
osCommerce

The e-commerce.

Binding to local port problem


tsherer


Posted

I'm wondering if someone might be able to help me fix this problem that my hosting company says I need to address. Here's the message:

 

------

 

Dear Customer

 

It has come to our attention that you have a script/application in your webspace that is attempting to bind a port to the local server's IP address.

 

To bind a port in such a fashion, this would require you to have a Dedicated Server. Currently you are signed up for one of our Shared hosting packages which do not allow port binding.

 

The script that you are using is located at the path specified below:

 

/hep/catalog/images/os/commerce/sshd listening on *:62035:

 

 

The script was executed with the following command:

 

Commandline: ./sshd

 

There are steps that you can take to correct this in most cases. We recommend that you take a close look at your script to determine if you are trying to make an FTP connection. When attempting to make an Active (PORT) connection, this requires the local server to listen on a port. Changing the script to make a Passive (PASV) connection will cause the remote server to listen on a specified port, thus eliminating the script's attempt to bind to a local port.

 

Example of a short PHP script that uses passive ftp:

 

<?php
// placeholder connection details (replace with your own)
$ftp_server = 'ftp.example.com';
$ftp_user_name = 'username';
$ftp_user_pass = 'password';

$file = 'somefile.txt';
$remote_file = 'readme.txt';

// set up basic connection
$conn_id = ftp_connect($ftp_server);

// login with username and password
$login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass);

// turn passive mode on
ftp_pasv($conn_id, true);

// upload a file
if (ftp_put($conn_id, $remote_file, $file, FTP_ASCII)) {
    echo "successfully uploaded $file\n";
} else {
    echo "There was a problem while uploading $file\n";
}

// close the connection
ftp_close($conn_id);
?>

 

You can see in the script the connection type is specified with the line:

 

ftp_pasv($conn_id, true);

 

This is the most important line in the script which turns passive mode on which will prevent the script from binding a local port.

 

If you did not write the script/application, we recommend that you contact the developer for further help in resolving this issue. Reminder, we do not provide any type of script debugging and will not analyze your script to determine what is causing the attempt to bind a port.

 

We thank you for your cooperation in this matter. Please remember, further infractions may result in the locking of your webspace and/or scripts.

 

----

 

any ideas on how to fix this so they are happy? thanks!!!!

 

travis

Posted

Do you have a developer? Where did you download osCommerce from? What version of osCommerce do you have? Have a link?

Posted

Hi Mibble, thanks for responding. I don't have a developer - it's me. I'm a web designer with very basic experience with PHP, etc. The link to the store is

http://www.healthequityproject.org/catalog/

 

any help you can provide to help me with this issue would be great..

 

travis

 

 

 


Posted

If I were you I'd FTP to your website, and take a look to see if the images/oscommerce/ folder exists, and if there's anything in there that shouldn't be there.

 

Vger

Posted

 

 

I read through the e-mail you have gotten from your ISP and when I read through the lines:

 

"

/hep/catalog/images/os/commerce/sshd listening on *:62035:

 

 

The script was executed with the following command:

 

Commandline: ./sshd

"

 

I began to suspect that your site has been hacked. An SSH (Secure remote connection protocol, in case you don't already know what it is) server listening on port 62035 (it normally/in most cases uses port 22) is definitely not a part of the osCommerce distribution.

 

As Vger suggested, you should FTP to your server and delete everything in images/os/ category; I believe that there's nothing other than the SSH daemon program there. In case you also have image files there that are part of your shop, don't delete them.

 

 

 

Cheers,

 

Kalle!

Posted

this is pretty much what might be open port wise:

*nat

:PREROUTING ACCEPT [127173:7033011]

:POSTROUTING ACCEPT [31583:2332178]

:OUTPUT ACCEPT [32021:2375633]

COMMIT

 

*mangle

:PREROUTING ACCEPT [444:43563]

:INPUT ACCEPT [444:43563]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [402:144198]

:POSTROUTING ACCEPT [402:144198]

-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP

-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

COMMIT

 

*filter

:INPUT DROP [1:242]

:FORWARD DROP [0:0]

:OUTPUT DROP [0:0]

:icmp_packets - [0:0]

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 43 -j ACCEPT

-A INPUT -p udp -m udp --dport 53 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT

-A INPUT -p udp -m udp --dport 123 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 783 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 2082 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 2086 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 2095 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 12000 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 15000 -j ACCEPT

-A INPUT -s 127.0.0.1 -j ACCEPT

-A INPUT -p icmp -j icmp_packets

-A INPUT -j LOG --log-prefix "IPTABLES-IN Default Drop: " --log-level 7

 

 

-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT

-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT

-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 783 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 12000 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 15000 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 2210 -j ACCEPT

-A OUTPUT -d 127.0.0.1 -j ACCEPT

-A OUTPUT -p icmp -j icmp_packets

-A OUTPUT -j LOG --log-prefix "IPTABLES-OUT Default Drop: " --log-level 7

 

 

-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT

-A icmp_packets -s 127.0.0.1 -p icmp -m icmp --icmp-type 8 -j ACCEPT

-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP

-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT

-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT

 

this is one of my settings for osCommerce, WHM/CPanel

Posted

Well, I took the advice to FTP to my catalog/images/ folder and sure enough there was a strange file called "up.php". I went to take a look at it and before I could open it my anti-virus software went crazy, so I deleted it before opening it. Now the question becomes: how did I get hacked like that? I have my admin area password-protected, and have followed the other security precautions. Is there anything else I can do? Should I be worried about my customer info being compromised since the file has been there? Yikes!!!

 

thanks much

 

travis
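
An added example, not part of the original posts: a shell function that automates the manual check suggested in this thread, for use on a local copy of catalog/images downloaded over FTP or on the server where shell access exists. It flags server-side scripts such as the up.php found above, ELF binaries such as the reported sshd, PHP code hidden inside image files, and files with an execute bit; the function names, the extension list and the reason labels are assumptions of this example.

```sh
#!/bin/sh
# Added example: flag files under an images directory that are not plain images.

# is_elf FILE: true when FILE starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ "$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# scan_images DIR: print "REASON<TAB>PATH" for every suspicious file in DIR.
scan_images() {
    find "$1" -type f | sort | while IFS= read -r f; do
        # Compare extensions case-insensitively (up.PHP is still a script).
        case "$(printf '%s' "$f" | tr 'A-Z' 'a-z')" in
            *.php|*.php[0-9]|*.phtml|*.pl|*.cgi|*.py|*.sh)
                printf 'script\t%s\n' "$f"
                continue ;;
        esac
        if is_elf "$f"; then
            # Native binary, like the "sshd" the host reported.
            printf 'elf-binary\t%s\n' "$f"
        elif grep -q '<?php' "$f" 2>/dev/null; then
            # PHP code carried inside a file with an image extension.
            printf 'embedded-php\t%s\n' "$f"
        elif [ -x "$f" ]; then
            printf 'executable-bit\t%s\n' "$f"
        fi
    done
}

# Usage: sh scan_images.sh /path/to/catalog/images
if [ "$#" -gt 0 ]; then
    scan_images "$1"
fi
```

Anything it reports is worth preserving as evidence (copy it off the server with its timestamps) before it is deleted, since the modification time helps locate the matching requests in the web server access log.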

Posted

It could easily have been that the server got hacked and not just your site. Check under Tools --> Server Info in your osCommerce admin panel to see what version of PHP is being run. If it is less than 4.3.10 (patched) then the server is wide open to attack.

 

Also in your osC admin panel, set Use Cache to 'false'. Some servers have a common 'tmp' folder where your files could get mixed with files from other sites on the same server. In your configure.php files make the last line read 'mysql' where indicated, thus storing sessions in the database and not in files.

 

Another degree of separation from other sites on a shared server would be to have a dedicated IP address for your website, instead of using the shared IP address.

 

Finally, if you have a Content Management System like phpNuke or Post Nuke, or a forum like phpBB on the same domain I'd consider moving them elsewhere. They are a favourite target for hackers and are regularly being exploited.

 

Vger

Archived

This topic is now archived and is closed to further replies.
