roserve

Security Release since 2.3.3

Hi,

 

I am hosting an OSC 2.3.3 site for a customer. It got injected with a shell script and I wanted to advise the customer to take some actions. Its version, as guessed from includes/version.php (is this the right way to assess the OSC version?), is 2.3.3. Is this version vulnerable? Were there security updates since 2.3.3?

 

The log lines responsible for the hack are these:

 

178.170.108.47 - - [23/Nov/2014:00:39:36 +0200] "POST /magazin/popup_image.php?pID=584&sa=U&ei=2w9xVPOgGaXiywPg04CIBQ&ved=0CCYQFjAEOMgB&usg=AFQjCNHMEEYPp6pH1spkq_RUcD7SQYNQ-g/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 2402 "-" "Mozilla/5.0 (Windows NT 5.1) APPWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
178.170.108.47 - - [23/Nov/2014:00:39:37 +0200] "POST /admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 1148 "-" "Mozilla/5.0 (Windows NT 5.1) APPWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
178.170.108.47 - - [23/Nov/2014:00:39:37 +0200] "POST /magazin/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 16688 "-" "Mozilla/5.0 (Windows NT 5.1) APPWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
178.170.108.47 - - [23/Nov/2014:00:39:37 +0200] "GET /magazin/images/petx.pHp?lol HTTP/1.1" 403 1139 "-" "Mozilla/5.0 (Windows NT 5.1) APPWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"

 

Any advice?

 

Thanks!

Top one is looking for an osCommerce signature (popup_image.php), those parameters are google search parameters.

 

He then tries to access admin via an old exploit that was patched years ago.

 

The injection came from elsewhere I'd suggest, check your whole server for signs of hack activity.

 

FTI at 2.3.3, this site is 5 releases behind the current master.


This is a signature that appears on all my posts.  
IF YOU MAKE A POST REQUESTING HELP...please state the exact version
of osCommerce that you are using. THANKS

 
Get the latest Responsive osCommerce CE (community edition) here

Hi,

 

Thanks for your answer. I can't check the entire server as there are quite a few accounts (hundreds) but the timestamp of the injected file is 23/Nov/2014:00:39:37 (identical with the log lines above) and the injected file has the ownership of the account (PHP is with suexec). So this is why I concluded it must be something related to the above lines. I checked again and around that time (seconds +/-), there's nothing else:

 

178.170.108.47 - - [23/Nov/2014:00:39:36 +0200] "POST /magazin/popup_image.php?pID=584&sa=U&ei=2w9xVPOgGaXiywPg04CIBQ&ved=0CCYQFjAEOMgB&usg=AFQjCNHMEEYPp6pH1spkq_RUcD7SQYNQ-g/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 2402 "-" "Mozilla/5.0 (Windows NT 5.1) APPWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
178.170.108.47 - - [23/Nov/2014:00:39:37 +0200] "POST /admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 1148 "-" "Mozilla/5.0 (Windows NT 5.1) APPWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
178.170.108.47 - - [23/Nov/2014:00:39:37 +0200] "POST /magazin/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 16688 "-" "Mozilla/5.0 (Windows NT 5.1) APPWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
178.170.108.47 - - [23/Nov/2014:00:39:37 +0200] "GET /magazin/images/petx.pHp?lol HTTP/1.1" 403 1139 "-" "Mozilla/5.0 (Windows NT 5.1) APPWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"

 

I know this version is 2 years old. But are there any security updates in the versions afterwards?

 

Thanks,

Regards!

Hi,

 

Thanks. 2 things if I may:

 

1. I can't see any security patch of any vulnerability in the changelog. Are they supposed to be listed in the changelog and there were none since 2.3.3, or are they not publicly listed in the changelog even if there were patched vulnerabilities? My question is this: can I prove to the customer that an update is essential based on some evidence? I would like to have more than the fact that it's common sense to keep your software up to date.

 

2. It occurred again and this time it looks different (I replaced the actual account with the word account):

 

This is the stat of the injected file:

 

File: `/home/account/public_html/magazin/images/car.php'
  Size: 172435          Blocks: 344        IO Block: 4096   regular file
Device: 802h/2050d      Inode: 62670280    Links: 1
Access: (0777/-rwxrwxrwx)  Uid: (  761/  account)   Gid: (  772/  account)
Access: 2014-11-25 04:49:33.255998549 +0200
Modify: 2014-11-24 22:01:10.606986711 +0200
Change: 2014-11-24 22:01:10.606986711 +0200

 

208.67.23.91 - - [24/Nov/2014:22:00:50 +0200] "GET /admin/categories.php/login.php HTTP/1.1" 404 1148 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:00:51 +0200] "GET /magazin/contact_us.php&sa=U&ei=kItzVIahIdS1oQS-p4DIAQ&ved=0CKUCEBYwMziWAQ&usg=AFQjCNFD4Bq9_RL-QUW5rHObVUl4U67vxw/admin/categories.php/login.php HTTP/1.1" 404 1148 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:00:52 +0200] "GET /admin/file_manager.php/login.php HTTP/1.1" 404 1148 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:00:52 +0200] "GET /magazin/admin/categories.php/login.php HTTP/1.1" 200 27356 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:00:53 +0200] "GET /admin/banner_manager.php/login.php HTTP/1.1" 404 1148 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:00:53 +0200] "GET /magazin/contact_us.php&sa=U&ei=kItzVIahIdS1oQS-p4DIAQ&ved=0CKUCEBYwMziWAQ&usg=AFQjCNFD4Bq9_RL-QUW5rHObVUl4U67vxw/admin/file_manager.php/login.php HTTP/1.1" 404 1148 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:00:55 +0200] "GET /magazin/contact_us.php&sa=U&ei=kItzVIahIdS1oQS-p4DIAQ&ved=0CKUCEBYwMziWAQ&usg=AFQjCNFD4Bq9_RL-QUW5rHObVUl4U67vxw/admin/banner_manager.php/login.php HTTP/1.1" 404 1148 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:00:55 +0200] "GET /admin/administrators.php/login.php HTTP/1.1" 404 1148 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:00:54 +0200] "GET /magazin/admin/file_manager.php/login.php HTTP/1.1" 200 153573 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:00:56 +0200] "GET /magazin/contact_us.php&sa=U&ei=kItzVIahIdS1oQS-p4DIAQ&ved=0CKUCEBYwMziWAQ&usg=AFQjCNFD4Bq9_RL-QUW5rHObVUl4U67vxw/admin/administrators.php/login.php HTTP/1.1" 404 1148 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:00:57 +0200] "GET /magazin/admin/banner_manager.php/login.php HTTP/1.1" 200 28125 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:00:59 +0200] "GET /magazin/admin/administrators.php/login.php HTTP/1.1" 200 13592 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:01:04 +0200] "GET /magazin/admin/categories.php/login.php?action=download&filename=/includes/configure.php HTTP/1.1" 200 27356 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:01:05 +0200] "POST /magazin//admin/administrators.php/login.php?action=insert HTTP/1.1" 406 1131 "-" "libwww-perl/5.833"
208.67.23.91 - - [24/Nov/2014:22:01:05 +0200] "GET /magazin/admin/administrators.php/login.php?action=new HTTP/1.1" 200 14075 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:01:07 +0200] "GET /magazin/admin/categories.php/login.php?action=download&filename=/includes/configure.php HTTP/1.1" 406 1131 "-" "libwww-perl/5.833"
208.67.23.91 - - [24/Nov/2014:22:01:07 +0200] "POST /magazin/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 16688 "-" "libwww-perl/5.833"
208.67.23.91 - - [24/Nov/2014:22:01:15 +0200] "POST /magazin/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 406 1131 "-" "libwww-perl/5.833"
208.67.23.91 - - [24/Nov/2014:22:01:16 +0200] "GET /magazin/images/car.php HTTP/1.1" 403 1139 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:01:17 +0200] "GET /magazin/images/run.php HTTP/1.1" 404 1148 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:01:17 +0200] "GET /magazin/admin/file_manager.php/login.php?action=download&filename=/includes/configure.php HTTP/1.1" 200 1318 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:01:17 +0200] "POST /magazin//admin/administrators.php/login.php?action=insert HTTP/1.1" 406 1131 "-" "libwww-perl/5.833"
208.67.23.91 - - [24/Nov/2014:22:01:18 +0200] "GET /magazin/admin/administrators.php/login.php?action=new HTTP/1.1" 200 14075 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:01:18 +0200] "GET /magazin/admin/file_manager.php/login.php?action=download&filename=/includes/configure.php HTTP/1.1" 406 1131 "-" "libwww-perl/5.833"
208.67.23.91 - - [24/Nov/2014:22:01:19 +0200] "POST /magazin/admin/file_manager.php/login.php?action=processuploads HTTP/1.1" 500 296 "-" "libwww-perl/5.833"

 

As can be seen from the log above, it triggered 5 mod_sec alerts within 13-14 seconds, hence it got banned at 22:01:23 (4 seconds after the last log line above). The 403 error above is due to the fact that it got injected with 777 ownership and this type of permissions gets denied by suexec.

 

From the log above I can't see when that shell script got injected but...

 

a) This particular account has no other log associated with it and the inserted shell has the ownership of the account.

b) The FTP log is empty and also I have found nothing related to this particular account in /var/log/messages so nothing got injected by FTP.

c) I have also checked the /usr/local/cpanel/logs/access_log to check if maybe it got injected through cPanel (File Editor etc). There have been no logins to cPanel in the last 2 weeks by anyone on this particular account.

d) Although there are quite a few hundred accounts on this server, I am not aware of any other hacks. This website has been a permanent and recurrent problem for as long as I can remember, so if the customer is not doing anything I am trying to figure out what to do for him. But I don't know anything about OS Commerce in particular so...

 

Any insight?

 

Thanks and regards!

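A defender-side triage script for log excerpts like the ones posted above, added here as an example and not part of any post in this thread: it parses Apache combined-format lines and tags the request shapes the thread discusses (admin scripts reached with /login.php path-info, configure.php download attempts, script files requested from /images/, a libwww-perl client), then groups hits per source address. The sample lines and addresses are constructed, not the poster's logs.

```python
import re
from collections import Counter

# Apache "combined" log format; the UA is kept for the scripted-client signal.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Request shapes taken from the log excerpts in this thread.
ADMIN_PATHINFO = re.compile(r'/admin/[^/?]+\.php/login\.php', re.I)   # admin script with /login.php path-info
CONFIG_DOWNLOAD = re.compile(r'action=download&filename=.*configure\.php', re.I)
IMAGES_SCRIPT = re.compile(r'/images/[^/?]+\.(php[0-9]?|phtml|pl|cgi)(\?|$)', re.I)

# Constructed sample lines modelled on the thread's excerpts (RFC 5737 addresses, UA shortened).
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Nov/2014:22:00:52 +0200] "GET /magazin/admin/categories.php/login.php HTTP/1.1" 200 27356 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Nov/2014:22:01:04 +0200] "GET /magazin/admin/categories.php/login.php?action=download&filename=/includes/configure.php HTTP/1.1" 200 27356 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Nov/2014:22:01:07 +0200] "POST /magazin/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 16688 "-" "libwww-perl/5.833"',
    '203.0.113.5 - - [24/Nov/2014:22:01:16 +0200] "GET /magazin/images/car.php HTTP/1.1" 403 1139 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Nov/2014:22:03:00 +0200] "GET /magazin/images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def classify(line):
    """Return the indicator tags for one log line ([] if nothing matched, ['unparsed'] on bad format)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    path, ua, status = m.group("path"), m.group("ua"), m.group("status")
    tags = []
    if ADMIN_PATHINFO.search(path):
        # 200 means the admin script was served to an unauthenticated client; anything else was a probe.
        tags.append("admin-pathinfo-served" if status == "200" else "admin-pathinfo-probe")
    if CONFIG_DOWNLOAD.search(path):
        tags.append("configure-download")
    if IMAGES_SCRIPT.search(path):
        tags.append("script-in-images")
    if ua.lower().startswith("libwww-perl"):
        tags.append("scripted-client")
    return tags

def triage(lines):
    """Per client IP: first/last timestamp and a count of each indicator, skipping clean lines."""
    report = {}
    for line in lines:
        tags = classify(line)
        if not tags or tags == ["unparsed"]:
            continue
        m = LOG_RE.match(line)
        entry = report.setdefault(m.group("ip"), {"first": m.group("ts"), "last": None, "hits": Counter()})
        entry["last"] = m.group("ts")
        entry["hits"].update(tags)
    return report
```

Running triage() over a real access_log gives, per address, the window between the first admin path-info hit and the first request for a script under /images/, which is the interval to compare against the injected file's mtime.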

No security expert myself, but 1 x fix here for 2.3.3.4. This does not seem to be your problem, though: it was fixed very quickly, within hours of being found, and does not appear in your logs above.

 

PM sent

 

He should also have renamed admin to something random and taken the opportunity of the extra .htaccess protection which is offered in the admin.

 

I am wondering if he is using an addon which may have made him vulnerable.

 

The below should have also been in his image folder

# $Id$
#
# This is used to restrict access to this folder to anything other
# than images

# Prevents any script files from being accessed from the images folder
<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
   Order Deny,Allow
   Deny from all
</FilesMatch>

Options -Indexes

**************************************************************************************************

 

This file, for example, from the above logs has not existed for many years:

 

/admin/file_manager.php

 

So, as Burt said, it is looking for old exploits from the 2.2 series.

 

Another possibility that springs to mind is that it may not have been a true 2.3... install but an upgraded 2.rc site??

 

Maybe worthwhile asking someone here to take a look at the file structure; it would not be hard to tell if it is a true 2.3 version or an upgraded older version.

 

Not much help but something to think on

 

Regards

Joli

 

PS: full release upgrade notes here

 

http://library.oscommerce.com/Online&en&oscom_2_3&release_notes


To improve is to change; to be perfect is to change often.

 
