Guest, posted April 21, 2006

I just installed OS Commerce to a sub domain on my hosting server and ran it for the last couple of days with no problem. Today my virus scanner went nuts when I opened the site. I did a little research and found it is a Trojan. I contacted my web host and they confirmed it was only in my sub domain and no other accounts on the server were compromised. I would like to know how a malicious script was placed in my OS Commerce section of my site?

The script was placed in /includes/languages/english/index.php within iframe tags at the bottom of the index.php file. I still have it but don't think I should post it.

You can also see if you are infected by watching the status bar while loading the index page. You will see it try and connect to multiple other sites such as skaska.biz. If you view page info from your browser window you can see the links section which will read hotlog.ru. There might be other sites in there such as extreme_1.biz.

I hope to help some people out by reporting this but would also like to know how this happened and how it can be prevented in the future.
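A defender-side check for the symptom described above (an iframe appended to a PHP file, pointing at hosts the shop never references), added here as an example and not code from osCommerce or from anyone in this thread. It walks an install directory, reports every iframe whose src host is not on an allow-list, and builds a constructed sample tree for demonstration; the host "iframe-host.example" in that sample is a placeholder, not one of the domains named in the thread.

```python
"""Scan an osCommerce tree for <iframe> tags that point off-site.
Added example for this thread, not osCommerce code. Sample files are constructed."""
import os
import re
import tempfile
from urllib.parse import urlparse

# An <iframe ...> tag with a src attribute; the src value is captured.
IFRAME_SRC = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def host_of(src):
    """Host named by an iframe src; '' when the src is a relative path."""
    if src.startswith("//"):
        src = "http:" + src
    if "://" not in src:
        return ""
    return (urlparse(src).hostname or "").lower()


def find_foreign_iframes(root, allowed_hosts, exts=(".php", ".html", ".htm")):
    """Return (relative_path, line_no, host) for every iframe whose host is not
    allowed. Put '' in allowed_hosts if relative (same-site) iframes are expected."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    for src in IFRAME_SRC.findall(line):
                        host = host_of(src)
                        if host not in allowed_hosts:
                            hits.append((os.path.relpath(path, root), line_no, host))
    return hits


def build_sample_tree():
    """Constructed sample: a clean language file next to one with a trailing
    injected iframe, in the directory the thread reports (includes/languages/english)."""
    root = tempfile.mkdtemp(prefix="osc_scan_")
    lang = os.path.join(root, "includes", "languages", "english")
    os.makedirs(lang)
    clean = "<?php\ndefine('HEADING_TITLE', 'What\\'s New Here?');\n?>\n"
    injected = clean + '<iframe src="http://iframe-host.example/x.php" width=1 height=1></iframe>\n'
    with open(os.path.join(lang, "index.php"), "w", encoding="utf-8") as fh:
        fh.write(injected)          # the file named in the thread, with the extra tag
    with open(os.path.join(lang, "account.php"), "w", encoding="utf-8") as fh:
        fh.write(clean)             # untouched file, must not be reported
    return root


if __name__ == "__main__":
    for rel, line_no, host in find_foreign_iframes(build_sample_tree(), {"shop.example.com"}):
        print(f"{rel}:{line_no}: iframe to {host or '(relative)'}")
```

Run it against the real document root instead of the sample tree and add the shop's own hostname(s) to the allow-list; anything it reports should be compared against a clean copy of the same file.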
mtechama, posted April 21, 2006

To prevent it you need to get with your hosting and see if they have virus protection for web hosting.

Wade Morris
Amarillo, Texas
Before you do any changes on your site you need to do BACKUP! BACKUP!
Guest, posted April 21, 2006

> To prevent it you need to get with your hosting and see if they have virus protection for web hosting.

They do run it, but it would appear that the infected file comes through an exploit from cPanel backup, and I think it places a 1k file os_commerce.tgz in the root dir of the OS Commerce install. I scanned the file and the virus program came up with nothing. Once this file is activated then it tries to connect to hit5hotlog.ru, step57.info and 1-extreme.biz. If you block the cookies and go in and delete os_commerce.tgz (1K file) then the script can't write the iframe tags to the bottom of your index page. I strongly urge everyone to check their root dir where OS Commerce is installed.
daz_75, posted April 21, 2006

> They do run it, but it would appear that the infected file comes through an exploit from cPanel backup, and I think it places a 1k file os_commerce.tgz in the root dir of the OS Commerce install. I scanned the file and the virus program came up with nothing. Once this file is activated then it tries to connect to hit5hotlog.ru, step57.info and 1-extreme.biz. If you block the cookies and go in and delete os_commerce.tgz (1K file) then the script can't write the iframe tags to the bottom of your index page. I strongly urge everyone to check their root dir where OS Commerce is installed.

I have the .tgz file in my root directory but can't see any dodgy websites or iframe tags listed anywhere in my files. What should I do? I thought that tgz file was something for osCommerce.
Guest, posted April 21, 2006

> I have the .tgz file in my root directory but can't see any dodgy websites or iframe tags listed anywhere in my files. What should I do? I thought that tgz file was something for osCommerce.

Is the file 1k in size?
Iggy, posted April 28, 2006

> So should I be doing anything here or not?

There are no 1k .tgz files in an osC install. Delete. Expunge. Exterminate.

HTH,
Iggy
Everything's funny but nothing's a joke...
PD_Steve, posted September 2, 2006

The .tgz file is being added as part of the Fantastico installation. The actual contents are completely empty, therefore it is not being used. However, it's possible that this is a file that Fantastico is using to monitor your osCommerce installation and is how it tells you to update, etc. Fantastico installations include a 45 byte OS_Commerce.tgz file as part of their standard installation. However, it would be good if someone could confirm this is the case (i.e. does everyone who uses Fantastico get this file created).

My Toolbox: Crimson Editor, Adobe Photoshop CS2.0, Expression Web, Macromedia Suite 8.0, Cinema 4D, Nvu.
knifeman, posted September 3, 2006

> The .tgz file is being added as part of the Fantastico installation. The actual contents are completely empty, therefore it is not being used. However, it's possible that this is a file that Fantastico is using to monitor your osCommerce installation and is how it tells you to update, etc. Fantastico installations include a 45 byte OS_Commerce.tgz file as part of their standard installation. However, it would be good if someone could confirm this is the case (i.e. does everyone who uses Fantastico get this file created).

I have 3 sites with osCommerce, all installed with Fantastico. I read this thread some time ago and found one site had the file. I looked in my backup files and it was not in them, so I deleted it.

Tim
PD_Steve, posted September 4, 2006

I have checked now directly with Netenberg, the makers of Fantastico, regarding the os_commerce.tgz file which is included in their installations. This is their reply:

-----------------------------------------------
Hi Steve,

Steve wrote: Is this file meant to be included in the osCommerce installations and if it is, what is its purpose?

The file "OS_Commerce.tgz" has no function whatsoever. We will remove it in the upcoming release.

Steve wrote: On the osCommerce forums this has been identified as a potential security risk because it appears this is a backdoor for trojan installations which then modifies the osCommerce code in several places inserting an iframe wrapper window.

Can you please direct me to the correct thread in the osCommerce forums where they suggest that this file is the source of a potential risk? I would like to confirm that this file is harmless and does not pose any risk whatsoever. It has a permission of 644 and no one but the user can overwrite it with any harmful code.
-----------------------------------------------

So, just to let everyone know that the os_commerce.tgz file in your root directory is not any kind of potential threat, but it also has no particular purpose. This is not the way that the iframe hack is being initiated.

Cheers
Steve

My Toolbox: Crimson Editor, Adobe Photoshop CS2.0, Expression Web, Macromedia Suite 8.0, Cinema 4D, Nvu.
knifeman, posted September 4, 2006

> The file "OS_Commerce.tgz" has no function whatsoever. We will remove it in the upcoming release.

It is good to get the scoop from the software company. I still can't help but wonder why have a file that has "no function whatsoever".

Tim