
Egy-spider hacking attempt


lucsangel


Hello,

 

in spite of all security measures on osc 2.3.1, including Security Pro and anti-xss, Egy-spider manages to overwrite the htaccess file to disable osc_sec and insert the php files to hack the site in the catalog and admin (name already changed!). How to plug this new hole?


A few questions for you:

- did you have an earlier version of osCommerce installed prior to 2.3.1?

- was your site previously hacked prior to installing 2.3.1?

- were you able to remove all the files the attackers added, such as the Egy-spider php shell files?

 

The reason I ask these is that typically when versions 2.3.1 are hacked, the reason often is that the site has been upgraded from the 2.2 range of osCommerce sites which has security vulnerabilities which allow attackers to upload malicious code which can then be used to overwrite site files and more.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


Hello,

 

No it was a clean install of 2.3.1 with no previous install on the server.

 

The hacker managed to eliminate the htaccess file and replace it with one that disables osc_sec (so hey guys, the osc_sec add-on can be disabled!). The shell files were placed in the catalog, the includes directories of the re-named admin and catalog and in the English language directory. An ini file was created to turn on register globals. All in spite of correct permissions and htaccess protection as well as Security Pro. So how did they get in and how to stop it from happening again?

 

Thanks and heads up to others.

 

Angel


@@lucsangel

 

I would suggest then that your hosting provider's entire server was compromised and that it wasn't just your osCommerce installation that was targeted. Although there are a few recommended security enhancements for v2.3.1, there is no known vulnerability in the core code.

 

The statement that you renamed the admin directory tells me that the hacker (bot) has direct access to your server and can locate your admin directory. (which is not a bot function by the way)

 

 

 

Chris


Thanks Chris, but the nasty bit about this hacking tool is that once in the root it can find all the files as I understand, so the thing is to find out how it entered. There are no entries in the logs nor suspect IPs. Guess I just have to watch 24/24!


If the hacker appears to be logging into your hosting account, your host should be able to determine the IP address they came in on (it's in a log, at least for the last access to your account) and possibly block it. If the hacker is able to change permissions so they can overwrite files, they probably got fully logged in, rather than just FTPing in (or your host has serious security problems). On your end, be sure to scan the PC(s) you use to administer your site for spyware (especially password sniffers and keystroke loggers). After doing any cleanup of malware and turning on your PC firewall, change all the passwords you can think of -- host access, FTP, osC site admin, maybe even the database. All that is worth doing even if you can't prove that there's any security breach on your PC. Also talk to your host about whether you can use SFTP instead of plain FTP (FTP sends passwords in the clear, while SFTP uses SSL encryption).


Hello Mr Phil,

 

My PC is clean, heavily protected and only used for the sites. No access was done through login in the cpanel, no database files corrupted nor config files touched, just the suppression of the original htaccess with replacement by one that is set to disable osc_sec and the addition of new files though no FTP appears to have been used according to the logs! This one has me really stumped. I already implemented all of your suggestions first thing. Thank you.

 

Angel


Was your .htaccess file 644 permissions (or lower)? If it was something like 777, any other user sharing your server could have overwritten it. Since an .htaccess file has no business changing all that often, and certainly not without your specific attention, try making it Read-Only (444). If the hacker can still get to it and change it, it proves that either your host has some very serious security flaws, or the hacker is in fact logging on to your hosting account.

 

A hacker doesn't necessarily have to be on your PC (virtually or physically) to do their work. If they can monitor network traffic somewhere between your local Net connection and the server, they can grab clear text passwords, especially out of FTP streams. That's why I suggested looking at SFTP. Even then, if your host is serious about security, they have disabled chmod (permission changes) from FTP.


The hacker managed to eliminate the htaccess file and replace it with one that disables osc_sec (so hey guys, the osc_sec add-on can be disabled!).

 

If an attacker is able to upload shell files and edit site files then any security files such as osC_Sec can be disabled, but since they were able to place a shell file such as egy-spider then no included security measures would prevent the execution of the shell files which are basically web based ftp file managers similar to the ones that come with cpanel.

 

The shell files were placed in the catalog, the includes directories of the re-named admin and catalog and in the English language directory. An ini file was created to turn on register globals. All in spite of correct permissions and htaccess protection as well as Security Pro. So how did they get in and how to stop it from happening again?

 

If an attacker had managed to get themselves access to your ftp details or control panel details they would not need to install a shell code of any sort since they would have complete access anyways. Installing such files and patching the htaccess file is more consistent with server wide hacks.

 

Unless you have installed an addon with 2.3.1 that has a file upload vulnerability, I cannot see how 2.3.1 code could be the source of the vulnerability which has allowed attackers to upload these files and use them to change the settings in your htaccess files.

 

This sounds to me like it was a server wide hack, which has been quite commonplace on webservers that run PHP as CGI. All webservers that are configured in that manner are vulnerable to that hack and most webhosts are scrambling to patch their servers.

 

see http://packetstormsecurity.org/files/112486/PHP-CGI-Injection.html

and https://bugs.php.net/bug.php?id=61910

 

re: file permissions, if the server is running PHP as CGI then PHP will have owner level permissions which means that any file uploaded to the site that has the ability to chmod files and directories will be able to do so no matter what you set the permissions to. It is the one downside to running PHP in that manner, in that if an attacker is able to upload such a file, then it pretty much negates any site security you could install, including osC_Sec or any other addon.

 

See http://www.oscommerce.com/forums/topic/373047-a-chat-about-file-permissions/ for more about file permissions and various PHP configurations.

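The two things the replies above tell the site owner to look for, a rewritten .htaccess with permissions looser than 644 (Mr Phil's post) and a dropped ini file turning register_globals on plus PHP files sitting in directories that should hold no code (the post just above), can be turned into a repeatable post-incident check. The script below is an added example, not osCommerce, osC_Sec or Security Pro code. The directory names in SUSPECT_DIRS, the throwaway web root it builds to reproduce the symptoms, and the baseline digest passed in are all assumptions for the demonstration; on a real site the baseline would be the digest of your known-good .htaccess, kept off the server.

```python
"""Post-incident hygiene audit for a shared-hosting web root (added example,
not osCommerce/osC_Sec code). Checks .htaccess mode and integrity, rogue
php.ini/.user.ini files that enable register_globals, and PHP files placed in
directories that should contain only data or language files."""
import hashlib
import os
import re
import stat
import tempfile

# Hypothetical list of directories where a .php file is unexpected; adapt to
# the layout of the actual install (the thread mentions the English language dir).
SUSPECT_DIRS = ("images", "includes/languages")
INI_NAMES = ("php.ini", "php5.ini", ".user.ini")
REGISTER_GLOBALS_RE = re.compile(r"^\s*register_globals\s*=\s*(on|1|true)\b", re.I | re.M)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def htaccess_findings(path, baseline_sha256=None):
    """Findings for one .htaccess: missing file, group/other write bits (anything
    looser than 644 lets another account on the same box rewrite it), and a
    content mismatch against a known-good digest. Under PHP-as-CGI a dropped
    shell can chmod the file back, so the digest check matters more than the mode."""
    findings = []
    if not os.path.exists(path):
        return [f"{path}: missing (osC_Sec rules would no longer apply)"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: mode {mode:04o} is group/other writable")
    if baseline_sha256 is not None and sha256_file(path) != baseline_sha256:
        findings.append(f"{path}: contents differ from baseline")
    return findings


def rogue_ini_findings(root):
    """Locate php.ini / .user.ini files anywhere under root that switch register_globals on."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in INI_NAMES:
                p = os.path.join(dirpath, name)
                with open(p, errors="replace") as f:
                    if REGISTER_GLOBALS_RE.search(f.read()):
                        findings.append(f"{p}: enables register_globals")
    return findings


def unexpected_php_findings(root, dirs=SUSPECT_DIRS):
    """List .php/.phtml files inside directories that should hold no executable code."""
    found = []
    for sub in dirs:
        for dirpath, _d, files in os.walk(os.path.join(root, sub)):
            for name in files:
                if name.lower().endswith((".php", ".phtml")):
                    found.append(os.path.join(dirpath, name))
    return found


def audit(root, htaccess_baseline=None):
    """Run all checks and return a flat list of human-readable findings."""
    findings = htaccess_findings(os.path.join(root, ".htaccess"), htaccess_baseline)
    findings += rogue_ini_findings(root)
    findings += [f"{p}: PHP file in a non-code directory" for p in unexpected_php_findings(root)]
    return findings


def build_sample_site():
    """Construct a temporary web root reproducing the symptoms described in the
    thread (constructed sample data, not files from any real compromise)."""
    root = tempfile.mkdtemp(prefix="osc-audit-")
    os.makedirs(os.path.join(root, "images"))
    os.makedirs(os.path.join(root, "includes", "languages", "english"))
    ht = os.path.join(root, ".htaccess")
    with open(ht, "w") as f:
        f.write("# replaced: original osC_Sec directives removed\n")
    os.chmod(ht, 0o666)  # world-writable, as a shared-host attacker would leave it
    with open(os.path.join(root, "images", "php.ini"), "w") as f:
        f.write("register_globals = On\n")
    with open(os.path.join(root, "includes", "languages", "english", "x.php"), "w") as f:
        f.write("<?php /* placeholder standing in for a dropped file */ ?>\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for line in audit(site, htaccess_baseline="0" * 64):
        print(line)
```

Run it from cron against the live web root with the real baseline digest and alert on any non-empty result; a change to .htaccess that you did not make, or a new ini file anywhere under the document root, is exactly the signal this thread's owner was missing from the FTP and cPanel logs.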

Bobbee, were you able to find out how this attack was actioned? Being that you are using 2.3.1, I am very interested in finding out how the attackers were able to install files on your site.

