whereangelsfall Posted February 17, 2008

Hi! Our webshop was hacked the other day, and now looks like this: http://shop.whereangelsfall.com/shop/

Does anybody know if we'll have to set up everything all over again? I've managed to forget how to log onto the admin area since I had the link favourited on another computer. *grin* :-"

Also.. this was a first timer. Does anybody have any tips as to how this might've happened and how to prevent it in the future?

Hope somebody is able to help! :)

germ Posted February 17, 2008

Your admin is here: http://shop.whereangelsfall.com/shop/admin

If you had the latest version of osC and "permissions" set correctly (folder = 755 files = 644) this isn't supposed to be possible.

It's also possible this wasn't your fault, but an exploit in the server itself.

If you can find the code modifications, you may not have to start over. How about comparing source files with your most recent backup? :unsure:

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.
"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me -
"Headers already sent" - The definitive help
"Cannot redeclare ..." - How to find/fix it
SSL Implementation Help
Like this post? "Like" it again over there >

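An added example, not part of the original thread and not osCommerce code: one way to run the two checks suggested in the post above, comparing the live shop files against the most recent backup and listing anything more permissive than folder = 755 / files = 644. The function names and the two directory arguments are assumptions made for this sketch.

```python
import hashlib
import os
import stat


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                files[os.path.relpath(full, root)] = sha256_of(full)
    return files


def compare_with_backup(live_root, backup_root):
    """Report files that differ from, were added to, or vanished from the backup."""
    live, good = snapshot(live_root), snapshot(backup_root)
    return {
        "modified": sorted(p for p in live if p in good and live[p] != good[p]),
        "added": sorted(p for p in live if p not in good),
        "missing": sorted(p for p in good if p not in live),
    }


def loose_permissions(root, file_mode=0o644, dir_mode=0o755):
    """List entries that grant any permission bit beyond 644 (files) / 755 (folders)."""
    findings = []
    for dirpath, dirs, names in os.walk(root):
        entries = [(d, dir_mode) for d in dirs] + [(n, file_mode) for n in names]
        for name, expected in entries:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & ~expected:
                findings.append((os.path.relpath(full, root), oct(mode)))
    return sorted(findings)
```

Files reported as "added" deserve as much attention as "modified" ones, since a replaced index file is often not the only change left behind.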
whereangelsfall Posted February 17, 2008

> Your admin is here: http://shop.whereangelsfall.com/shop/admin
>
> If you had the latest version of osC and "permissions" set correctly (folder = 755 files = 644) this isn't supposed to be possible.
>
> It's also possible this wasn't your fault, but an exploit in the server itself.
>
> If you can find the code modifications, you may not have to start over. How about comparing source files with your most recent backup? :unsure:

Thanks for linking the admin area. I feel kind of silly not to know that even. ;)

As for the latest version and permissions... I'm pretty sure the permissions were set correctly, but I most probably don't have the latest version installed.

Would the code modifications I'm looking for be in the index file? Backup isn't my strongest side, so in some ways I probably needed this to learn. heh..

Thanks again for the reply!

EDIT: Ok. I just logged in to the admin area. *cough* It looks exactly the same. These guys really did their job. ;)

germ Posted February 17, 2008

The most obvious place to start is your /shop/index.php file. There may also be changes in the DB and other source files as well.

Another source of hacking can be vulnerabilities in any mods you installed.

germ Posted February 17, 2008

If you Google this:

Hacked By SLFAR & Cyber_Error

you come up with a list, and most of them have nothing to do with osCommerce.

That implies a server vulnerability in my book, and not a "shortfall" in osC code.

whereangelsfall Posted February 17, 2008

> If you Google this:
>
> Hacked By SLFAR & Cyber_Error
>
> you come up with a list, and most of them have nothing to do with osCommerce.
>
> That implies a server vulnerability in my book, and not a "shortfall" in osC code.

Hm.. So you're saying it's the server itself which has been hacked, and there's nothing really I can do to fix it then? That would probably explain why the admin area looks the same too I suppose?

germ Posted February 17, 2008

All I'm saying is that IF it's a server problem, "fixing" your website may not do any good, 'cuz it could happen again.

Of course, the people that run the server will probably tell you it's an osC problem just to cover their backsides.

I'm really not sleuth enough to tell you how to prove one way or the other.

The first place would be to see what's in the server log for your site. That will tell you who's been into what, and when.

whereangelsfall Posted February 17, 2008

> All I'm saying is that IF it's a server problem, "fixing" your website may not do any good, 'cuz it could happen again.
>
> Of course, the people that run the server will probably tell you it's an osC problem just to cover their backsides.
>
> I'm really not sleuth enough to tell you how to prove one way or the other.
>
> The first place would be to see what's in the server log for your site. That will tell you who's been into what, and when.

Hmm.. I think I fell off somewhere here. Not sure how to access the server log. :-"

And I think the main website and the webshop are run on two different servers for some reason.

germ Posted February 17, 2008

Some web hosts give you access to a "shmancy-fancy" interface to see what's in your server log. Some may require you to find your own way in.

There are free server log viewing programs you can install.

All that's in the log is a record of what files were accessed and what time and from what IP address.

You may (or may not) be able to find out "how and when" they got in.

It would be a huge help if you knew approximately what time ("time" being the exact day) it was hacked. That would just enable you to concentrate on a much narrower part of your server log.

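An added example, not part of the original thread: a small reader for an Apache-style access log that keeps only the requests in a window before the time the defacement was noticed and groups them by IP address, as the post above suggests. The log lines are constructed for illustration (documentation IP ranges, a made-up form path), and the log format and function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# NCSA common/combined log line: client IP, [timestamp], "METHOD path ...", status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample, not taken from any real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Feb/2008:09:12:01 +0000] "GET /shop/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [16/Feb/2008:22:40:13 +0000] "POST /shop/example_form.php HTTP/1.1" 200 312',
    '198.51.100.7 - - [16/Feb/2008:22:41:02 +0000] "GET /shop/index.php HTTP/1.1" 200 804',
    '192.0.2.33 - - [16/Feb/2008:23:05:44 +0000] "GET /shop/ HTTP/1.1" 200 804',
    'truncated or malformed line',
]


def parse(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "method": method, "path": path, "status": int(status)}


def requests_near(lines, noticed_at, hours=24):
    """Group parsed requests by IP for the `hours` leading up to noticed_at."""
    start = noticed_at - timedelta(hours=hours)
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and start <= rec["time"] <= noticed_at:
            by_ip[rec["ip"]].append(rec)
    return dict(by_ip)


def non_read_clients(by_ip):
    """IPs that sent anything other than GET/HEAD in the window; read these first."""
    return sorted(ip for ip, recs in by_ip.items()
                  if any(r["method"] not in ("GET", "HEAD") for r in recs))
```

The modification time of the replaced index file is a reasonable value for `noticed_at` when the exact day is not known.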
Desertsky Posted February 17, 2008

There have been a large bunch of server hacks where all index.XXX files are changed. I had it happen to my sites. Many times, the hacks just try to add online viagra sites but they are so poorly executed that they don't work but report virus or trojan notices to your customers.

The easiest way to fix it is to just go in and delete the current index files and replace them with known good ones.

Then, scream at your hosting service to fix the server vulnerabilities! They know what they are!

web-project Posted February 18, 2008

> It's also possible this wasn't your fault, but an exploit in the server itself.

True, as a normal server usually has a firewall installed to protect the websites & the server itself against hackers' attacks.

Please read this line: Do you want to find all the answers to your questions? click here. As for contribution database it's located here!
8 people out of 10 don't bother to read installation manuals. I can recommend: if you can't read the installation manual, don't bother to install any contribution yourself.
Before installing contribution or editing/updating/deleting any files, do the full backup, it will save to you & everyone here on the forum time to fix your issues.
Any issues with oscommerce, I am here to help you.

whereangelsfall Posted February 20, 2008

Thanks for all the help and replies to this!

I noticed that our Gallery section is the same way. The gallery and webshop are on a separate server from the rest of the website, so I suppose it's something that's happened on that server. :)

EagerBeginner&Photo. Posted June 16, 2008

I just found out from this forum http://www.ozzu.com/hosting-forum/hosting-...rce-t45717.html that oscommerce has vulnerabilities because of register_globals ...here

"Register globals are a "directive" within php. The world is moving away from register globals - if they aren't used properly, they can create vulnerabilities... As of php 4.2.0, register globals is off by default in php - previously, they were on by default. A lot of applications still rely on register globals and as such, we are in a bit of a transition period. Some hosts choose to have them off, however, the majority are keeping them on for now - simply because a lot of the more common apps still require them (ie osCommerce) You can read more about this here: http://ca3.php.net/register_globals Andrew - http://www.cartikahosting.com "

So how can one use osCommerce and be protected?

spooks Posted June 16, 2008

> I just found out from this forum http://www.ozzu.com/hosting-forum/hosting-...rce-t45717.html that oscommerce has vulnerabilities because of register_globals ...here
>
> "Register globals are a "directive" within php. The world is moving away from register globals - if they aren't used properly, they can create vulnerabilities... As of php 4.2.0, register globals is off by default in php - previously, they were on by default. A lot of applications still rely on register globals and as such, we are in a bit of a transition period. Some hosts choose to have them off, however, the majority are keeping them on for now - simply because a lot of the more common apps still require them (ie osCommerce) You can read more about this here: http://ca3.php.net/register_globals Andrew - http://www.cartikahosting.com "
>
> So how can one use osCommerce and be protected?

REPEATING OURSELVES AREN'T WE!!

osC has been compatible with register globals off for some time.

You've just joined, shouldn't you check things out first!!

Sam

Remember, What you think I meant may not be what I thought I meant when I said it.
Contributions: Auto Backup your Database, Easy way
Multi Images with Fancy Pop-ups, Easy way
Products in columns with multi buy etc etc
Disable any Category or Product, Easy way
Secure & Improve your account pages et al.

Archived
This topic is now archived and is closed to further replies.