
RMD27

Script repeatedly inserted in ALL index.php files


Hi

I have a major issue with a site hack.

A code keeps getting inserted into all the index.php files on the site, front and admin sides.

It seems to take around 12 hours for the code to be reinserted after it has been deleted.

I am out of my depth on this. Any help appreciated.

I have my host working on it and they say the code was inserted back in 2008, but the shop was only installed in 2010.

They looked through the last 48 hours of log files and couldn't identify how it is happening.

I have confidence in them, but if anyone wants to chime in with their opinion/information/things I can do to help, it would be appreciated.

I have done all the things listed in this forum to secure an OSC site, but I was ignorant during the first few months the shop was installed.

I am sure this post exposes how little I know about these things, but if anyone has experience/knowledge of this type of issue your help would be appreciated.

I can post the script if that is helpful.


In the security thread the best recommendation to clean a hacked site is to remove all the files from the server and reinstall a known good clean copy of your site rather than try to clean the code from the current copy.


REMEMBER BACKUP, BACKUP AND BACKUP

Get the latest Responsive osCommerce CE (community edition) here

It's very easy to over complicate what are simple things in life


Thanks for the reply. At the moment that looks like the solution; the issue is that, because at the moment we/they cannot identify the issue, we do not know how far to go back, because we do not know when the hack was done.

What is the likelihood that this was done months ago and is only now making itself known?

Or is it much more likely that the issue was obvious immediately after the attack?

Personally I do not understand how the hack could have been done last week. Most of the security recommendations had been implemented, including:

Security Pro

IP Trap

Admin Password Protected and renamed

Various Tweaks

And I just found this, amongst other things, in images/Thumbs.db. Is this bad?

Root Entry@1Catalog


Also, I have a folder images/thumbnails which has timthumb .txt files being created inside it. I changed the permission on the folder to 644. Short of deleting it, is that the best set-up?


I also have XSS/BAD BEHAVIOR BLOCK installed from ages ago, and this is what the report says (IPs shortened):

/phpMyAdmin/scripts/setup.php    02-02-12 / 21:48:24 - 61.21
/phpMyAdmin/scripts/setup.php    04-02-12 / 15:37:22 - 2007 -
//%0D/scripts/setup.php          05-02-12 / 16:23:38 - 88.191
/bad_conduct/                    06-02-12 / 21:25:11 - 203.1
/phpMyAdmin/scripts/setup.php    07-02-12 / 05:30:41 - 210.5-

Is that helpful?


What is the likelihood that this was done months ago and is only now making itself known? Or is it much more likely that the issue was obvious immediately after the attack?

The security hole in V2.2 RC2 allows attackers to access your admin directory, therefore at the very least the attack will allow for files to be uploaded into writable directories such as the images directory. So if, for example, you have added htaccess basic authentication protection to the admin directory, that will have prevented further file uploads, but it will not stop attackers from accessing files that are still currently on your server, for example PHP files in the images directory, and also code that could be inserted into other site files which allows attackers to then upload more files.

The files they typically upload are often called shell code, or in plain speak, file managers. These file manager files are just that: rogue files that act as your typical file manager, which give attackers a lot of control over your site files. You have to clean your site out of these files and code additions before sending it live again.

Personally I do not understand how the hack could have been done last week. Most of the security recommendations had been implemented, including

This is what I am talking about above. The initial attack or attacks would have allowed the attacker to upload what are basically file managers, which then allow more control over your site than what is allowed via the admin features. These rogue file managers can then be used to further install more rogue code throughout normal site files such as catalog/cookie_usage.php and catalog/includes/languages/english/cookie_usage.php and more.

The attack is stacked in this manner so that when the site owner tweaks to the fact that their site is being hacked and protects the admin directory, the attack is still able to continue via 'backdoor code' => rogue file managers and appended code to normal site files, which allow attackers to continue uploading more files and editing files that are writable on your site.

Rid your site of these files and code additions to your site files and the 'attacks' will cease.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


Thank you for the information. Do you have any suggestions for finding hacked pages? I am trying to use SiteMonitor but I think it has an issue working with XSS (bottom of this page): http://forums.oscommerce.com/topic/221438-sitemonitor/page__st__2000.

Are there alternatives?

I need to find the backdoor, otherwise no matter what I do my efforts will be circumvented; got it. So I really need to find out the core issue. I'm thinking timthumb could be an issue, what do you think?

If I make the thumbnails directory containing the timthumb.txt files 644, will that disable the backdoor? If timthumb is the issue?


My host has come back to me and said it looks like the hacker is changing the dates on the files, which is making them hard to find.

Also, he said he is having to go through the log files manually to identify the issue.

I have no idea if this is the best way to go about it. The problem we seem to have is that we don't know how far back we need to go to get a clean backup.

This is an absolute nightmare.


The security hole in V2.2 RC2 allows attackers to access your admin directory, therefore at the very least the attack will allow for files to be uploaded into writable directories such as the images directory. So if, for example, you have added htaccess basic authentication protection to the admin directory, that will have prevented further file uploads, but it will not stop attackers from accessing files that are still currently on your server, for example PHP files in the images directory, and also code that could be inserted into other site files which allows attackers to then upload more files.

The files they typically upload are often called shell code, or in plain speak, file managers. These file manager files are just that: rogue files that act as your typical file manager, which give attackers a lot of control over your site files. You have to clean your site out of these files and code additions before sending it live again.

This is what I am talking about above. The initial attack or attacks would have allowed the attacker to upload what are basically file managers, which then allow more control over your site than what is allowed via the admin features. These rogue file managers can then be used to further install more rogue code throughout normal site files such as catalog/cookie_usage.php and catalog/includes/languages/english/cookie_usage.php and more.

The attack is stacked in this manner so that when the site owner tweaks to the fact that their site is being hacked and protects the admin directory, the attack is still able to continue via 'backdoor code' => rogue file managers and appended code to normal site files, which allow attackers to continue uploading more files and editing files that are writable on your site.

Rid your site of these files and code additions to your site files and the 'attacks' will cease.

These rogue file managers are in a new file? I.e. something separate from the osCommerce standard files? Or will they be part of a file that already exists as part of the osc install?


Thank you for the information. Do you have any suggestions for finding hacked pages? I am trying to use SiteMonitor but I think it has an issue working with XSS (bottom of this page): http://forums.oscommerce.com/topic/221438-sitemonitor/page__st__2000.

Are there alternatives?

Often the content of these rogue files has been marked by antivirus companies as malware, so if you have a complete snapshot of your site you can let your local antivirus scan through it and see what it finds. There is an addon as well that is a virus checker of sorts, although I have never used it.

If you have a backup copy of your site then that is the best place to start, or else you have two other options: one is to grind through every .php, .txt, .js and .html file and look for added code or shell code, or, in the instance where there is large-scale file infection, start again, sorry.



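Two points in this exchange decide the method: Geoffrey's advice that a known-clean copy is the best place to start, and the host's observation that the attacker resets file dates. Together they mean changed files should be found by content, not by timestamp. The script below is an added example, not code from this thread, from osCommerce or from any of the add-ons mentioned. It assumes you have a clean copy of the shop (a fresh install plus your own add-ons, or a backup from before the compromise) unpacked on disk and passes the two directory paths on the command line; run without arguments it builds a small constructed pair of trees, resets the live index.php's modification time to match the clean one, and shows that the appended line is still reported.

```python
#!/usr/bin/env python3
"""Find added and modified files by hashing the live tree against a clean copy.

Added example, not code from this thread, from osCommerce or from the add-ons
mentioned. It assumes a known-clean copy of the shop is unpacked on disk.
File dates are ignored on purpose: the thread reports that the attacker resets
them, so only content is compared.
"""
import hashlib
import os
import sys
import tempfile

# Extensions worth comparing. Images are included because the thread mentions
# image files carrying executable payloads.
SCAN_EXT = {".php", ".txt", ".js", ".html", ".htm", ".gif", ".jpg", ".jpeg", ".png"}


def sha256_of(path):
    """Hash a file in chunks so large images are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every scannable file under root: relative path -> sha256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXT:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def diff_manifests(clean, live):
    """Sort live files into added (absent from the clean copy), modified, removed."""
    return {
        "added": sorted(p for p in live if p not in clean),
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "removed": sorted(p for p in clean if p not in live),
    }


def demo():
    """Constructed sample: a clean shop and a live copy where index.php has had a
    line appended and a stray .txt file has appeared under images/thumbnails.
    The live index.php gets its mtime reset to the clean copy's value, which
    must not hide the change."""
    clean = tempfile.mkdtemp(prefix="clean_")
    live = tempfile.mkdtemp(prefix="live_")
    index_src = "<?php\nrequire('includes/application_top.php');\n"
    for root in (clean, live):
        os.makedirs(os.path.join(root, "images", "thumbnails"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(index_src)
        with open(os.path.join(root, "images", "logo.gif"), "wb") as fh:
            fh.write(b"GIF89a" + bytes(10))  # constructed stand-in for an image
    with open(os.path.join(live, "index.php"), "a") as fh:
        fh.write("<?php /* constructed: injected line */ ?>\n")
    with open(os.path.join(live, "images", "thumbnails", "cache.txt"), "w") as fh:
        fh.write("constructed placeholder\n")
    st = os.stat(os.path.join(clean, "index.php"))
    os.utime(os.path.join(live, "index.php"), (st.st_atime, st.st_mtime))
    return diff_manifests(build_manifest(clean), build_manifest(live))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        result = diff_manifests(build_manifest(sys.argv[1]), build_manifest(sys.argv[2]))
    else:
        result = demo()
    for kind, paths in result.items():
        print("%-9s %s" % (kind, ", ".join(paths) or "-"))
```

Usage on a real site is `python3 integrity_diff.py /path/to/clean /path/to/live`; every path in "added" and "modified" is something to inspect, and a file the attacker has reset to an old date shows up exactly like any other change. One related point for the host going through files by hand: on Linux an unprivileged process can set a file's mtime with `touch` or `utime()`, but that call itself updates the inode change time (ctime), so `ls -lc` or `find -newerct` still orders files by when they were last touched, even when the displayed modification date has been faked.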

These rogue file managers are in a new file? I.e. something separate from the osCommerce standard files? Or will they be part of a file that already exists as part of the osc install?

The file manager type files are stand-alone files that have been added to writable directories. They can have file extensions such as .txt, .html, .php etc.

If your site is using timthumb then I have to ask for a full description of the structure of your site. For example, are you just using osCommerce or is it a mix of, say, osCommerce and WordPress?

Timthumb has had a known security hole in it that allowed attackers to upload their own files and even upload files as images which contained executable code.

If you are using an addon in osCommerce that has timthumb then you need to see if the addon author has updated it to the latest version of timthumb, which fixes most of those issues.

If you are using another content management system such as WordPress alongside osCommerce, then you will need to go back to the WordPress plugins feature and update to the latest timthumb plugin.




The add-on Virus Threat system will search for known hack strings, as will Site Monitor, but not for so many.

http://addons.oscommerce.com/info/7279

There are also some tips on what to look for in my profile.

HTH

G


Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 



Thanks for the feedback.

I installed Tim's threat scanner so I'm going through the results of that.

In admin/includes/configure cache I have this; is the base64 okay?

$config_cache_output = base64_encode($config_cache_output);

// split the base64 text into 80-character lines
$new_config_cache_output = '';
while (strlen($config_cache_output) > 0) {
  $new_config_cache_output .= substr($config_cache_output, 0, 80) . "\n";
  $config_cache_output = substr($config_cache_output, 80);
}
// write it out as PHP that decodes and inflates the text, then passes it to eval()
$config_cache_output = "<?php eval(gzinflate(base64_decode('\n$new_config_cache_output'))); ?>";


The file manager type files are stand-alone files that have been added to writable directories. They can have file extensions such as .txt, .html, .php etc.

If your site is using timthumb then I have to ask for a full description of the structure of your site. For example, are you just using osCommerce or is it a mix of, say, osCommerce and WordPress?

Timthumb has had a known security hole in it that allowed attackers to upload their own files and even upload files as images which contained executable code.

If you are using an addon in osCommerce that has timthumb then you need to see if the addon author has updated it to the latest version of timthumb, which fixes most of those issues.

If you are using another content management system such as WordPress alongside osCommerce, then you will need to go back to the WordPress plugins feature and update to the latest timthumb plugin.

You're right on the money here. I have WordPress installed in another directory; osc is in the root. Both are using timthumb.

The more I see, the more I think it's this.


The add-on Virus Threat system will search for known hack strings, as will Site Monitor, but not for so many.

http://addons.oscommerce.com/info/7279

There are also some tips on what to look for in my profile.

HTH

G

I'm like a headless chicken at the moment. I'm doing this threat scanner first because it's easy to install, then I'll move on to yours!


I've got this at the top of mail/mailist/admin.edit.php:

<?php if(!isset($_SESSION['admin'])){echo 'Hacking attempted'; return ;} ?>

Is that line okay?

The more I look at this whole issue, the more clueless I realise I am.


I've got this at the top of mail/mailist/admin.edit.php:

<?php if(!isset($_SESSION['admin'])){echo 'Hacking attempted'; return ;} ?>

Is that line okay?

The more I look at this whole issue, the more clueless I realise I am.

Same thing at the top of sendmail.php.


This is what Google has to say:

What happened when Google visited this site?

Of the 17 pages we tested on the site over the past 90 days, 11 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-02-07, and the last time suspicious content was found on this site was on 2012-02-06.

Malicious software includes 17 exploit(s), 11 trojan(s), 6 scripting exploit(s). Successful infection resulted in an average of 5 new process(es) on the target machine.

Malicious software is hosted on 2 domain(s), including
,
.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including
.

This site was hosted on 1 network(s) including
.


Is this anything to worry about? In product_thumb:

base64_decode("R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YUZ\nOGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\nDULB3RP6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs=");


Is this anything to worry about? In product_thumb:

base64_decode("R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YUZ\nOGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\nDULB3RP6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs=");

This is the type of thing that can be uploaded via what I explained earlier. First port of call for you is to patch all that faulty code, or else this stuff will be back as soon as you get rid of it. I assume you have taken your site offline. You basically have two conceptual security issues: one with the osCommerce code, which you have sorted by blocking access to the admin directory; two, patch the WordPress plugins or remove the plugins if there are no upgrades for them.

Then you need to trawl through all your files and look for those types of additions that you posted above. Once you become familiar with them then you will find them easier to spot. There are people who are regulars in these forums who also do cleanups for a fee if you feel you are out of your depth on that issue.

The main thing is not to send the site live without patching that insecure code, and certainly not sending your site live again with that sort of backdoor code embedded in files.




In saying that, some files do contain base64_decode lines like that, but the flaw in timthumb, which is more a WordPress issue than osCommerce, allowed attackers to embed malware code in image EXIF data, especially for example in JPG, GIF and PNG files. That is not to say that every reference to base64_ in those files is malicious.

But those are the effects of the security issues that were discovered in timthumb.



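Geoffrey's last two points, that every file has to be trawled for added code and that not every base64_decode reference is malicious, can be turned into a small scanner. The script below is an added example, not code from this thread, from osCommerce, or from the Virus Threat Scanner or SiteMonitor add-ons. It flags eval() fed directly by gzinflate()/base64_decode()-style functions, PHP open tags inside .txt/.html/image files (the stand-alone rogue files in writable directories described above), and decodes every base64_decode() string literal it finds so that an image header can be told apart from embedded PHP. The literal it carries is the product_thumb one posted above, which decodes to a GIF header; the other files in its demo tree are constructed, and the "backdoor" fixture wraps a harmless stub. Pass a directory on the command line to scan a real tree.

```python
#!/usr/bin/env python3
"""Flag suspicious PHP constructs and classify base64 payloads in a site tree.

Added example, not code from this thread, from osCommerce, or from the Virus
Threat Scanner or SiteMonitor add-ons.
"""
import base64
import binascii
import os
import re
import sys
import tempfile

# The literal posted in the thread from product_thumb, in PHP source form
# (its "\n" escape sequences are still in place).
PRODUCT_THUMB_LITERAL = (
    "R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YUZ\\n"
    "OGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\\n"
    "DULB3RP6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs="
)
IMAGE_MAGIC = [
    (b"GIF87a", "image/gif"), (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"), (b"\xff\xd8\xff", "image/jpeg"),
]
PHP_EXT = {".php", ".phtml"}
SCAN_EXT = PHP_EXT | {".txt", ".html", ".htm", ".js", ".gif", ".jpg", ".jpeg", ".png"}
DECODE_FUNCS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13")

PHP_TAG = re.compile(rb"<\?php|<\?=")
# eval( fed straight from a decoding/inflating call, e.g. eval(gzinflate(
EVAL_CHAIN = re.compile(rb"\beval\s*\(\s*(?:%s)\s*\(" % b"|".join(f.encode() for f in DECODE_FUNCS))
FUNC_CALL = {f: re.compile(rb"\b%s\s*\(" % f.encode()) for f in ("eval",) + DECODE_FUNCS}
B64_LITERAL = re.compile(rb"""base64_decode\s*\(\s*(['"])(.*?)\1\s*\)""", re.S)


def classify_payload(literal):
    """Decode a base64 literal as it appears in PHP source and say what it holds."""
    if isinstance(literal, str):
        literal = literal.encode()
    cleaned = re.sub(rb"\\n|\s", b"", literal)  # drop "\n" escapes and whitespace
    try:
        data = base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return "invalid-base64"
    for magic, kind in IMAGE_MAGIC:
        if data.startswith(magic):
            return kind
    if PHP_TAG.search(data) or FUNC_CALL["eval"].search(data):
        return "php-code"
    return "other"


def scan_bytes(content, ext):
    """Return (kind, detail) findings for one file's raw content."""
    findings = []
    if ext not in PHP_EXT and PHP_TAG.search(content):
        findings.append(("php-tag-in-non-php-file", ext))
    chain = EVAL_CHAIN.search(content)
    if chain:
        findings.append(("eval-decode-chain", chain.group(0).decode("latin-1")))
    for name, pattern in FUNC_CALL.items():
        if pattern.search(content):
            findings.append(("call", name))
    for match in B64_LITERAL.finditer(content):
        findings.append(("base64-literal", classify_payload(match.group(2))))
    return findings


def severity(findings):
    """'high' for code where code should not be; 'review' for decode calls that
    need a human look (a literal that decodes to an image is the benign case)."""
    kinds = {kind for kind, _ in findings}
    if kinds & {"eval-decode-chain", "php-tag-in-non-php-file"} or ("base64-literal", "php-code") in findings:
        return "high"
    return "review" if "call" in kinds else "none"


def scan_tree(root):
    """Walk root; report files with findings as relpath -> (severity, findings)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in SCAN_EXT:
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                findings = scan_bytes(fh.read(), ext)
            if findings:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = (severity(findings), findings)
    return report


def demo():
    """Constructed tree: a clean index.php, a product_thumb.php stand-in that
    embeds the GIF literal from the thread, and a stray .txt in images/thumbnails
    wrapping a harmless stub in an eval(gzinflate(base64_decode())) chain."""
    root = tempfile.mkdtemp(prefix="oscscan_")
    os.makedirs(os.path.join(root, "images", "thumbnails"))
    stub = base64.b64encode(b"<?php /* constructed stub */ ?>").decode()
    files = {
        "index.php": "<?php\nrequire('includes/application_top.php');\n",
        "images/product_thumb.php": "<?php\nheader('Content-Type: image/gif');\n"
                                    'echo base64_decode("%s");\n' % PRODUCT_THUMB_LITERAL,
        "images/thumbnails/cache.txt": "<?php eval(gzinflate(base64_decode('%s'))); ?>\n" % stub,
    }
    for rel, text in files.items():
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write(text)
    return scan_tree(root)


if __name__ == "__main__":
    report = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, (sev, findings) in sorted(report.items()):
        print("%-6s %s %s" % (sev, path, findings))
```

In the demo output the product_thumb stand-in comes back as "review" with its literal classified as image/gif, while the .txt file in images/thumbnails is "high" on two independent grounds: a PHP open tag in a non-PHP extension and an eval() chain. On a real tree every "high" path is a candidate for removal or restoration from the clean copy, and "review" paths are where the thread's point applies: read the decoded payload before deciding, since legitimate code does embed small images this way.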
