NONSSL') {
  define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);
} else {
  define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);
}

Do I remove that or leave it in?

Also, in application_top under the admin/includes folder it has this:

// set php_self in the local scope
$PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);

instead of this, like it says in the instructions:

// set php_self in the local scope
if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

Do I still replace that with the following code?

// set php_self in the local scope
if( !isset( $PHP_SELF ) ) {
  if ( @phpversion() >= "5.0.0" && ( !ini_get("register_long_arrays" ) || @ini_get("register_long_arrays" ) == "0" || strtolower(@ini_get("register_long_arrays" ) ) == "off" ) ) $HTTP_SERVER_VARS = $_SERVER;
  $PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );
}

Also, I have had tons of problems with people hacking it and adding files to my images folder and whatnot. I followed the osC_Sec instructions; is there anything else I can do? I was confused, however, when it said to rename my admin directory: do I just change the name of the folder and update all the links in the PHP files to reference the new name? Also, how do you add htpasswd basic authentication? I have no clue what that is or how to add it; I am fairly new to website creation, haha. Thanks for everyone's help.


However, I noticed there is this bit of code right below it in the same section:

if ($request_type == 'NONSSL') {
  define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);
} else {
  define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);
}

Do I remove that or leave it in?

Leave that bit in; just replace

// set php_self in the local scope
if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

with the one in the readme.htm.

 

If you have cleaned out your directories of hack files (especially any .php files added to the images directory) and checked to make sure that there is no appended code added to the main site files, then following the instructions in osC_Sec is in fact patching the security hole in osCommerce that is allowing attackers to add, edit and delete files in your website.

 

For the other two issues of renaming the admin directory and adding htaccess authentication, there are a number of discussion threads already covering those security methods. They are good ideas to do in addition to patching the security hole which you have already done, and cleaning out your website which hopefully you have already done.



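Two replies above recommend htpasswd basic authentication on the admin directory, and the last question asks how to add it. The following is an added example (not osC_Sec code and not from any poster) that writes the two files Apache needs: a .htpasswd kept outside the document root and a .htaccess inside admin/. The password hash is the $apr1$ scheme that Apache's own htpasswd -m produces, reimplemented here from apr_md5.c so the format can be generated and checked offline; on a real host the one-liner htpasswd -c /home/shop/.htpasswd admin gives the same result. The path /home/shop/.htpasswd and the user name admin are assumptions.

```python
"""Put HTTP Basic authentication in front of the osCommerce admin directory.

Added example, not osC_Sec code.  Produces:
  * a .htpasswd line  user:$apr1$<salt>$<hash>  (Apache's APR1-MD5 scheme,
    the format `htpasswd -m` writes; accepted by every Apache version),
  * the .htaccess that makes mod_authn_file check it for admin/.
Paths and the user name are assumptions for the demonstration.
"""
import hashlib
import os
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """apr_md5.c to64(): emit `count` base-64 digits, least significant first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_hash(password, salt):
    """Return "$apr1$<salt>$<22 chars>" for a str password and an 8-char salt."""
    pw = password.encode("utf-8")
    salt = salt[:8].encode("ascii")
    ctx = hashlib.md5(pw + b"$apr1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    remaining = len(pw)
    while remaining > 0:                       # mix in alt, 16 bytes per pw length
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    i = len(pw)
    while i:                                   # bit-walk over len(pw): NUL or pw[0]
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                      # stretching schedule from md5crypt
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in groups)
    encoded += _to64(final[11], 2)
    return "$apr1$" + salt.decode("ascii") + "$" + encoded


def htpasswd_line(user, password, salt=None):
    """One .htpasswd line; a fresh random salt unless one is supplied."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_hash(password, salt)}"


def verify_line(line, user, password):
    """Constant-time check of a candidate password against a .htpasswd line."""
    name, _, stored = line.partition(":")
    if name != user or not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return secrets.compare_digest(stored, apr1_hash(password, salt))


def htaccess_text(htpasswd_path):
    """The .htaccess for admin/; needs AllowOverride AuthConfig in the vhost."""
    return (
        "AuthType Basic\n"
        'AuthName "osCommerce administration"\n'
        f"AuthUserFile {htpasswd_path}\n"
        "Require valid-user\n"
    )


def write_protection(admin_dir, htpasswd_path, user, password):
    """Write both files; .htpasswd is made unreadable to other local users."""
    with open(htpasswd_path, "w", encoding="ascii") as fh:
        fh.write(htpasswd_line(user, password) + "\n")
    os.chmod(htpasswd_path, 0o640)
    with open(os.path.join(admin_dir, ".htaccess"), "w", encoding="ascii") as fh:
        fh.write(htaccess_text(htpasswd_path))


if __name__ == "__main__":
    # Assumed locations; adjust to the real server layout.
    print(htpasswd_line("admin", "correct horse"))
    print(htaccess_text("/home/shop/.htpasswd"), end="")
```

Apache only honours the .htaccess if the directory's Directory block has AllowOverride AuthConfig (or All); if it does not, the file is silently ignored and the admin directory stays open, so test with a browser after deploying. Keep the .htpasswd out of the web root so it cannot be downloaded. On Apache 2.4, htpasswd -B (bcrypt) is the stronger choice; $apr1$ is used here because every Apache version accepts it.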