osCommerce

Site Hacked Warning


Trimast


Hi All,

Where to start!

I've a client that uses the Protx form payment method and has been doing so for 12 months. I had a call from them this morning, saying one of their customers had entered their credit card details into the payment form on the site and then been redirected to Protx.

On investigation I've found that somehow (not quite sure yet, still investigating) the Protx form has been changed to take credit card details on the site in a totally insecure way, then send the customer to Protx for further payment.

Upon further investigation, I've found a number of files have appeared on the server within the catalog/images folder:

cvv.html
yzx.txt
two image files for Mastercard and Amex

Additionally, the following files within catalog/ have all been modified:

index.php
create_account.php
login.php
tell_a_friend.php

Each modified file contains the following:

    // da edit xong

The login file contains this code at line 26:

    $password123 = $password;
    session_unregister("password123");
    session_register("password123");
    // da edit xong

Create account contains around line 55:

    $password123 = $password;
    session_unregister("password123");
    session_register("password123");
    // da edit xong

The index file contains:

    $td_query = tep_db_query("UPDATE `configuration` SET `configuration_value` = 'true' where `configuration_key` = 'ACCOUNT_DOB'");

at the bottom of the file.

Tell a Friend

The Tell a Friend file, however, is of most concern as this file has been modified to allow the hacker to upload other modified files.

My belief is that the tell a friend file was the first to be modified and then the hackers used this file to do their work, via uploading the other files.

--

As far as I can ascertain no other files have been modified / hacked.

If this is new to the community then everybody needs to be aware, as these people must know their way around OSC and which files to exploit.

My entire internal network is now undergoing a major security sweep to establish whether they got access via a malware application on one of our systems. We are also speaking with the hosting company to establish whether there have been any security breaches on the server.

If anybody has experienced this before and knows if there is a security breach or "hole" within OSC then if they could let me know so I can close it all up.

As soon as I've established how the changes to the Protx form have been made I'll update this post, in case somebody else is unfortunate enough to experience the same thing.

Regards,

Rob


Hi All,

Just to post an update:

After spending the past few hours going through each file, I've managed to find out that the hackers have also modified the catalog/checkout_confirmation.php page in a major way.

They are basically now running a DB query that extracts the customer's details, i.e. name, address, email, post code, date of birth etc., combining this with the posted credit card details and then emailing these to a Gmail address.

I've still not been able to establish how they are able to add the credit card details form into the payment page; however, I've now deleted the entire shopping cart and will be re-installing the shop in due course.

If anybody has any ideas as to how they've managed to do this, and even more importantly a security fix, I'd be delighted to know.

Regards,

Rob


I checked mine out and did not find this. I had some odd hacks earlier that looked like banking phishing scams. The hackers had somehow loaded fake bank websites and were directing them to my server to phish for account logins. I ended up reporting it to the server folks and then changing my passwords and deleting the fake sites.

I am now dealing with a new one and can't figure out if this is a hack or robots or what, but my FTP login keeps getting blocked from the server for security reasons and I noticed the event logs are filling up with hits like the following (hundreds of them):

[Wed Oct 10 06:02:29 2007] [error] [client 66.249.65.46] File does not exist: /home/pcbizus/public_html/jacksonmadeleine/webstore/images/infobox//golden-vicary-privet.html
[Wed Oct 10 05:59:47 2007] [error] [client 66.249.65.46] File does not exist: /home/pcbizus/public_html/jacksonmadeleine/webstore/images/infobox//unlock-lg-cell-phone.html

As you can see they go to the osC webstore/images dir and start hitting it looking for something - what does the // do in the middle of the link?


I found that the admin directory had the password protection disabled. I enabled it again, also after changing the passwords again, and found that the errors in the logs changed soon after.... hmmmm, looks like hackers to me...

[Thu Oct 11 01:12:50 2007] [error] PHP Warning: readfile(/home/pcbizus/public_html/jacksonmadeleine/webstore//images/corner_right.gif) [<a href='function.readfile'>function.readfile</a>]: failed to open stream: No such file or directory in /home/pcbizus/public_html/jacksonmadeleine/webstore/admin/file_manager.php on line 69
[Thu Oct 11 01:12:50 2007] [error] PHP Warning: readfile(/home/pcbizus/public_html/jacksonmadeleine/webstore//images/corner_left.gif) [<a href='function.readfile'>function.readfile</a>]: failed to open stream: No such file or directory in /home/pcbizus/public_html/jacksonmadeleine/webstore/admin/file_manager.php on line 69
[Thu Oct 11 01:12:50 2007] [error] PHP Warning: readfile(/home/pcbizus/public_html/jacksonmadeleine/webstore//images/arrow_right.gif) [<a href='function.readfile'>function.readfile</a>]: failed to open stream: No such file or directory in /home/pcbizus/public_html/jacksonmadeleine/webstore/admin/file_manager.php on line 69
[Thu Oct 11 01:07:51 2007] [error] [client 66.249.65.46] File does not exist: /home/pcbizus/public_html/jacksonmadeleine/webstore/images/infobox//quinceanos.html
[Thu Oct 11 01:02:46 2007] [error] [client 66.249.65.46] File does not exist: /home/pcbizus/public_html/jacksonmadeleine/webstore/images/infobox//chery-pie.html
[Thu Oct 11 00:57:43 2007] [error] [client 66.249.65.46] File does not exist: /home/pcbizus/public_html/jacksonmadeleine/webstore/images/infobox//kone-west.html

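Added example, not the poster's own tooling, that parses the two kinds of entries quoted in these two posts: the "File does not exist" hits, which all come from 66.249.65.46, an address inside Google's published crawler range 66.249.64.0/19, requesting .html pages under images/infobox/ that are no longer there; and the PHP readfile() warnings raised from admin/file_manager.php, which mean something was driving the admin file manager while, as the second post notes, the admin directory's password protection was disabled. The regexes assume the older Apache error-log layout shown (no module or PID fields); the sample lines are the ones quoted above, embedded so the script runs offline.

```python
"""Triage for the Apache error-log entries quoted in the thread.

Added example, not the poster's own tooling. Sample lines are the ones
from the posts; 66.249.64.0/19 is Google's published crawler range.
Paths are treated as opaque strings and nothing is touched on disk.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

GOOGLEBOT_NET = ip_network("66.249.64.0/19")

# "[date] [error] [client IP] File does not exist: /path"
MISSING_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)
# "[date] [error] PHP Warning: func(arg) ...: message in /script.php on line N"
PHPWARN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] PHP Warning: +(?P<func>\w+)\((?P<arg>[^)]*)\)"
    r".*? in (?P<script>\S+) on line (?P<line>\d+)$"
)

# The six lines quoted in the two posts above.
SAMPLE_LOG = """\
[Wed Oct 10 06:02:29 2007] [error] [client 66.249.65.46] File does not exist: /home/pcbizus/public_html/jacksonmadeleine/webstore/images/infobox//golden-vicary-privet.html
[Wed Oct 10 05:59:47 2007] [error] [client 66.249.65.46] File does not exist: /home/pcbizus/public_html/jacksonmadeleine/webstore/images/infobox//unlock-lg-cell-phone.html
[Thu Oct 11 01:12:50 2007] [error] PHP Warning: readfile(/home/pcbizus/public_html/jacksonmadeleine/webstore//images/corner_right.gif) [<a href='function.readfile'>function.readfile</a>]: failed to open stream: No such file or directory in /home/pcbizus/public_html/jacksonmadeleine/webstore/admin/file_manager.php on line 69
[Thu Oct 11 01:12:50 2007] [error] PHP Warning: readfile(/home/pcbizus/public_html/jacksonmadeleine/webstore//images/corner_left.gif) [<a href='function.readfile'>function.readfile</a>]: failed to open stream: No such file or directory in /home/pcbizus/public_html/jacksonmadeleine/webstore/admin/file_manager.php on line 69
[Thu Oct 11 01:12:50 2007] [error] PHP Warning: readfile(/home/pcbizus/public_html/jacksonmadeleine/webstore//images/arrow_right.gif) [<a href='function.readfile'>function.readfile</a>]: failed to open stream: No such file or directory in /home/pcbizus/public_html/jacksonmadeleine/webstore/admin/file_manager.php on line 69
[Thu Oct 11 01:07:51 2007] [error] [client 66.249.65.46] File does not exist: /home/pcbizus/public_html/jacksonmadeleine/webstore/images/infobox//quinceanos.html
[Thu Oct 11 01:02:46 2007] [error] [client 66.249.65.46] File does not exist: /home/pcbizus/public_html/jacksonmadeleine/webstore/images/infobox//chery-pie.html
[Thu Oct 11 00:57:43 2007] [error] [client 66.249.65.46] File does not exist: /home/pcbizus/public_html/jacksonmadeleine/webstore/images/infobox//kone-west.html
"""


def triage(lines):
    """Summarise probes for missing .html under images/ and admin file-manager reads."""
    probes = Counter()        # client IP -> requests for missing .html pages under images/
    crawler_clients = set()   # probing clients that sit in Google's crawler range
    manager_reads = []        # (path, script line) for readfile() in admin/file_manager.php
    double_slash = 0          # paths containing "//", a fingerprint for grouping
    for line in lines:
        line = line.rstrip("\n")
        m = MISSING_RE.match(line)
        if m:
            path = m.group("path")
            if "/images/" in path and path.endswith(".html"):
                probes[m.group("ip")] += 1
                if ip_address(m.group("ip")) in GOOGLEBOT_NET:
                    crawler_clients.add(m.group("ip"))
            if "//" in path:
                double_slash += 1
            continue
        m = PHPWARN_RE.match(line)
        if m and m.group("func") == "readfile" and m.group("script").endswith("admin/file_manager.php"):
            manager_reads.append((m.group("arg"), int(m.group("line"))))
            if "//" in m.group("arg"):
                double_slash += 1
    return {
        "probes": dict(probes),
        "crawler_clients": sorted(crawler_clients),
        "manager_reads": manager_reads,
        "double_slash_paths": double_slash,
    }


def triage_sample():
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(f"{key}: {value}")
```

On the `//`: a Unix filesystem treats an empty path component as nothing, so webstore//images/x.gif opens the same file as webstore/images/x.gif; the doubled slash usually means a setting that ends in "/" was concatenated with a path that begins with "/". It hides nothing, but it is a convenient fingerprint for grouping the requests, and the readfile() entries are worth correlating with the access log to see which client was using the file manager.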

Hi dougm,

My reading of what you have indicated is that Google was / is actually spidering these hacker pages and if you've removed them then they can no longer be found, or the // is sending them to a directory that does not exist - but this normally ignores the second /, so images//infobox/image.gif would be the same as images/infobox/image.gif.

Normally the // indicates that there is a missing directory between the two //; that is the only time I've ever encountered it and that is normally during the debugging of a script I've written, but it normally only affects things when you are using the full path and not a URL.

I'd check all of the files that you've mentioned, and the two directories, to check for any files that do not look right - download them to a new folder and then open them up in whatever web development software you use and check them, then delete them if they've been compromised and replace them with your original files (check them too first for compromise).

More importantly, have you established how they got in in the first place?

Rob


Do either of you have access to the web server logs themselves? That might help lead you to the source of the intrusion. Depending on the level of logging configured you might even be able to get a hint at where the attacker came from.

 

- Jim


That's one of the main reasons we don't even collect that data, let alone store it. We leave that to our third party payment solution provider - let them take the risk!



My server log files are changed every 24 hours so I've not been able to use those unfortunately - they were the first things I asked for though, but no joy.

As for storing CC details, if we do then we only store 8 digits randomly selected as per a sequence agreed with the client and then encrypted using a random key only known to the client - not even I know what the key is; the other 8 digits are then emailed as a block and the customer then matches them up as per the agreed sequence.

It does work well, as you need to know the exact sequence code and the random key, but where possible I prefer to send payments to Protx or WorldPay; that way I don't have to worry about these things too much!!


Archived

This topic is now archived and is closed to further replies.
