
GwilliamP

Site HTML files hacked but what is it/what does it do?


I have 2 domains running osC RC2A (I know - insecure, update) that are HEAVILY modded. I am waiting/hoping/praying for V3 before updating.

 

Emails go out through a shared server. I started to get 'sending limit exceeded' errors. It looks as if I was being used as a SPAM relay!

 

After a LOT of digging I found that just about every .html file had the following appended after the </html> tag.

 

Here are images of the code. I am not posting the code directly as it looks dangerous.

 

html-hack.jpg

 

HEX code.

 

html-hack-hex.jpg

 

I have just completed the clean-up and am waiting to see if that stops the problem.

 

Can anyone tell me what the code is doing?

 

Cheers,

Paul.

 

P.S. ALL passwords (hosting CP, FTP, SSH, osC admin, osC admin dir password protection, every email account) changed to strong 12-random-character ones. File permissions set to 644.


Paul

 

If you find out the date and time of the changes you can look in your access logs and probably work out who it was and possibly backtrack and find out how.

 

Did you secure your login as per the rc2a secure thread?

 

If you have just cleansed it and not found and blocked the way they came in last time, they will be back.

 

HTH

 

G

 


Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 


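To act on the advice above (find which files carry something after the closing tag and when they changed, so the timestamps can be matched against access logs), here is an added example scanner; it is not code from the thread or from osCommerce, and the sample files it creates are constructed for the demo.

```python
import os
import tempfile
from datetime import datetime, timezone


def trailing_payload(data: bytes) -> bytes:
    """Return the non-whitespace bytes that follow the last </html> tag, or b''.

    A legitimate page ends at </html> (plus a newline); anything else after it
    is worth a look. The match is case-insensitive.
    """
    idx = data.lower().rfind(b"</html>")
    if idx < 0:
        return b""
    return data[idx + len(b"</html>"):].strip()


def scan_tree(root: str, exts=(".html", ".htm")) -> list:
    """Walk root and report (relative path, mtime in UTC, payload preview) per hit.

    The mtime is what you correlate with the access log. Note that an intruder
    can reset timestamps, so treat it as a lead, not as proof.
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                payload = trailing_payload(fh.read())
            if payload:
                mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
                hits.append((os.path.relpath(path, root),
                             mtime.isoformat(timespec="seconds"),
                             payload[:60]))
    return sorted(hits)


def demo() -> list:
    """Constructed sample tree: one clean page and one with an appended trailer."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "clean.html"), "wb") as fh:
        fh.write(b"<html><body>ok</body></html>\n")
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "sub", "tainted.html"), "wb") as fh:
        fh.write(b"<html><body>ok</body></html>\n<script>/* constructed trailer */</script>\n")
    return scan_tree(root)


if __name__ == "__main__":
    for rel, when, preview in demo():
        print(f"{when}  {rel}  {preview!r}")
```

Run it against the document root of each store; every reported file is one to diff against a known-clean backup.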

@@GwilliamP

 

I am waiting/hoping/praying for V3 before updating.

 

Can you really afford another two years (guesstimate) of running an insecure site?

 

Also, you do realize there won't be an upgrade path from Rc2a to v3, right? So it will be a NEW site, not an upgrade.

 

 

 

Chris



 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)


@@geoffreywalton - It looks like the code has been there for some time. I store monthly backups and have found it over 12 months ago. I do not know how I missed finding it before. My hosted logs do not go that far back.

 

@@DunWeb - Bu**er! I had searched the forum but could not find any indication. I was just being optimistic. 2 years seems an awfully long time. Time to rethink. I don't want to upgrade as I never trust that route as the sites are so heavily modified.

 

I am still curious about the offending code.


Whatever you decide, check these steps have been done.

 

http://forums.oscommerce.com/topic/313323-how-to-secure-your-oscommerce-22-site/

 

Then you can either

 

Leave as is because it is secure.

Follow the upgrade path as far as possible.

Wait for V3 and transfer when it is available.

 

Cheers

 

G



I don't want to pi$$ on your Post Toasties but you have set "Allow guest to tell a friend" to true in your admin.

 

That allows any wandering robot with SPAM on its mind to use your store as a SPAM engine.

 

If you want to allow guests that feature you should apply a captcha or some other anti-robot measure.


If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 


Well that's one way to stop the spam - fix it so no one can access the site.

 

I suppose you may suffer a slight decrease in sales though...

:blush:



Now that's more like it...

:thumbsup:

