ddp Posted June 29, 2006

Hi there

When I turned on my computer this morning, this lovely graphic and information was displayed on my homepage:

FoReWeR | Partizan | CanberX | SKELET | Phara0h | [email protected]

All that was done in the hack was this page (index.html) was inserted; the database and the rest of my files all seem to be intact. I contacted my server and he had this to say about it:

> "There is some sort of vulnerability in either php, mysql or oscommerce - or maybe all three that allows this and some of the hackers have found it. If you search google for this one, you will see there are other sites that he has done it to. We spent a lot of time on the problem when this was happening before but could never find how they are getting in."

Any advice or thoughts from anyone would be appreciated.

Backup before making changes. Backup before making changes! Backup before making changes!! You did do a backup? eh?
Guest Posted June 29, 2006

I don't think that access is a mysql, php or osC vulnerability as much as your server's file system. Don't browsers pick .html over .php for index? Anyone who can ftp into your folders can just drop a file in. I suppose they could have used the file manager in your osC store's admin panel if you left the admin side open or he figured out your password. I'm assuming you have it set with htaccess at least? There's also a Contrib to make another level of security. It's also suggested that you move and/or rename your admin folder to make it even a little harder to find.
ddp (Author) Posted June 29, 2006

> I don't think that access is a mysql, php or osC vulnerability as much as your server's file system. Don't browsers pick .html over .php for index? Anyone who can ftp into your folders can just drop a file in. I suppose they could have used the file manager in your osC store's admin panel if you left the admin side open or he figured out your password. I'm assuming you have it set with htaccess at least? There's also a Contrib to make another level of security. It's also suggested that you move and/or rename your admin folder to make it even a little harder to find.

Thanks for your reply. Yeah, my admin folder had already been renamed and is password protected. Don't think they got in there. Nothing was done to my osC site. That's what makes me wonder why not? If the hacker can drop files in, does that not mean that they can change the ones that are there? Is it possible that they can drop files into my root only and not see what is in there? Can you elaborate on how you think they might have got in via the server's file system?
Guest Posted June 29, 2006

I'm not a hacker, but I know there are bots and programs that can do a lot with the web. Some will do repeated attempts at logins with passwords until they get it right. Then there's something called something like cross server scripting that can jump from one account to another. Good hosts and good software will block this. osC has security updates and code built to stop this, but hackers are always looking for a way in. Is your login to your hosting account a logical name? Make it irrelevant to your site or personal name. Have you ever had some third party work done on your site? How tight is direct ftp to your files? Again, I'm no expert, but all of these are avenues of attack.
Guest Posted June 29, 2006

> I'm not a hacker but I know there are bots and programs that can do a lot with the web. Some will do repeated attempts at logins with passwords until they get it right. Then there's something called something like cross server scripting that can jump from one account to another. Good hosts and good software will block this. osC has security updates and code built to stop this but hackers are always looking for a way in. Is your login to your hosting account a logical name? make it irrelevant to your site or personal name. have you ever had some third party work done on your site? How tight is direct ftp to your files? Again, I'm no expert but all of these are avenues of attack.

I was hacked some time ago and I simply changed my permissions to 755 and I haven't had a problem since. This should help prevent them from being able to write to your files.
Terra Posted June 29, 2006

> "There is some sort of vulnerability in either php, mysql or oscommerce - or maybe all three that allows this and some of the hackers have found it. If you search google for this one, you will see there are other sites that he has done it to. We spent a lot of time on the problem when this was happening before but could never find how they are getting in."

This sounds crazy - I'm not a server technician but I work with these guys on our servers and there's no way they would just accept a vulnerability. Events on a server are usually logged - you've got your error and access log for your site and then the server admin will have higher level logs. Did they at least check them? The PHP & MySQL are the responsibility of your hosting company - if they cannot provide a secure environment, then they are muppets and should not be selling hosting.

As for osCommerce, it *should* be secure given the following:
-> password-protected admin area (something hard to guess, lots of letters & numbers)
-> the latest security patches applied
-> correct file permission settings

I hope you'll get to the bottom of this!

all the best,
Terra

My code for combining PayPal IPN with ** QTPro 4.25 ** osC Affiliate ** CCGV(trad) and how to solve the invoice already paid error General info: Allow customer to delete order comment ** FTP Programs & Text Editors ** Amending order email **
ddp (Author) Posted June 30, 2006

Thanks Terra, javajake and brushwood for your advice. I have found out that this hack had hit hundreds of sites today. Seems likely that it was some type of automated attack. The simplest suggestion might have been the one to save me. I poked around and found a folder that had permissions set to 777. Might mean it would be possible to gain access that way. Anyone know if this would have been possible?
Guest Posted June 30, 2006

Correct me if I'm wrong, but doesn't the /images folder need to be 777 to upload images from the admin panel or generate thumbnails (if you use otf thumbnailer)? What folder did they get into that was 777?
Jack_mcs Posted June 30, 2006

No, folders should be 755. The problem is that some hosts don't set up the servers correctly and you need to set the permissions to 777 in order to get some of the contributions to work. You should always try 755 first, unless you know your host requires otherwise.

Jack

Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. All of My Addons Get the latest versions of my addons Recommended SEO Addons
Guest Posted June 30, 2006

What about includes/config.php? I've seen a few posts on here stating it should be 400, but when I put it to 400 I get a cannot be found error. Right now it's 644.
Guest Posted June 30, 2006

I just tried /images to 755 and I get:

Error: Catalog images directory is not writeable: /home/**/public_html/images/

(in admin)
Guest Posted June 30, 2006

> I just tried /images to 755 and I get: Error: Catalog images directory is not writeable: /home/**/public_html/images/ (in admin)

The images folder should only be 777 when uploading images; at ALL other times it should be 755. It doesn't matter that you get the error in the admin.
Guest Posted June 30, 2006

What does one do if the owner of the shop is not tech-savvy enough to work an ftp / control panel? That would be something I'd need to set for them, but I am not at my computer 24/7. Wouldn't this put a cramp in them uploading new products?
scootd Posted June 30, 2006

I just Googled "[email protected]" and got 4 urls, are these hacked sites or hacker owned?

Results 1 - 4 of 4 for [email protected]. (0.06 seconds)
Hacked by Forewer Forewer & Partizan |. SociaLism UntiL Victory..! [email protected]. skgd.ppdkb.net/topsites/index.php
Hacked by Forewer [email protected]. FoReWeR | Partizan. www.kartel.org.ru/
Hacked by Forewer & Partizan SociaLism.UntiL Victory. [email protected] ... www.peacefulmemories-ls.com/
Hacked by Forewer & Partizan SociaLism.UntiL Victory. [email protected]. www.reversedirectory.net/links/

scot
Jack_mcs Posted June 30, 2006

> what about includes/config.php? i've seen a few posts on here stating it should be 400, but when i put it to 400 i get a cannot be found error. right now it's 644

The lower you can go on the configure file, the better, but, just like the 755/777 settings, it depends on how your host has the server set up. Some sites simply won't work unless the images directory is set to 777. You could ask your host to change the settings to prevent that.

Jack
ddp (Author) Posted June 30, 2006

> correct me if i'm wrong, but doesn't the /images folder need to be 777 to upload images from the admin panel or generate thumbnails (if you use otf thumbnailer)? what folder did they get into that was 777?

It was not the images folder. It was a folder from a different contribution. It has now been set to 755. Same situation for the images folder: change to 777 when uploading new products, then change back. I am still wondering if it would be possible that the hack described in the beginning of this thread could have been through a folder set to 777? The folder was one level from the root. Just trying to stop this happening again.
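The permission questions running through this thread (folders left at 777, the images directory toggled between 777 and 755, a stray index.html dropped into the document root) are straightforward to audit from a shell. The script below is an added example written for this page; it is not code from the thread, from osCommerce or from any poster. It assumes a web root passed as an argument (the `/path/to/public_html` default is a placeholder, not a path from the thread) and reports every world-writable file or directory, lists the `index.*` files in the document root so an unexpected one stands out next to `index.php`, and can tighten world-writable entries back to 755/644 while skipping paths you name (for instance the images directory during an upload).

```shell
#!/bin/sh
# Added example for this thread (not osCommerce code): audit a web root for the
# permission problems discussed above. All paths below are placeholders or
# constructed by the caller.

# List every world-writable file or directory under $1, one "<octal mode> <path>"
# per line. -perm -0002 matches any entry with the other-write bit set, so
# 777, 757 and 666 are all reported, not only the exact mode 777.
find_world_writable() {
    root="$1"
    find "$root" -perm -0002 ! -type l -print 2>/dev/null | while IFS= read -r p; do
        # GNU stat first, BSD/macOS stat as the fallback
        printf '%s %s\n' "$(stat -c '%a' "$p" 2>/dev/null || stat -f '%Lp' "$p")" "$p"
    done | sort -k2
}

# Number of world-writable entries under $1; 0 is the expected steady state.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# The defacement in this thread was an index.html placed beside index.php.
# List every index.* directly in the document root so a stray one is visible.
find_stray_index_files() {
    find "$1" -maxdepth 1 -type f -name 'index.*' -print 2>/dev/null | sort
}

# Tighten world-writable directories to 755 and files to 644.
# Usage: tighten_permissions ROOT [PATH_TO_SKIP ...]
# Paths listed after ROOT are left alone (e.g. the images directory while an
# upload is in progress), matching the toggle-and-revert practice described above.
tighten_permissions() {
    root="$1"; shift
    find "$root" -perm -0002 ! -type l -print 2>/dev/null | while IFS= read -r p; do
        skip=0
        for a in "$@"; do
            [ "$p" = "$a" ] && skip=1
        done
        [ "$skip" -eq 1 ] && continue
        if [ -d "$p" ]; then chmod 755 "$p"; else chmod 644 "$p"; fi
        printf 'tightened %s\n' "$p"
    done
}

# Report-only run when a web root is given on the command line:
#   sh audit_perms.sh /path/to/public_html      (placeholder path)
if [ -n "${1:-}" ]; then
    WEBROOT="$1"
    echo "World-writable entries under $WEBROOT:"
    find_world_writable "$WEBROOT"
    echo "index.* files in $WEBROOT:"
    find_stray_index_files "$WEBROOT"
fi
```

Run it read-only first and compare the output with what the shop actually needs writable; then call `tighten_permissions` with the directories that must stay open listed after the root. Scheduling `count_world_writable` from cron and alerting when it is non-zero catches a directory that was opened for an upload and never closed again.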
olliel Posted June 30, 2006

> The lower you can go on the configure file, the better but, just like the 755/777 settings, it depends on how your host has the server setup. Some sites simply won't work unless the images directory is set to 777. You could ask your host to change the settings to prevent that. Jack

I don't know if this helps, but I just stumbled across forewer too, http://blogs.cjb.net/senisewiyorum/. On here he appears to be Turkish <_<
ddp (Author) Posted June 30, 2006

> I just Googled "[email protected]" and got 4 urls, are these hacked sites or hacker owned? scot

Those are hacked sites. You can see what forewer has been up to here: http://213.219.122.11/en/defacements/filte...FoReWeR/page=1/