osCommerce


Urgent!! HACKER has changed all index files on server


mac ra


Hi guys

I use a shared server from oneandone and this morning I found out some idiot hacker has somehow changed all my index pages on all the domains....around 50 websites in total.

I'm assuming it's been done through one of my osCommerce shops, of which I've got around 5 or 6. The other websites are all 'normal' brochure sites....no forums etc.

It's strange because I have no 777 folders and admin areas are all htaccess. I have phoned 1&1 and they are no help whatsoever.

What worries me is how they managed to change all of my index files on the server and not just the one site.

Does anyone have any ideas?

cheers

mac


There is a known linux core bug that will allow this to happen. So if you are on a Linux server and they have not updated it, that could be the problem. Or it could be something simple like the hacker obtained a login.

 

Jack

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons


Hi Jack

It's unlikely that the hacker got my login details for the server, so I'm guessing it's something to do with one and one, seeing how every site was hacked.

Could you give me any more information on the matter so I know what to kick off at 1&1 about :thumbsup:

Another thing which is weird is that on one of the shops, the contact.php page was also replaced?

cheers

mac



A new vulnerability was reported in osCommerce, which can be exploited by attackers to conduct Cross Site Scripting attacks. The problem resides in the "contact_us.php" file when handling the "enquiry" parameter, which may be exploited to cause arbitrary scripting code to be executed by the user's browser.

http://www.frsirt.com/english/advisories/2005/0171


 

Release Date : 2005-02-16

 

Does that qualify as new?

 

Iggy

 

Edit: I get it. You just copied their text.

Everything's funny but nothing's a joke...


I don't recall the reference number. It has been about a year. I would think all hosts have it by now but maybe not. In any event, they have easy access to it so there shouldn't be a problem for them to find it. You may want to search the forums for 1&1. Seems that there are a number of problems with them as a host for oscommerce, based on what others have posted.

 

Jack


This happened to me and I was furious. I know it sucks but the only way you can stop it is to change your root passwords, limit access to user "nobody", make sure all right files are off "777" and add a firewall. These kids that do this are a&&holes and have nothing better to do.

You can also go to our site and read up on website security scans and systems that will help you by clicking here. There is a lot of helpful information here that can help you with your hacking and tools that might work to help scan and protect from future attempts on your network.

Also make sure to backup backup backup!

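The "no 777" advice in the post above, as an added example that is not from any poster in this thread: a small POSIX shell script that lists everything under a web root that is writable by "other", which is the condition both mac (who says he has no 777 folders) and this reply are talking about. The web root is a hypothetical argument, and the directory tree in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find files and directories under a web
# root that are writable by "other" (the 777 / o+w condition the post above
# says to remove). The web root is passed as "$1" (hypothetical path).

# Print every world-writable path under "$1", one per line. Symlinks are
# skipped so a link pointing into /tmp does not show up as a false hit.
find_world_writable() {
    find "$1" ! -type l -perm -002 -print 2>/dev/null | sort
}

# Number of world-writable entries under "$1" (useful as a deploy-time gate:
# anything other than 0 should be looked at).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Demo on a constructed tree: one 777 images directory (the classic "my
# images didn't upload" fix) and one 666 configure.php. Prints the count.
demo_world_writable() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/catalog/images" "$tmp/catalog/includes"
    chmod 755 "$tmp/catalog" "$tmp/catalog/includes"
    chmod 777 "$tmp/catalog/images"
    : > "$tmp/catalog/index.php"
    chmod 644 "$tmp/catalog/index.php"
    : > "$tmp/catalog/includes/configure.php"
    chmod 666 "$tmp/catalog/includes/configure.php"
    n=$(count_world_writable "$tmp")
    rm -rf "$tmp"
    echo "$n"
}

demo_world_writable    # prints 2
```

On a shared host, run it as the account owner against the account's document root; a 666 configure.php is as much of a finding as a 777 directory, because the database credentials live in that file.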

  • 1 month later...

Given the amount of queries we are getting from osCommerce users, this is happening to a lot of people right now, so I think the community needs to address it as a serious osCommerce issue whether it is osCommerce related or not, given the perception will be that it is osCommerce related.

I am curious to know how the contact_us vulnerability would allow editing of an index.php file.

I also think it would be useful if the "known linux core bug" was better identified.


You need to update to the latest version. Download it and use the update-20060817.txt to make sure you have all the updates.

 

Next put a blank html file in each of your php folders. This stops snooping eyes from your php files.

 

 

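The "blank html file in each php folder" step above, as an added example that is not from the thread: a POSIX shell script that drops an empty index.html into every directory under a web root that has no index file of its own. The web root is a hypothetical argument and the demo tree is constructed. Note what it does and does not do: it stops a bare directory request from returning a listing of the .php files inside, but it does not block a direct request for a file whose name is already known.

```shell
#!/bin/sh
# Added example (not from the thread): put an empty index.html in every
# directory under a web root that has no index file of its own, so a request
# for the bare directory returns a blank page instead of a listing of the
# .php files inside. "$1" is the web root (hypothetical path).
# This only hides listings; it does not block a direct request for a known
# filename, and "Options -Indexes" in Apache does the same job server-wide.

has_index() {
    [ -e "$1/index.php" ] || [ -e "$1/index.html" ] || [ -e "$1/index.htm" ]
}

# Create index.html where no index file exists; existing files are untouched.
add_blank_index() {
    find "$1" -type d -print | while read -r dir; do
        has_index "$dir" || : > "$dir/index.html"
    done
}

# Number of directories under "$1" that still lack an index file.
count_unindexed_dirs() {
    find "$1" -type d -print | while read -r dir; do
        has_index "$dir" || echo "$dir"
    done | wc -l | tr -d ' '
}

# Demo on a constructed tree: prints the count before and after.
demo_blank_index() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/includes/modules" "$tmp/images"
    : > "$tmp/index.php"
    before=$(count_unindexed_dirs "$tmp")
    add_blank_index "$tmp"
    after=$(count_unindexed_dirs "$tmp")
    rm -rf "$tmp"
    echo "$before $after"
}

demo_blank_index    # prints "3 0"
```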

I am curious to know how the contact_us vulnerability would allow editing of an index.php file.

 

It wouldn't. If there was an injection or exploit attack that was effective against osC the installed base is big enough that someone would write a script to exploit it and we'd ALL see the results as users of php-nuke and Mambo have in the past.

 

Iggy


As I stated before in this thread, my feelings are simple. Hackers are about showing off and not getting in trouble. The benefit of hacking osc is minimum because no important information is stored, such as credit card numbers.

The risks are high because it is an ecommerce system: the banks, ISOs, merchant processors, and major credit card companies have recognized osc as a shopping system and hacking this could be construed as an attack on these larger companies to steal customers' credit card information even though it is not stored.

These big companies would come down on the hackers hard.

It would be ugly for them. This is why most hackers leave ecommerce systems alone.

Benefits to the hack are low.

Risks are high.

No one likes jail.

 

 

 



I think you're attributing a bit too much forethought to the wily script kiddie or bot responsible for this. I suspect that if there's a flaw (regardless of the target) it will be exploited as, in reality, it's a low risk endeavor. That's my premise.

 

Look at the recent cPanel hacks or ye olde ms sql slammer worm as an example.

 

Iggy


I've had the same problem recently: someone hacked my index.php (which I have restored) and my languages/english/english.php (which I think I've restored).

I changed my catalog folder to another name to prevent this from happening again and password protected it. But now I can't see my front page because catalog no longer exists. My front page of the website says I have a problem with line 33 of the following script, which I think is in this part:

 

}

require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_DEFAULT);
?>
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html <?php echo HTML_PARAMS; ?>>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo CHARSET; ?>">
<title><?php echo TITLE; ?></title>
<base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">
<link rel="stylesheet" type="text/css" href="stylesheet.css">
</head>
<body marginwidth="0" marginheight="0" topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0">
<!-- header //-->
<?php require(DIR_WS_INCLUDES . 'header.php'); ?>
<!-- header_eof //-->

 

can you guys see any problems with this?

Where should I put in the new name of my catalog folder?

 

All help very appreciated!

I've spent months on this and basically to have to start again now would be terrible!

Thank you, Kelly.



If you change the catalog folder you have to change it in the configure.php file inside catalog/include/configure.php, and the same goes for the admin folder.

FILENAME_DEFAULT is the index language file; if you're not sure it's restored you can just check it in the language folder.

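Dennis's point about configure.php, as an added example that is not from the thread: a POSIX shell check that reads the DIR_FS_CATALOG define out of configure.php and reports whether the directory it names still exists, which is exactly what goes stale when the catalog folder is renamed. DIR_FS_CATALOG, DIR_WS_HTTP_CATALOG and HTTP_SERVER are real constants from the osCommerce 2.2 configure.php; the configure.php written by the demo is constructed, and the paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): after renaming the catalog folder,
# check that the filesystem path configure.php still points at exists.
# DIR_FS_CATALOG and DIR_WS_HTTP_CATALOG are real osCommerce 2.2 configure.php
# constants; the configure.php written in the demo is constructed.

# Print the quoted value of define('CONSTANT', '...') from FILE.
# Usage: config_value FILE CONSTANT
config_value() {
    sed -n "s/^[[:space:]]*define('$2',[[:space:]]*'\([^']*\)');.*/\1/p" "$1" | head -n 1
}

# Print "ok" when DIR_FS_CATALOG in FILE names an existing directory,
# otherwise "stale: <path>" ("<missing>" when the define is absent).
check_catalog_path() {
    path=$(config_value "$1" DIR_FS_CATALOG)
    if [ -n "$path" ] && [ -d "$path" ]; then
        echo "ok"
    else
        echo "stale: ${path:-<missing>}"
    fi
}

# Demo: the folder was renamed catalog/ -> shop/ but configure.php was not
# updated; then both constants are rewritten and the check passes.
demo_check_catalog_path() {
    tmp=$(mktemp -d)
    mkdir "$tmp/shop"
    cat > "$tmp/configure.php" <<EOF
<?php
  define('HTTP_SERVER', 'http://www.example.com');
  define('DIR_WS_HTTP_CATALOG', '/catalog/');
  define('DIR_FS_CATALOG', '$tmp/catalog/');
?>
EOF
    before=$(check_catalog_path "$tmp/configure.php")
    sed -i.bak 's|/catalog/|/shop/|g' "$tmp/configure.php"
    after=$(check_catalog_path "$tmp/configure.php")
    rm -rf "$tmp"
    echo "${before%%:*} $after"
}

demo_check_catalog_path    # prints "stale ok"
```

The same check applies to the admin side's own configure.php, which carries its own copy of the catalog paths.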

Thanks Dennis,

I wasn't sure it's restored as I can't log into my host's control panel at the moment for some strange reason - so I'm relying on him to check and tell me.

But I can upload my own files via ftp so I shall change the configure.php and upload the new one and see if it helps - thank you!!!!

Kel.


I know of at least 10 osCommerce sites - all different versions, servers, operating systems, developers/programmers, owners (not ONE THING IN COMMON EXCEPT USING MS2.2 as a base) that have had ALL index files (index.php, index.html, index.phtml and even index.bak, in both the catalog and admin) updated to insert text.

Regardless of the intent of the hackers, and given the Linux (happened on Windows too) and contact_us.php (most patched) weaknesses are not relevant in these cases, there MUST be some flaw somewhere that is allowing this to happen.

Other people here need to have the courage to say "yes we were hacked too". Because it IS happening, it appears to be the SAME hack and the community has to deal with it regardless of whether this is specifically osCommerce or just a php flaw.

The question is how can someone edit these index files apparently automatically via a script?


There are many ways they can get in, like from a different account, and then there is little you can do. Perhaps a contribution like the site monitor can help because it will notify you. At the same time your host should have full information about the problem and rectify the situation. I am sure if this happens and the oscommerce code is at fault they will point this out as they did with the contact-us form.

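The "site monitor" idea above, as an added example that is not from the thread and not the site monitor contribution itself: a minimal file-integrity monitor in POSIX shell. It records a SHA-256 hash for every index.* and *.php file under a web root, then reports files whose hash changed or that appeared since the baseline, which is how a mass rewrite of index files (the symptom this whole thread is about) shows up within minutes instead of when a customer phones. Paths are hypothetical arguments and the tree in the demo is constructed; paths containing spaces are not supported by the lookup used here.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal file-integrity monitor of the
# kind the "site monitor" contribution is described as providing. It records
# a SHA-256 hash for every index.* and *.php file under a web root, then
# reports files whose hash changed or that appeared since the baseline.
# Paths are hypothetical arguments; the demo tree is constructed. Paths with
# spaces are not supported by the awk lookup below.

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

monitored_files() {
    find "$1" -type f \( -name 'index.*' -o -name '*.php' \) -print | sort
}

# Write "hash path" lines for the tree under "$1" into baseline file "$2".
# Keep the baseline outside the web root, ideally off the server entirely.
integrity_baseline() {
    monitored_files "$1" | while read -r f; do
        echo "$(hash_file "$f") $f"
    done > "$2"
}

# Compare the tree under "$1" with baseline "$2"; print "CHANGED <path>" or
# "NEW <path>" per affected file, nothing for untouched files.
integrity_check() {
    base=$2
    monitored_files "$1" | while read -r f; do
        now=$(hash_file "$f")
        old=$(awk -v p="$f" '$2 == p { print $1 }' "$base")
        if [ -z "$old" ]; then
            echo "NEW $f"
        elif [ "$old" != "$now" ]; then
            echo "CHANGED $f"
        fi
    done
}

# Demo: take a baseline, then reproduce the kind of change reported in the
# thread (index files rewritten in catalog and admin, one new file dropped).
demo_integrity() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/shop/admin"
    echo '<?php echo "store"; ?>' > "$tmp/shop/index.php"
    echo '<?php echo "admin"; ?>' > "$tmp/shop/admin/index.php"
    echo '<?php /* contact form */ ?>' > "$tmp/shop/contact_us.php"
    integrity_baseline "$tmp/shop" "$tmp/baseline.txt"
    echo '<html>defaced</html>' > "$tmp/shop/index.php"
    echo '<html>defaced</html>' > "$tmp/shop/admin/index.php"
    echo '<html>defaced</html>' > "$tmp/shop/admin/index.html"
    result=$(integrity_check "$tmp/shop" "$tmp/baseline.txt" | sed "s|$tmp/shop/||")
    rm -rf "$tmp"
    echo $result    # unquoted on purpose: joins the report lines with single spaces
}

demo_integrity
```

Run integrity_check from cron and mail yourself any non-empty output; refresh the baseline only after you have deployed a change yourself. The report also answers the question Iggy keeps asking later in the thread: once you know which files changed and when, the host's access logs for that window are where the vector is found.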


Because osC has to have Register Globals on in its stock install it can introduce vulnerabilities in other scripts if you're not careful (although osC seems to not have any flaws itself with RG = On).

So there are more than a few ways things can go bad.

A "loose" contribution may allow an exploit.

An additional program (phpBB, Joomla, Mambo, Nuke) may allow an exploit.

On the server side there are as many ways to set up a webserver as you have fingers and toes; more actually. Any misconfig that can be exploited probably will be (see Enigma's post above).

Anecdotally, I don't see osC get hacked much. Only once in fact, and it was traceable to a weak admin login and the use of the file manager. So I'm pretty pleased with osC's record over the course of the last few years and I try to follow these hacked posts just to be diligent, but they all (really, all of them) seem to be coming at osC from some vector other than a flaw in osC itself.

If you search them up here on the forums you'll find that not one of them can identify the vector used (well, there was one but that fellow was from a professional group and came with a proof of concept and it was dealt with in the next update).

I too would love to know the EXACT way this particular exploit was achieved but without the original users' input (logs, configs etc) we'll probably never know for sure.

 

Iggy


I think what is being ignored is the fact these are completely unrelated sites on different servers at different hosting companies. None had third party add-ons like forums. They are simply osCommerce sites with contributions added. I think the ONLY contribution they might have all had in common was the Ultimate SEO URLs but I would have to check that. I do know that one site that had it installed did not in fact have it turned on.

Apart from that, I was wrong about it also being Windows. Those people were on Windows and apparently moved to Linux hosting. So the other thing in common is LINUX. But again we are talking multiple servers, multiple hosting companies, common HACK. So if someone knows of the LINUX issue mentioned above it would be great if they identified it exactly here.

And it is probably the same HACK as angelkelly reported and probably the same HACK as a lot of people are suffering but not bothering to report.


Then AngelKelly and the rest of the folks who have been hacked are going to have to get a lot more pro-active about providing the data required and coordinating with their respective hosts to suss out exactly how it happened otherwise we're all just blindly speculating.

 

Iggy


Yes thanks. Really helpful.

 

I'd be more helpful if I could but without an idea how the hack was accomplished via logs there is NO WAY to know for sure.

 

You could setup a honeypot osC yourself on one of the affected hosts and see if you could gather that info.

 

For myself I haven't seen this whether by luck or design.

 

Iggy


It is like saying "tell us how you were hacked and we will tell you how you were hacked".

 

If someone knows of a LINUX vulnerability that could achieve this hack then please post it.


What version of osCommerce were these people using? Was it plain osc, perhaps some fork? And what version? Template installed with an outdated osc core? Keep in mind there are several exploits documented for the older osc core versions which someone can use, targeting stores with older code. And it's very easy to identify them, especially for someone who knows the osc framework.

At the same time, some forks have plenty of vulnerabilities because of the way the admin end is protected. Instead of relying on the server they rely on some php script (multiple admin accounts or something and no host password protected directory).

- Servers with folders exposed using 777 access rights? (Because their images didn't work or something like that).

- Hosts who do not bother to upgrade the osc core and users who use their "auto-install" feature. It's more work to install it locally and ftp the files, you see. Now you have the original ms2.2. (Check the 1064 posts and these are new users - people who installed osc recently, will give you a hint).

- Outdated templates which override the osc core with the older version. How many times have you read "I installed a template but it doesn't work"? Multiply that by a big number of users who "successfully" downgraded their osc and now have potential security problems, from known mysql XSS to say the least. (See mysql 5.x related questions like "unknown products_id" that give you a hint, and the posters swear they used the latest osc). They do install the latest osc and then they patch it with a template.....that uses an outdated osc core. So here we are, at square one again.

- How many times have you read "How to enable register globals", and the people prefer to set up the htaccess instead of installing the register globals module.

- And how can you tell if a store owner sub-contracts someone to do the job for him and install the osc? Time goes by; they left a back-door open. Negligence? On purpose? Hard to tell.

Also you have a bunch of other variables which are not store/server related. Like viruses. Just one of them gets in the kernel, hooks the keyboard driver say, and now they can monitor all the keystrokes. JScript/Active Scripting/Browser exploits, try-before-you-buy fake program exploits? Email phishing techniques?

There are way too many parameters you need to take into account.


Archived

This topic is now archived and is closed to further replies.
