
Archived

This topic is now archived and is closed to further replies.

JcMagpie

Web site security problems with osCommerce Gold/Edge?

Recommended Posts

Happy new year all.

Starting the new year with a headache! I have set up a number of test websites with both Gold and Edge. Three websites have been hacked over the last few days. The issue is injection of PHP files directly into the osCommerce root folder. From what I have managed to determine, it's been the same exploit on all sites. It did not do any damage to my site but started using bandwidth to send out emails until hosting limits suspended the sites. This is what was found.


Before the site was suspended it was scanned and the result of the scan is below:

{CAV}Unix.Trojan.Torte-1 : /home/******/public_html/inc/_core/model/ps
{HEX}base64.inject.unclassed.7 : /home/*******/public_html/inc/_core/model/_pagecache.class.php
{CAV}Win.Trojan.B-190 : /home/******/public_html/inc/_core/model/gallery.php

Was unable to remove files. Had to wipe site and recover from backup.


All sites were installed as standard with all recommended files and folders set as requested. Admin security showed everything as recommended. Admin file check was all as should be.

Additional Protection With htaccess/htpasswd was set.


Is there any other security patch that should have been applied? I did not find any listed.

The hosting company has worked quickly with me to reinstate clean sites. They have stated that the servers are secure and that each website is isolated from the others, so each of the sites was compromised individually rather than it spreading on the server.

They are advising that osC needs patching to resolve this, or that I need to install antivirus software on each site.


I would welcome any help/feedback on this issue.



Hello @justcatering,

@burt is the one that facilitates the EDGE version. Alert him as soon as possible about this so he can look into it.

I use the EDGE version and I am not aware of any security breaches, but I've done 3 things for security:

  1. Use a reputable webhosting company
  2. All pages using https protocol.
  3. Use a cloud server service such as Google Cloud or Cloudflare

You may want to change all passwords that grant access to your server and change credentials in your configure files. I've had no problems with security in years since using EDGE version.


Zahid, IIRC you exposed your admin URL and other sensitive data in the forum, and someone might have taken advantage of that to hack your site. After cleaning up, change all your admin paths and passwords (server account, osC ID, database user, etc.) after making sure that the PC you use to access your site has been checked for malware such as keystroke loggers and password sniffers. No one else seems to be reporting security problems, so most likely it's something particular to your situation.

Think before you post, and check for any information that a bad guy might possibly use to get into your site.


If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get (stable) Frozenpatches or (unstable) Edge. See also the naming convention and the latest community-supported responsive "Edge" release


Hmm. Well, two other sites that I have never posted about were hacked too! Passwords and admin different on all. So yes, I was a numpty in pasting the data, but it was pointed out quickly and removed, and on that one site I changed the password, admin directory name and FTP passwords straight away. That site was fine.

So I think it still needs looking into.


Well, at least make sure any PC you use to access your site is clean as a whistle with regards to malware. There's no point in changing all your passwords if some hacker knows them all within minutes! Some hosts have been known to be careless about security, and hackers prey on their customers, so that's always a possibility. And some people insist on making their directories "world writable" (typically 777 permissions), which lets anyone sharing your server drop in their own files, such as backdoors and Trojans. You have to be paranoid about security, and keep on your toes.


There are no known security holes in the Community Version.

I'd suspect that the problem lies elsewhere in the server, for example:

If updating from older osCommerce:

  • ensure that the database is clean of extra admin users
  • ensure that there are no older hack vectors (example: .php files in the /images/ folder)
  • ensure that if you change core code...you understand what you are changing (so that you do not introduce potential hack vectors)

For hosting companies:

  • don't believe a word they say.  I have seen a co. introduce a security hole...so that their customer would then move to a dedicated server.
  • be aware that some hosting companies do not have a great knowledge of the technical details of hosting

After all that...if anyone does find a security hole in the Community Version, please report it at Github.  But remember that you need to do all of the detective work to find the attack vector, it is no good saying "my site got hacked, it must be because of osCommerce, look into it".  It needs to be something like;  "my site got hacked, I believe the problem is at XYZ page, you can replicate this by doing ABC"...

Having cleaned numerous "hacked osCommerce" sites, I cannot actually remember any where the problem was osCommerce.  Most of the time, the hack lay elsewhere (eg, insecure wordpress which infected whole server.  eg, malware on shopowners computer.  etc and so on).  Never jump to a conclusion that just because YOU use osCommerce, osCommerce is the problem.  


This is a signature that appears on all my posts.  
IF YOU MAKE A POST REQUESTING HELP...please state the exact version
of osCommerce that you are using. THANKS

Get the latest Responsive osCommerce CE (community edition) here

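The checks Burt lists above (stray .php files under /images/, accidental changes that open a hole) and MrPhil's warning about world-writable directories can be turned into a quick audit of the shop's document root. The script below is an added example written for this thread; it is not osCommerce code and not something either poster published. It assumes the standard 2.3.x layout (ROOT/images/, ROOT/includes/) and treats `eval(`/`base64_decode(` in a .php file as a heuristic only: the scanner hits in the first post (`_pagecache.class.php` flagged as `base64.inject`) are exactly this pattern, but some legitimate libraries use the same calls, so every hit needs a look. The "extra admin users" check is a database query rather than a file check; in 2.3.x the admin accounts live in the `administrators` table, so `SELECT id, user_name FROM administrators;` in phpMyAdmin is the companion step.

```shell
#!/bin/sh
# Post-compromise audit helpers for an osCommerce document root.
# Added example for this thread, not osCommerce's own code.
# ROOT is the shop's document root (assumed layout: ROOT/images/, ROOT/includes/).

# 1. Directories anyone on the server can write to (777-style). On shared
#    hosting these let a neighbouring account drop files into your site.
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null
}

# 2. PHP scripts under /images/. That folder should only ever hold pictures,
#    so any executable script there is an old, well-known hiding place.
find_php_in_images() {
    [ -d "$1/images" ] || return 0
    find "$1/images" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}

# 3. PHP files that decode/execute embedded code. Heuristic: this is what the
#    "base64.inject" scanner signature keys on, but some legitimate libraries
#    also use these calls, so review every hit rather than deleting blindly.
find_obfuscated_php() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE 'base64_decode[[:space:]]*\(|eval[[:space:]]*\(' {} + 2>/dev/null || true
}

# 4. PHP files changed in the last N days. Not a finding by itself, but it
#    narrows the search to the window in which the site was compromised.
find_recent_php() {
    find "$1" -type f -name '*.php' -mtime -"$2" 2>/dev/null
}

# Run the three finding-producing checks; print hits grouped by check and
# return 1 if anything was found, 0 if the tree looks clean.
audit_all() {
    root=$1
    hits=0
    for fn in find_world_writable_dirs find_php_in_images find_obfuscated_php; do
        res=$("$fn" "$root")
        if [ -n "$res" ]; then
            hits=1
            printf '[%s]\n%s\n' "$fn" "$res"
        fi
    done
    return $hits
}

# Usage: sh audit.sh /home/account/public_html
if [ -n "$1" ]; then
    audit_all "$1" && echo "no findings in $1"
fi
```

Run it from an SSH session as the site's own user so permission errors are real findings rather than noise. A clean result does not prove the site is clean (this thread's trojan was outside the public tree entirely), but a hit in any of the three groups is something to fix before restoring from backup.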

Zahid - The security tester on my site shows your includes directory is not protected. That test returns a good status for most sites but it can be incorrect for a number of reasons related to your server. But no matter what it says, you need to manually check it to be sure. I've run across many sites where the includes protection was missing or incorrect.


Isn't he running PHP 5.2, with Edge downgraded to run on it? Older versions of PHP can be quite insecure, and his changes to the osC might have introduced security holes (including osC security features that don't work as well on back-level PHP). Personally, I think it's insane to downgrade Edge to PHP 5.2, rather than getting a decent host (with PHP at least 5.6), but there's no telling what some people will choose to do. What host doesn't offer PHP 5.6 these days? I wonder if his host is normally at 5.6, but is holding his server at 5.2 for the laggards. In that case, there is usually a mechanism in .htaccess to spec the later PHP on a per-directory basis.

14 hours ago, Jack_mcs said:

Zahid - The security tester on my site shows your includes directory is not protected. That test returns a good status for most sites but it can be incorrect for a number of reasons related to your server. But no matter what it says, you need to manually check it to be sure. I've run across many sites where the includes protection was missing or incorrect.

Ok, interesting. I will check again, but I never edit directory settings. They are left at 755 as recommended.

14 hours ago, burt said:

There are no known security holes in the Community Version.

I'd suspect that the problem lies elsewhere in the server, for example:

If updating from older osCommerce:

  • ensure that the database is clean of extra admin users
  • ensure that there are no older hack vectors (example: .php files in the /images/ folder)
  • ensure that if you change core code...you understand what you are changing (so that you do not introduce potential hack vectors)

For hosting companies:

  • don't believe a word they say.  I have seen a co. introduce a security hole...so that their customer would then move to a dedicated server.
  • be aware that some hosting companies do not have a great knowledge of the technical details of hosting

After all that...if anyone does find a security hole in the Community Version, please report it at Github.  But remember that you need to do all of the detective work to find the attack vector, it is no good saying "my site got hacked, it must be because of osCommerce, look into it".  It needs to be something like;  "my site got hacked, I believe the problem is at XYZ page, you can replicate this by doing ABC"...

Having cleaned numerous "hacked osCommerce" sites, I cannot actually remember any where the problem was osCommerce.  Most of the time, the hack lay elsewhere (eg, insecure wordpress which infected whole server.  eg, malware on shopowners computer.  etc and so on).  Never jump to a conclusion that just because YOU use osCommerce, osCommerce is the problem.  

Thanks Burt, that's good to know. Just wanted to check I hadn't missed a patch or something.

As for the hosting company, I can say with hindsight that they actually have been very helpful considering this happened during the Xmas holidays and new year. I was initially very critical but that was due to my frustration. They did everything I asked and more and got the sites back up and clean within hours of me actually complaining.

As per your advice I am getting a new account with PHP 5.7 and will move the new sites over to this shortly.

12 hours ago, MrPhil said:

Isn't he running PHP 5.2, with Edge downgraded to run on it? Older versions of PHP can be quite insecure, and his changes to the osC might have introduced security holes (including osC security features that don't work as well on back-level PHP). Personally, I think it's insane to downgrade Edge to PHP 5.2, rather than getting a decent host (with PHP at least 5.6), but there's no telling what some people will choose to do. What host doesn't offer PHP 5.6 these days? I wonder if his host is normally at 5.6, but is holding his server at 5.2 for the laggards. In that case, there is usually a mechanism in .htaccess to spec the later PHP on a per-directory basis.

As to introducing problems, I'm as fallible as anyone here, but I have not made any changes to the core code at all. To make it work on 5.2 required a few simple changes in files that are by default 644, and the changes were made with guidance from the forum. All other changes are simply the use of approved add-ons and user.css to change the look.

As for PHP, I have been using 2.2a with PHP 5.2 for over 15 years with only one compromise that I can remember, which was totally down to me forgetting to return the config file back to write-protected after an edit.

17 minutes ago, justcatering said:

Thanks Burt, that's good to know. Just wanted to check I hadn't missed a patch or something.

As for the hosting company, I can say with hindsight that they actually have been very helpful considering this happened during the Xmas holidays and new year. I was initially very critical but that was due to my frustration. They did everything I asked and more and got the sites back up and clean within hours of me actually complaining.

As per your advice I am getting a new account with PHP 5.7 and will move the new sites over to this shortly.

Sorry, as to the databases, they are new clean ones made on install. I then export the raw data as CSV, strip out everything not needed from the old database and then import only what I need into the new database. I don't think any compromise in the old database can survive this, as I physically strip out everything but raw data. I did scan the database with ClamAV and it was declared clean. However, I will check again.

3 hours ago, justcatering said:

Ok, interesting. I will check again, but I never edit directory settings. They are left at 755 as recommended.

I wasn't talking about the permissions. You need to look in the includes directory and make sure there is an .htaccess file there and that it contains the following:

<Files *.php>
Order Deny,Allow
Deny from all
</Files>

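Jack's `<Files *.php>` block above uses the Apache 2.2 `Order`/`Deny` directives; on Apache 2.4 those only work if mod_access_compat is loaded, and without it the file either throws a 500 or, worse, is ignored if the host has set `AllowOverride None`. The helper below is an added example for this thread (not osCommerce code and not Jack's): it reports which form of the rule `includes/.htaccess` contains, rewrites it in a form that works on both Apache versions, and probes the live site so you are not trusting the file alone. It assumes the standard layout (ROOT/includes/application_top.php) and that the shop's base URL is known.

```shell
#!/bin/sh
# Verify and repair the includes/.htaccess that blocks direct web requests
# to osCommerce's include files. Added example, not osCommerce's own code.
# ROOT is the shop's document root (assumed layout: ROOT/includes/).

# Report which deny syntax the file carries:
#   MISSING  - no includes/.htaccess at all
#   NO_RULE  - the file exists but has neither form of the deny rule
#   APACHE22 - only "Deny from all" (needs mod_access_compat on Apache 2.4)
#   APACHE24 - only "Require all denied" (unknown to Apache 2.2)
#   BOTH     - both forms present, each guarded for its own Apache version
check_includes_htaccess() {
    f="$1/includes/.htaccess"
    [ -f "$f" ] || { echo MISSING; return 1; }
    has22=0
    has24=0
    grep -qi 'Deny[[:space:]]*from[[:space:]]*all' "$f" && has22=1
    grep -qi 'Require[[:space:]]*all[[:space:]]*denied' "$f" && has24=1
    case "$has22$has24" in
        11) echo BOTH ;;
        10) echo APACHE22 ;;
        01) echo APACHE24 ;;
        *)  echo NO_RULE; return 1 ;;
    esac
}

# Write a rule set that is correct on both 2.2 and 2.4: mod_authz_core only
# exists in 2.4, so the <IfModule> guards select the right syntax at runtime.
write_includes_htaccess() {
    mkdir -p "$1/includes"
    cat > "$1/includes/.htaccess" <<'EOF'
<Files *.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
  </IfModule>
</Files>
EOF
}

# Live check from the outside: with the rule in force, a direct request for
# an include file must come back 403. A 200 means .htaccess is being ignored
# (typically AllowOverride None), whatever the file on disk says.
# BASE_URL is the shop's base URL, e.g. https://shop.example (assumption).
probe_includes() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "${1%/}/includes/application_top.php")
    echo "$code"
    [ "$code" = "403" ]
}

# Usage: sh includes_check.sh /home/account/public_html https://shop.example
if [ -n "$1" ]; then
    echo "includes/.htaccess: $(check_includes_htaccess "$1")"
    [ -n "$2" ] && echo "live probe: HTTP $(probe_includes "$2")"
fi
```

A result of `APACHE22` plus a `200` from the probe is the combination Jack's tester is warning about: the file looks right but the server is not enforcing it. Running the probe after every host move is worth the ten seconds, since `AllowOverride` is a server setting you cannot see from inside the account.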
35 minutes ago, Jack_mcs said:

I wasn't talking about the permissions. You need to look in the includes directory and make sure there is an .htaccess file there and that it contains the following:


<Files *.php>
Order Deny,Allow
Deny from all
</Files>

Have checked and the file is present.

9 hours ago, justcatering said:

Have checked and the file is present.

Sounds like you're running Apache 2.2?

When something like this happens you really need to ID the hacker's access path. Using a firewall and only having the necessary ports open to access by IP could help you in narrowing down which log files to check for suspicious activities...


There is at least one known (and major) security hole in PHP 5.2 itself. It doesn't matter what you are running on it, the hackers will keep getting in. You need to upgrade to PHP 5.6, and get started on migrating to 7.x.

Regards

Jim


See my profile for a list of my addons and ways to get support.


Got to the bottom of this; in the end it was a server hack, not the website (although they will never admit to it). Even after my public folders had been scanned and cleaned and declared safe, when I did a cPanel backup and sent it to my new hosting company the first thing they did was reject the backup, as they scan everything coming onto the servers. The trojan was sitting in the root directory of the old site! The new host has automatic virus scans every day, has SSH and a number of other security features as standard, so hopefully things will improve.

So I just need to migrate my sites one by one onto Edge and move them to the new host. Thanks for all the help and feedback.

22 minutes ago, justcatering said:

Got to the bottom of this; in the end it was a server hack, not the website (although they will never admit to it). Even after my public folders had been scanned and cleaned and declared safe, when I did a cPanel backup and sent it to my new hosting company the first thing they did was reject the backup, as they scan everything coming onto the servers. The trojan was sitting in the root directory of the old site! The new host has automatic virus scans every day, has SSH and a number of other security features as standard, so hopefully things will improve.

So I just need to migrate my sites one by one onto Edge and move them to the new host. Thanks for all the help and feedback.

If it helps anyone else, this is what the problem was:

1.3.2018_14-24-33_*******.tar.gz - ['/home/******/********/Old host cpanel backups/backup-1.3.2018_14-24-33_*******.tar.gz'] - ClamAV detected virus = [Php.Trojan.Mailer-50]
