Feels like my website is being hacked...

[Laurentius]

Hi there,

Since some days, our catalog seems to be very slow and looks it has been hacked.

Below all catalog pages we can see a new banner stating "We are sorry - We are having updates - Please get back shortly".

 

I've not yet find the infected page, but can someone help in my quest?

 

The admin part seems clean till now...

 

Thanks for all your help

 

Laurent

 

OSCommerce 2.2

MacOS Lion

[web-project]

check the code for infection, does your antivirus shows that you have a virus on your website?

[♥geoffreywalton]

You can install osc VTS and site monitor to try and track down infected files.

 

THere are some tips and good links in my profile which should be of use.

 

HTH

 

G

[Rubin Remus]

Similar problem for one of my clients websites.

 

I think the backend and database of the site is untouched. I've previously implemented some pretty tight security there.

 

That said, and I could be wrong here, it appears the issue is coming from /includes/general.js.

 

Take a look at the bottom of that file and see if there's a load of junk there. I'll be deleting it soon, but I'm just making a full site backup first.

 

I also looked at the source code, and above the header page there is a comment which reads: <!-- 2lpw1 -->

 

I'll be doing a sitewide search for that once I've got the full backup done.

 

Let me know how you get on, and I'll do likewise. I've only noticed this issue today, and my customer hasn't even mentioned it to me yet, so I would think it's only about 48 hours old.

 

Google had enough time to cache it though, in the wee hours of this morning...

[♥geoffreywalton]

You could check the date time of the files to see if any others were created at the same time.

 

HTH

 

G

[Rubin Remus]

Okay. I was totally wrong about the Javascript code. Removing it did nothing...

 

HOWEVER, I have found the file and the include causing the problem.

 

Take a look at index.php and look for this:

 

 require('includes/application_top.php');
 @include("./stats.php");

 

It's the stats.php line causing this. Remove that, and then remove the file.

 

It appears to be linking to www.netanalytic.com - and if you visit it, you see exactly what's appearing on your website.

 

It's been ages since I built this site, so it's possible that www.netanalytic.com was something I used and included previously (but I doubt it)...

[Rubin Remus]

You could check the date time of the files to see if any others were created at the same time. HTH G

 

I did that previously. There was nothing that stood out. No files edited since I last did a little work on it a few months back.

 

This made me think that it must be something previously included.

 

The answer is above. Thanks for your input though!

[Laurentius]

Thank you very much for the information.

I also secured the back office and I also could not any files edited since september 2011.

 

But strangely the day after I discovered the 'banner', this banner has disappeared without any changes in my website files...

It seems they're playing with my files and I don' like that.

 

I will certainly edit and delete the files as suggested by Rubin Remus. Thanks indeed for all your advices.

[Taipo]

Have you patched the admin login bypass exploit, and/or have you put htpasswd basic authentication in your admin directory?

 

If not it would pay to do at least one of those two security fixes.

 

Also take a look at osC_Sec addon (link is in my signature) which has in it the security patch.

 

The reason I ask is because now that you have discovered that unauthorized editing of your site is taking place, you need to stop that from happening. Earlier versions of Oscommerce have a well known security issue with the admin login.

[Borderbob]

I used osc sec to secure my site and fix my admin login but I have a question, it says to replace the following in includes/application_top

 

// set php_self in the local scope

if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

 

with this

 

 

// set php_self in the local scope

if( !isset( $PHP_SELF ) ) {

if ( @phpversion() >= "5.0.0" && ( !ini_get("register_long_arrays" ) || @ini_get("register_long_arrays" ) == "0" || strtolower(@ini_get("register_long_arrays" ) ) == "off" ) ) $HTTP_SERVER_VARS = $_SERVER;

$PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );

}

 

 

however i noticed there is this bit of code right below it in the same section

 

if ($request_type == 'NONSSL') {

define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);

} else {

define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);

}

 

do i remove that or leave it in??

 

Also in application_top under the admin/includes folder it has this

 

// set php_self in the local scope

$PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);

 

instead of this like it says in the instructions

 

 

// set php_self in the local scope

 

if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

 

do i still replace that with the following code?

 

// set php_self in the local scope

if( !isset( $PHP_SELF ) ) {

if ( @phpversion() >= "5.0.0" && ( !ini_get("register_long_arrays" ) || @ini_get("register_long_arrays" ) == "0" || strtolower(@ini_get("register_long_arrays" ) ) == "off" ) ) $HTTP_SERVER_VARS = $_SERVER;

$PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );

}

 

Also i have had tons of problems of people hacking it and adding files to my images folder and what not, i followed the osc sec, is there anything else I can do. I was confused however when it said to rename my admin directory, do I just change the name of the folder and update all the links in the php files to reference the new name, also how do you add htpasswd basic authentication, i have no clue what that is or how to add it, i am fairly new to website creation haha. Thanks for everyones help

[Taipo]

however i noticed there is this bit of code right below it in the same section

 

if ($request_type == 'NONSSL') {

define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);

} else {

define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);

}

 

do i remove that or leave it in??

 

Leave that bit in, just replace

// set php_self in the local scope

if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

 

with the one in the readme.htm

 

If you have cleaned out your directories of hack files especially any .php files added to the images directory, and checked to make sure that there is no appended code added into the main site files, then following the instructions in osC_Sec is in fact patching the security hole in osCommerce that is allowing attackers to add, edit and delete files in your website.

 

For the other two issues of renaming the admin directory and adding htaccess authentication, there are a number of discussion threads already covering those security methods. They are good ideas to do in addition to patching the security hole which you have already done, and cleaning out your website which hopefully you have already done.