
Archived

This topic is now archived and is closed to further replies.

fozzo

Site been hacked from time to time


Hello guys,

I really hope someone will be able to help me out.

One of my sites has recently been hacked.

This happens from time to time, and I don't understand how.

Some files were modified, and they make credit card the only payment option (which actually is not a method I offer).

[modified files: checkout_confirmation, checkout_payment, login, products_info, account, create_account]

Anyway, about 6 files were modified.

I don't understand how they can still get at my files and modify them.

I have already followed all the security fixes:

 

Security Pro -> installed

SiteMonitor -> installed (it was what told me the site was hacked, because of the changed files)

IP trap -> installed

htaccess protection -> installed

Cross Site Scripting attacks with Anti XSS -> installed

All files except the two configure.php files have permissions no higher than 644 -> done

image folder permission -> 555

[I don't understand how it is possible, but I found a file without an extension called rr in that folder]

admin folder -> renamed

admin secured with admin level account

 

I'm actually running a heavily modified 2.2rc version.

I'm not a noob.

All security patches were installed on a fresh osCommerce and have been kept updated for about one year.

 

Any clue would be very much appreciated.

Share this post


Link to post
Share on other sites

This would tend to indicate that either a hacker's file is on your server somewhere, or some rogue code is embedded in one of your php scripts, or there is a link in your data. Shop name, manufacturer's name or a product description are the prime candidates.

 

Or they have ftp access.

 

Have you checked your logs for the time the files changed?

 

HTH

 

G


Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.

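The three checks G suggests (which files changed and when, what is sitting on the server that should not be, and what the web logs show at that time) can be scripted. The following is an added example, not code from the thread or from osCommerce; the document root, the time window and the access-log lines are assumptions or constructed for the demo, and the log format assumed is the Apache combined format that cPanel writes.

```php
<?php
// Added example (not from the thread or osCommerce): helpers for the three
// checks above: which files changed in the window, what does not belong in
// the images directory, and what the access log shows in that window.
// Paths, the window and the sample log lines are assumptions/constructed.

function walk($dir) {
    return new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
}

// Files whose mtime OR ctime falls inside [$from, $to]. mtime is trivially
// forged with touch(); ctime (inode change time) is updated by chmod, rename
// and write and cannot be set from userland, so check both.
function files_changed_between($root, $from, $to) {
    $hits = array();
    foreach (walk($root) as $f) {
        $m = $f->getMTime();
        $c = $f->getCTime();
        if (($m >= $from && $m <= $to) || ($c >= $from && $c <= $to)) {
            $hits[] = $f->getPathname();
        }
    }
    sort($hits);
    return $hits;
}

// Anything in an upload/image tree that is not a plain image: an
// extension-less file like the 'rr' mentioned above, or a .php dropped
// where only images should ever be written.
function unexpected_in_images($dir, $allowed = array('jpg', 'jpeg', 'gif', 'png')) {
    $bad = array();
    foreach (walk($dir) as $f) {
        $ext = strtolower(pathinfo($f->getFilename(), PATHINFO_EXTENSION));
        if (!in_array($ext, $allowed, true)) {
            $bad[] = $f->getPathname();
        }
    }
    sort($bad);
    return $bad;
}

// Parse Apache combined-format lines and keep those inside the window.
// Read the POSTs and any request to a path you did not put there first.
function requests_in_window(array $lines, $from, $to) {
    $out = array();
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/';
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) continue;
        $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
        if ($ts === false) continue;
        $t = $ts->getTimestamp();
        if ($t < $from || $t > $to) continue;
        $out[] = array('ip' => $m[1], 'method' => $m[3], 'path' => $m[4], 'status' => (int)$m[5]);
    }
    return $out;
}

// --- constructed demo data (the date is an assumption; the thread only says
// "the 19th, around 3 pm") ---------------------------------------------------
$from = strtotime('2013-03-19 14:30:00 +0000');
$to   = strtotime('2013-03-19 15:30:00 +0000');

$sampleLog = array(
    '203.0.113.5 - - [19/Mar/2013:14:58:12 +0000] "GET /catalog/index.php HTTP/1.1" 200 5123',
    '198.51.100.7 - - [19/Mar/2013:15:02:41 +0000] "POST /catalog/images/rr HTTP/1.1" 200 344',
    '198.51.100.7 - - [19/Mar/2013:15:03:05 +0000] "GET /catalog/checkout_payment.php HTTP/1.1" 200 7120',
    '203.0.113.9 - - [19/Mar/2013:18:20:00 +0000] "GET /catalog/index.php HTTP/1.1" 200 5123',
);

foreach (requests_in_window($sampleLog, $from, $to) as $r) {
    printf("%-14s %-5s %-3d %s\n", $r['ip'], $r['method'], $r['status'], $r['path']);
}

// Against a live tree (paths are assumptions):
//   print_r(files_changed_between('/home/acct/public_html', $from, $to));
//   print_r(unexpected_in_images('/home/acct/public_html/images'));
//   print_r(requests_in_window(file('/home/acct/access-logs/example.com'), $from, $to));
```

The window should be widened generously around the SiteMonitor alert time, because the alert fires when the monitor runs, not when the write happened. Any request to a non-image path under images/, or a POST to a script that never receives form posts, is the line to chase back through the same IP's earlier requests.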

Have you checked your admin logins? If you have htpasswd logins, any admin login will be shown in your cPanel stats as an authenticated user with IP address.

 

Have you checked the ftp access logs?

 

Have you checked that your email has not been hacked?


Sam

 

Remember, what you think I meant may not be what I thought I meant when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.


Thanks for your fast answer guys.

Let me answer you both.

 

This would tend to indicate that either a hacker's file is on your server somewhere, or some rogue code is embedded in one of your php scripts, or there is a link in your data. Shop name, manufacturer's name or a product description are the prime candidates.

 

Or they have ftp access.

 

Have you checked your logs for the time the files changed?

 

HTH

 

G

 

I have downloaded the entire site and checked all files (as far as I'm sure I did).

Nothing suspicious or malicious found.

 

What do you mean by "or there is a link in your data"?

 

Logs checked: files were changed in the afternoon, around 3 pm.

 

 

 

Have you checked your admin logins? If you have htpasswd logins, any admin login will be shown in your cPanel stats as an authenticated user with IP address.

 

Have you checked the ftp access logs?

 

Have you checked that your email has not been hacked?

 

 

My email has not been hacked. I'm going to check the ftp logs and write back to you. The admin folder is not protected with htpasswd, so I can't check those logs; anyway, the administrators table has not been touched.


Do you access email etc with a smart phone? There are methods to get your passwords etc through those.

 

How are you sure your email is safe? A clever hacker won't change things, just read your emails.


Sam


Only with iPhone or iPad.

 

That's the type of device I meant when I said 'smart phone'


Sam



I just checked the ftp log: on the 19th (the day it was hacked) only I had access, no one else.


It appears not. The method I heard about I detailed here: http://forums.oscommerce.com/topic/386022-business-idea-tell-me-what-you-think/page__view__findpost__p__1632825

 

but that was just one, I understand there are others in use too.


Sam



OK, I see what you mean Sam, thanks for pointing this out.

Anyway, I still don't know what to do.

Furthermore, it seems someone is sending spam from another of my sites on the same virtual server; I caught it from the brute force logs and from the Exim logs.

I double-checked all files in that cPanel account, but none were modified.

It's like a cul-de-sac.


If it is an osC site, check the logs and see if tell a friend is being used.

 

You can make it so that only logged-in accounts can send them, by changing the settings in the shop admin.

 

HTH

 

G


Have you raised this with your host? They will have more detailed logs that may point to who modified the files and how.


Sam



If someone is actually getting on to your site, perhaps they have one or more of your passwords. Scan for spyware on all PCs used to administer the site, and even if nothing is found, change all your passwords: site hosting access, database, FTP, admin passwords, etc. Talk with your host about whether they support SFTP (SSL-encrypted FTP), which, unlike regular FTP, doesn't send its passwords in the clear. Check your directory and file permissions -- nothing should be 666 or 777. If PHP requires a directory to be 777 in order for osC to upload a file, change it back to 755 as soon as you're done uploading. If your site is 2.2, have you applied all the necessary security updates?

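The permission rules in the post above (nothing 666 or 777, files at 644 and directories at 755, and, from fozzo's checklist, the two configure.php files tighter still) are easy to audit rather than eyeball. The following is an added example, not code from the thread or from osCommerce; the directory layout and the expected modes are assumptions for a typical cPanel install, and the demo builds a throwaway tree in the temp directory so it runs anywhere.

```php
<?php
// Added example (not from the thread or osCommerce): audit a document root
// against the permission rules discussed above. Expected modes are
// assumptions; adjust them to your install.

// Returns array(path => array('mode' => '0777', 'max' => '0755',
// 'world_writable' => bool)) for every entry looser than allowed.
function audit_permissions($root, $maxFile = 0644, $maxDir = 0755, $maxConfigure = 0444) {
    $findings = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST);
    foreach ($it as $path => $info) {
        $mode = fileperms($path) & 0777;               // strip the file-type bits
        if ($info->isDir()) {
            $max = $maxDir;
        } elseif ($info->getFilename() === 'configure.php') {
            $max = $maxConfigure;                      // the two configure.php files
        } else {
            $max = $maxFile;
        }
        // Any bit set outside the allowed mask is a finding; the world-writable
        // bit (0002) is the one a web-server-owned process needs to drop files.
        if ($mode & ~$max) {
            $findings[$path] = array(
                'mode'           => sprintf('%04o', $mode),
                'max'            => sprintf('%04o', $max),
                'world_writable' => (bool)($mode & 0002),
            );
        }
    }
    ksort($findings);
    return $findings;
}

// --- constructed demo tree -------------------------------------------------
$root = sys_get_temp_dir() . '/perm-audit-' . getmypid();
mkdir("$root/images", 0755, true);
mkdir("$root/includes", 0755, true);
chmod("$root/images", 0777);                           // left 777 after an upload
file_put_contents("$root/includes/configure.php", "<?php\n");
chmod("$root/includes/configure.php", 0644);           // should be 444
file_put_contents("$root/index.php", "<?php\n");
chmod("$root/index.php", 0644);                        // fine
file_put_contents("$root/images/rr", "x");
chmod("$root/images/rr", 0666);                        // world-writable

foreach (audit_permissions($root) as $path => $f) {
    printf("%s %-24s (max %s)%s\n", $f['mode'], substr($path, strlen($root)),
        $f['max'], $f['world_writable'] ? '  WORLD-WRITABLE' : '');
}

// Remove the demo tree again.
$rm = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST);
foreach ($rm as $p => $i) { $i->isDir() ? rmdir($p) : unlink($p); }
rmdir($root);
```

The underlying invariant is that the user the web server runs PHP as must not be able to write to any script. On a host where PHP runs as the account owner (suPHP, CGI/FastCGI), 644/755 already enforce that and a 777 directory only needs to exist for the duration of an upload; on a shared mod_php setup where PHP runs as the Apache user, a 777 images directory is writable by every script on the box, which is how an extension-less file like `rr` ends up there.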

I have already followed all the security fixes:

 

Security Pro -> installed

SiteMonitor -> installed (it was what told me the site was hacked, because of the changed files)

IP trap -> installed

htaccess protection -> installed

Cross Site Scripting attacks with Anti XSS -> installed

All files except the two configure.php files have permissions no higher than 644 -> done

image folder permission -> 555

[I don't understand how it is possible, but I found a file without an extension called rr in that folder]

admin folder -> renamed

admin secured with admin level account

 

Unless you have htaccess basic authentication on your admin directory, your site will have been vulnerable to the admin login bypass attacks. The reason is that none of the addons above directly address the actual security vulnerability in the 2.2 range of code.

 

If you have added the htaccess to your admin then you need to be looking through other files like the cookie_usage.php and includes/languages/english/cookie_usage.php files for additional code which was probably inserted prior to you securing the admin.

 

For an example of the type of code insertions I am referring to, see this link.

http://forums.oscommerce.com/topic/372970-malware-cookie-usagephp-explained/

 

The actual code fixes for the admin login bypass issue are below:

http://forums.oscommerce.com/topic/380144-fixing-the-admin-login-bypass-exploit/

 

Also check out osC_Sec

http://addons.oscommerce.com/info/8283


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


@@Taipo: As I said, I installed Admin Level Account, which already took care of this part:

 

//EOF Admin Level
/*
// redirect to login page if administrator is not yet logged in
  if (!tep_session_is_registered('admin')) {
    $redirect = false;

    $current_page = basename($PHP_SELF);

    if ($current_page != FILENAME_LOGIN_ADMIN) {
      if (!tep_session_is_registered('redirect_origin')) {
        tep_session_register('redirect_origin');

        $redirect_origin = array('page' => $current_page,
                                 'get' => $HTTP_GET_VARS);
      }

      $redirect = true;
    }

    if ($redirect == true) {
      tep_redirect(tep_href_link(FILENAME_LOGIN_ADMIN));
    }

    unset($redirect);
  }
*/
//EOF Admin Level

 

Anyway, I changed the second part in application_top as suggested, both of them.

I'm going to install osC_Sec right now.

Thanks for the help. Let's see if anything happens again.

 

 

@@spooks: I'm already in touch with them, but since my VPS is not "managed" I don't get much assistance, so they are not going to help me much. Anyway, I think I can access all the logs, so if you need me to look at any of them, please just tell me.

 

@@geoffreywalton: the tell a friend file is not used on my site; I removed it at the beginning.

 

@@MrPhil: thanks for your answer. I already use SFTP. Changing all the passwords is my next step, but, as Sam said, if they have a backdoor then changing passwords right now is not that useful; I need to understand first where the malicious code is (if any exists).

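The check fozzo quotes above (the commented-out block that compares basename($PHP_SELF) with FILENAME_LOGIN_ADMIN) is the one the admin login bypass Taipo refers to is aimed at. $PHP_SELF is built from the request URL and includes any path-info appended after the script name, so a request for an admin script with /login.php appended makes basename() return login.php; the check then believes it is on the login page and never redirects. The following is an added example, not osCommerce code and not the fix from Taipo's linked thread: it reduces the original decision logic to a stand-alone function, puts a hardened variant beside it that takes the page name from the script the server actually executed, and runs both over constructed request shapes. The session helpers are replaced by a plain boolean and the paths are assumptions.

```php
<?php
// Added example (not osCommerce code): why the quoted 2.2 admin check can be
// bypassed through path-info, and a hardened replacement. Paths and the
// value of FILENAME_LOGIN_ADMIN are assumptions.

define('FILENAME_LOGIN_ADMIN', 'login.php');

// Decision logic of the original check. The osC session test is replaced by
// $admin_logged_in so the function runs without the framework.
function original_check($php_self, $admin_logged_in) {
    if ($admin_logged_in) {
        return 'serve';
    }
    $current_page = basename($php_self);
    if ($current_page != FILENAME_LOGIN_ADMIN) {
        return 'redirect';          // bounce to the login page
    }
    return 'serve';                 // assumed to be login.php itself
}

// Hardened: the page name is taken from the script the web server mapped the
// request to (SCRIPT_FILENAME), which carries no path-info, and an
// unauthenticated request is served only when that script IS the login page.
function hardened_check($script_filename, $admin_logged_in) {
    if ($admin_logged_in) {
        return 'serve';
    }
    if (basename($script_filename) === FILENAME_LOGIN_ADMIN) {
        return 'serve';
    }
    return 'redirect';
}

// Constructed request shapes. PHP_SELF keeps whatever path-info followed the
// script name in the URL; SCRIPT_FILENAME is the file that actually ran.
$requests = array(
    array('PHP_SELF' => '/admin/categories.php',
          'SCRIPT_FILENAME' => '/var/www/admin/categories.php'),
    array('PHP_SELF' => '/admin/categories.php/login.php',
          'SCRIPT_FILENAME' => '/var/www/admin/categories.php'),
    array('PHP_SELF' => '/admin/login.php',
          'SCRIPT_FILENAME' => '/var/www/admin/login.php'),
);

foreach ($requests as $r) {
    printf("%-36s original: %-8s hardened: %s\n", $r['PHP_SELF'],
        original_check($r['PHP_SELF'], false),
        hardened_check($r['SCRIPT_FILENAME'], false));
}
```

Run unauthenticated, the second request shape is served by the original logic and redirected by the hardened one; the other two behave the same under both. The hardened variant only closes the path-info hole: it still trusts the admin session flag, which is why Taipo's advice to put htaccess basic authentication in front of the whole admin directory, independent of any PHP check, is the stronger control.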
