Archived

This topic is now archived and is closed to further replies.

thumb

Site hacked through Vulnerability

This morning my website was suspended for phishing. Apparently someone found a vulnerability and was able to put scripts onto my website and was posing as Wells Fargo. Only thing I have installed on my site is osCommerce and it has been there for years and is always updated with the newest versions. I was just wondering if anyone else has had this happen to them recently? My host is telling me that they can not make my site available again until I have a company like sitelock scan my site and give it a clean bill of health but of course at a yearly contract of at least $49/month. This all sounds like a scam to me. I've been designing websites and have a few of my own sites since 1987 and have never had something like this happen before.


Also, which version do you use?

You can make a commercial request for that.

Or if you have some knowledge, you can download your site and compare with the original version to see the difference and examine the code.



Regards
-----------------------------------------
Loïc

Contact me by skype for business
Contact me @gyakutsuki for an answer on the forum

Tuto for 2.4 :
- How to Display a new page with app
- How to make Header Tags under app APP
- How to make a bootstrap modal with external element


I can not tell you exactly which version I have but it is a v2.x. I also can not compare files because the host already deleted the files in question. The only thing I have right now that is up to date is the database for it. Is there something in the database where it will tell me what version of osC I am using?


OK, I just remembered that I am running the bootstrap version and the last time a version check was done was 2017-06-08 and everything was up to date then.


Do you have a backup of your site? As you have been designing websites since 1987 I imagine it must be a standard part of your workflow.

If you do, go to your most recent backup after the last update you made to the osC software and look at the file catalog/includes/version.php, it will show you which version you are on.


Let's make things easier for new osCommerce users http://forums.oscommerce.com/topic/402638-discussion-about-hard-coded-database-tables/?p=1718900  Getting there with osCommerce 2.4! :thumbsup:

4 hours ago, wHiTeHaT said:

Then they know what files to look at.

They should at least give you a decent report of what they have done.

Yes, they showed me what folder and files were added to my website that they (hackers) used and then deleted the whole folder. Right now I can't do anything because one of the websites that are on my account is going live (online store) that has its DNS redirected to a shopping cart (shopified). What I am planning on doing is have the whole account wiped clean and start all over. I do have backups of everything that I can use. I'll just go back about a month and use those.


I may have missed it but if how they got in has not been fixed, the hole will most likely still be there after you restore and you will have the same problem again.


Yes, that would be true but I am starting out fresh with nothing but what I need, if it happens again at least I will know what program is doing it. I have a forum running and osC


Just a question: are you sure it is osC and not your forum?



Regards
-----------------------------------------
Loïc


I am not sure but the forum has been running for about 8 years and the OSC has been up for about 5 days or so, it's just a wild guess.

 

Quote

Only thing I have installed on my site is osCommerce and it has been there for years

Quote

I am not sure but the forum has been running for about 8 years and the OSC has been up for about 5 days or so

So which is it? I would say that it's more likely that the software that's been around for years was the one hacked, although you might have installed osC and neglected to check that installation files, etc. were removed when you were done. These can provide a path into your site if you're not careful.

A host that wipes out your files so you can't see what happened doesn't sound like a very good host to me. You might want to start looking around for a new host if your current one is that uncooperative. How can you determine what happened if all evidence is gone? On top of that, you say they are demanding that you use expensive services from now on?

Quote

It's 2.3.4

osC 2.3.4 and Bootstrap (osC 2.3.4BS Edge) are entirely different animals. If you installed the "official" 2.3.4 offering, it's obsolete and non-responsive. 2.3.4BS Edge (available from GitHub) is the only up-to-date production-ready version (and is responsive). Everything else is either obsolete or beta (or even alpha) test.

Quote

I've been designing websites and have a few of my own sites since 1987

Fascinating, since Tim Berners-Lee didn't release the first web software until 1989...


If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get (stable) Frozenpatches or (unstable) Edge. See also the naming convention and the latest community-supported responsive "Edge" release


MrPhil, I know I installed the Bootstrap back in June of this year, just never went live with it until almost a week ago. I don't know why it says in the version.php 2.3.4 instead of 2.3.4BS.

As far as designing websites, I and my partner designed them using html code only, there was no software when we started. That's probably the main reason I got out of website design a few years ago because of the great software they have now, anyone can design a site now.

As far as the host wiping out my code, I may have misled when I said that, the files and the folders were there but they sent me an email saying that if I wanted to get my site back online that I would have to get rid of all the files. Here is what they sent me in short:

To correct this problem:

1. Go through the entire account and remove unfamiliar/unused files; repair files that have been modified by the hacker.
2. Update all scripts/programs/plugins/themes on the account to the latest versions.
3. Research any scripts/programs/plugins/themes you are using for known security vulnerabilities; remove any with known, unresolved vulnerabilities.
4. Update your cPanel password, using a strong password (i.e. upper case characters, lower case characters, numbers, symbols).
5. Remove unused FTP accounts.
6. Update the passwords on necessary FTP accounts to strong passwords (see above).
7. Update the passwords for any scripts/programs you are using to strong passwords (see 4 above).
8. Remove all unknown cron jobs.
9. Secure the php configuration settings in your php.ini file.
10. Update the file permissions for files and folders on your account.
 
Now here is something to think about and it keeps haunting me, the night before (actually 6 hours before the attack), I had changed the DNS to point to Shopify.com and the www CName only so that we could use their shop for testing. I told my host this and they said there was no way they could access my site that way. It's just too much of a coincidence that it happened just hours afterwards.
 
Oh, and I did remove the installation files once I was finished installing and also changed the permissions that were noted in the admin when installed.

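Item 10 of the host's list (file permissions) and the leftover-installer point raised earlier in the thread can be checked mechanically. The sketch below is an added example, not code from the host or from osCommerce; it assumes the installer lives in `catalog/install` and the store config in `catalog/includes/configure.php`, and it runs against a constructed temporary web root.

```python
import os
import stat
import tempfile

def audit_webroot(root, catalog="catalog"):
    """Flag world-writable paths, a leftover installer and a writable config."""
    world_writable = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            # Skip symlinks so a link pointing outside the web root is not followed.
            if not os.path.islink(full) and os.stat(full).st_mode & stat.S_IWOTH:
                world_writable.append(os.path.relpath(full, root).replace(os.sep, "/"))
    config = os.path.join(root, catalog, "includes", "configure.php")
    return {
        "world_writable": sorted(world_writable),
        # Assumed layout: the installer lives in <catalog>/install.
        "installer_present": os.path.isdir(os.path.join(root, catalog, "install")),
        # Any write bit (owner, group or other) on the config file is reported.
        "config_writable": os.path.isfile(config) and bool(os.stat(config).st_mode & 0o222),
    }

def demo():
    """Constructed web root, audited before and after tightening it."""
    old_umask = os.umask(0o022)  # make the sample modes predictable
    try:
        with tempfile.TemporaryDirectory() as root:
            install = os.path.join(root, "catalog", "install")
            images = os.path.join(root, "catalog", "images")
            config = os.path.join(root, "catalog", "includes", "configure.php")
            for d in (install, images, os.path.dirname(config)):
                os.makedirs(d)
            with open(config, "w") as fh:
                fh.write("<?php // constructed placeholder\n")
            os.chmod(images, 0o777)
            before = audit_webroot(root)
            os.rmdir(install)          # installer removed
            os.chmod(images, 0o755)    # no longer world-writable
            os.chmod(config, 0o444)    # config made read-only
            after = audit_webroot(root)
            return before, after
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

Pointing `audit_webroot` at a downloaded copy of the account gives a short list to work through before the site goes back online.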

I just noticed that I had typed 1987, it was 1997 when we started but it was still using HTML, then we went to Dreamweaver and Fireworks. Sorry about that.


Packages for things like forums are notorious for providing backdoors into shopping cart packages so that could be the source of the hack.


If you are saying that a forum package was on the cart, no. Matter of fact the OSC has nothing extra added to it except for the store logo and of course some items for sale. I still have no idea how they got in and through what means.


@thumb

Anyone reading your original post could be led to believe that osCommerce was definitely at fault for causing your site to be hacked. You've subsequently admitted you had another software package, a forum, on your site. You've now admitted you have no idea how the hackers got in and through what means. 

I think we'll have to consider this a beat up. Come back to us if you find out osC has any vulnerabilities. Until then, it's reckless speculation.



I actually didn't say OSC was at fault and actually asked if this has happened to anyone else thinking that if it did, it might be a problem with OSC. The reason I did not mention the forum was because it has been there for years with regular updates so my initial thought was OSC since I had just installed it on a new website that had its DNS pointing from my website host just hours before it was hacked. I'm just looking to find out how it happened. The only way to find out something is to ask and it might show a reason, without asking, then no one will ever know. Sorry to have bothered you. Now if I go to the forum forum, I bet they'll say the same thing as you did. If I do find out I will be sure to come back and let you know.


When I mentioned the forum, I was talking about it as a stand-alone installation. So your site would be in one directory and the forum in another but in the same hosting account. If someone is able to hack into either of them, then they can follow the trail to the other one, unless they are blocked by the code. This was a common occurrence years ago. I haven't heard of it lately but if your installations are old packages, it is certainly possible.

But it is all guesswork at this point since it can be near impossible to know how a site was hacked unless it is looked into right away and you have access to server logs. If it was something like your login being obtained, there wouldn't be a way to tell even that way unless you had tracking code installed.


What I am planning on doing is to have my whole site wiped clean and start all over with all new installations. Since I have no idea nor does the host how they got in, it's all I can do. My host wanted me to use sitelock.com which they are partnered with and pay them to scan my site and they would clean anything that looks suspicious. Bad thing about that is they want you to have a year contract with them with at least a $49/mo charge plus an upfront cost of $100 to do the scan and clean. I don't know but it sounds more like a scam to me, wanting me to pay them for a year for something I had nothing to do with. How do I know they or the host didn't put those files there? It's just a big mess. :ohmy:


It's unlikely your host did this. Sitelock is a legitimate program, though unnecessary in my opinion. There shouldn't be any reason to start over. Your files can be cleaned. If you are going to start over, install the latest Edge version. Besides being a better package for the web, it will eliminate a large number of security holes in an older shop. If done correctly, you won't lose any data in the database, though the appearance and addons will have to be redone. Once you have the shop running again, install Site Monitor. It won't prevent hackers from getting in but will let you know when they do so you will know what is needed to fix what they did. There are also some security addons that can be installed to help prevent hacking. I'll send you a PM with more details.


I can start all over with no problems. The OSC was just started and really not much on it yet, just a few items. Now the forum has been going on for years but has dwindled down to about 5 members but we will get on daily just to say hi so in that regards, I could just start it off new also. Other than those two applications, there is nothing on the website to speak of.

I would just do a clean but it's just too expensive. I'm retired and on a fixed income and just recently had a heart attack and triple by-pass surgery so I don't need any of this right now. Starting new would be best in my situation. If site monitor is free I'll install it also.
