
Site Hacked for Phishing


Posted

G'day all

 

The other day, our site was hacked and files added to the images folder. Our ISP claims that the hackers got into the server via our OSC and then managed to infect 23 other sites.

 

The folder permissions are set to 744 and we included an index.html file in the folder. The files added were:

 

index.php

noimg.jpg

*mysqld.php

*/backups/config.php

 

and a folder named /client/

 

which includes the whole scam.

 

The thing is, the files above marked with the * and the /client/ directory were protected at a server level - with ftp access, we were unable to change the permissions, we were unable to delete the files and, in some cases, we were unable to open the files to read the contents. In the case of the noimg.jpg, we were able to open and read a page of unintelligible gibberish but there was actually no picture.

 

Now, as I said, the ISP says the whole thing was the fault of flaws in the OSC but have failed to supply us with the log of where the hack came in. I'm also concerned as to the ability of a hacker to:

 

1) place files in a 744;

2) change the permissions on the files to a root level which we have no ability to change;

 

We have the admin protected by .htaccess and that is, as far as we know, the only place that any upload is available to the outside world without getting ftp access.

 

I guess my question is, is all this possible or is our ISP jerking us around, looking for the easy solution to his server inadequacies?

 

Cheers

 

Grant

Posted

Your ISP shouldn't have anything to do with your site. They just provide the means to get to it. Your host is the one that would determine that. But, regardless, if a hacker can get to other sites through yours, then the server is not set up properly. If your host isn't willing to fix that problem you should change hosts right away since the same could happen to your site from others on the server, increasing your chances of being hacked.

 

Jack

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons

Posted

 

Thanks Jack,

I meant host and was pretty certain your answer was the one I was going to get.

 

In fact, we have a few sites on the same host and, after checking that none of our others was infected by this hack, we were informed by the host today that another had, in fact, been hit!

 

Will speak to my partner about removing the sites to a more secure server.

 

Cheers

 

Grant

Posted

Just had another from the host:

 

"Wrong. They can't get to other sites, only the sites with your shopping cart on it."

Posted

And another:

 

"Are they aware of a security hole which allows hackers into their software?" He says I should ask you all.

 

He continues, "The issue comes from the fact the shopping cart has an upload feature for the client to create products in the cart.

For a web script to be able to save the pictures of the product it needs a directory (and permissions) the web server user can save them to.

If there is a problem with the script, people can exploit it and use that area to save other things like this fake site. If you remove the perms then you can’t use the shopping cart correctly.

The best option is to correct the script so people can’t use it in the wrong way rather than a blanket removal of permissions."

 

Can this be so?

 

Our images folder is set to 744. Files within to 644. What else? We're currently implementing changes like:

 

- install the latest oscommerce updates

- password protect your admin (use complicated passwords that contain numbers and letters and both cases)

- turn off register globals (install register globals contribution)

- install the VVC contribution

- install the sitemonitor contribution

 

Is there any more?

Posted

 

I'd be very surprised if this were true, as why would your site be the only osCommerce site to be hit? :-/ Who is your host?

Posted
He continues, "The issue comes from the fact the shopping cart has an upload feature for the client to create products in the cart.

 

I'm pretty sure this functionality doesn't come with stock osC. Maybe you've installed this contribution, or one like it: http://addons.oscommerce.com/info/2890

 

There may be a vulnerability with one of the contributions you've added rather than the osC code itself. I know this doesn't get you closer to an answer immediately, but might give you some ideas about where to look to troubleshoot this.

 

Cheers,

Max

Posted

I agree with your host that your shop may have some security problems. However, if the server is set up correctly, anyone getting into your shop should not be able to see other accounts on the server. I could set up a shop on one of our servers and post access to it here. Anyone savvy enough could get into that shop and change all sorts of things. But they would not be able to get to any of the other sites on the server. If that were the case, there would be dozens of posts here daily asking how to prevent it. Yours is the first I've ever seen on the subject that I can recall. Your host says no one can get into your account because they are not osCommerce shops. What happens if a new account is added tomorrow that is osCommerce? So my original suggestion still holds: your host either needs to fix the problem or you should look for a host that knows how to set up a server.

 

Jack


Posted

 

I'm with onlinehosters; they seem to be secure. Never had any issues with them.

 

cheers

Posted
"Are they aware of a security hole which allows hackers into their software?" He says I should ask you all.

 

He continues, "The issue comes from the fact the shopping cart has an upload feature for the client to create products in the cart.

For a web script to be able to save the pictures of the product it needs a directory (and permissions) the web server user can save them to.

If there is a problem with the script, people can exploit it and use that area to save other things like this fake site. If you remove the perms then you can’t use the shopping cart correctly.

The best option is to correct the script so people can’t use it in the wrong way rather than a blanket removal of permissions."

 

Can this be so?

If that contribution uses the upload class that is normally only used in the admin, then that could very well be. By default (in the admin) the code does not say which extensions the images (like jpg, jpeg, tif, tiff, png, gif) may have. Everything is allowed:

  class upload {
    var $file, $filename, $destination, $permissions, $extensions, $tmp_filename, $message_location;

    function upload($file = '', $destination = '', $permissions = '777', $extensions = '') {

In the admin the code does not set those extensions (categories.php around line 81):

  $categories_image = new upload('categories_image');
  $categories_image->set_destination(DIR_FS_CATALOG_IMAGES);

  if ($categories_image->parse() && $categories_image->save()) {

I guess this should work to avoid scripts getting uploaded (at least with a "working" extension). The example code I suggest uses the code in admin!

  $valid_extensions = array("jpg", "jpeg", "gif", "png", "tiff", "tif"); // add whatever else you need
  $categories_image = new upload('categories_image');
  $categories_image->set_destination(DIR_FS_CATALOG_IMAGES);
  $categories_image->set_extensions($valid_extensions);
  $categories_image->set_permissions(744);

  if ($categories_image->parse() && $categories_image->save()) {
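As an added example, not Jan's patch and not osCommerce's upload class, here is a stand-alone PHP 7.1+ check that goes one step beyond the extension list: it also verifies that the bytes really are an image of the claimed type and lets the server, not the uploader, pick the stored filename. The function name, the sample files and the temp-directory paths are all constructed for this illustration.

```php
<?php
// Added example, not osCommerce code: validate a product image before it is
// written into a web-writable directory such as /images. An extension check
// alone lets a script saved as "noimg.jpg" through; the content check does not.

function validate_image_upload(string $tmp_path, string $client_name): array {
    // Allowed final extensions and the image type each one must actually contain.
    $allowed = ['jpg'  => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
                'gif'  => IMAGETYPE_GIF,  'png'  => IMAGETYPE_PNG];

    // 1. Never trust the client-supplied path; keep only the basename.
    $name = basename($client_name);

    // 2. Only the last extension counts, and it must be on the allowlist.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return [false, "extension '$ext' is not allowed"];
    }

    // 3. The bytes must parse as an image of the type the extension claims.
    $info = @getimagesize($tmp_path);
    if ($info === false || $info[2] !== $allowed[$ext]) {
        return [false, "content of '$name' is not a $ext image"];
    }

    // 4. Store under a server-generated name with a canonical extension,
    //    so the uploader never chooses what lands on disk.
    $stored = bin2hex(random_bytes(8)) . image_type_to_extension($info[2]);
    return [true, $stored];
}

// Constructed sample inputs so the example runs offline.
$dir = sys_get_temp_dir();
// A genuine 1x1 transparent GIF.
file_put_contents("$dir/real.gif",
    base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
// PHP source disguised with an image extension, like the noimg.jpg in this thread.
file_put_contents("$dir/noimg.jpg", "<?php echo 'not an image'; ?>");

foreach ([["$dir/real.gif",  'photo.gif'],
          ["$dir/noimg.jpg", 'noimg.jpg'],
          ["$dir/noimg.jpg", '../backups/config.php']] as [$path, $name]) {
    [$ok, $detail] = validate_image_upload($path, $name);
    echo ($ok ? 'accepted' : 'rejected'), ': ', $detail, PHP_EOL;
}
```

Pair this with a server-side rule that refuses to execute scripts from the images directory (under Apache with mod_php, `php_flag engine off` in an .htaccess placed there), since the host is right that the directory itself has to stay writable by the web server user.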

Posted

Thanks to all. I'm still firmly of the opinion that the host / server is at fault. One of the reasons we chose this shopping cart is the lack of posts regarding hacking attempts and how weak they were when they did occur.

 

As to the upload, this is the weird one: we only use the upload in the admin, which is protected, firstly, by htaccess and, secondly, by a password protected login. There is no other upload! And, how can they then upload a file with root permissions which we, as 'owners' can't delete?

 

I shall add the valid extensions script from Jan (thanks again) and, at least, that should cover the php files being uploaded via that feature.

 

Cheers

 

Grant

Posted

Jan, I have a question about your security fix. I do not have these lines in categories.php, which I suspect is because I use the image deletion contribution.

 

How can I make use of this code?

 

My image upload looks like this:

        $products_image->set_destination(DIR_FS_CATALOG_IMAGES.$addon);
        if ($products_image->parse() && $products_image->save()) {
          $products_image_name = $addon . $products_image->filename;
        } else {
          $products_image_name = (isset($HTTP_POST_VARS['products_previous_image']) ? $HTTP_POST_VARS['products_previous_image'] : '');
        }
      }
      break;
// BOF MaxiDVD: Modified For unlink_image

Posted

Tested & working! (on a heavily modded live shop)

 

ONLY WORKS for shops using MaxiDVD's image delete contribution. Anyone using a non-modded image upload on the osCommerce admin should use Jan Zonjee's code, posted above.

 

 

Simply REPLACE:

        $products_image->set_destination(DIR_FS_CATALOG_IMAGES.$addon);
        if ($products_image->parse() && $products_image->save()) {
          $products_image_name = $addon . $products_image->filename;
        } else {
          $products_image_name = (isset($HTTP_POST_VARS['products_previous_image']) ? $HTTP_POST_VARS['products_previous_image'] : '');
        }
      }
      break;
// BOF MaxiDVD: Modified For unlink_image

with:

        $valid_extensions = array("jpg", "jpeg", "gif"); // add whatever else you need
        $products_image->set_destination(DIR_FS_CATALOG_IMAGES.$addon);
        $products_image->set_extensions($valid_extensions);
        $products_image->set_permissions(744);
        if ($products_image->parse() && $products_image->save()) {
          $products_image_name = $addon . $products_image->filename;
        } else {
          $products_image_name = (isset($HTTP_POST_VARS['products_previous_image']) ? $HTTP_POST_VARS['products_previous_image'] : '');
        }
      }
      break;
// BOF MaxiDVD: Modified For unlink_image

 

BEFORE adding this: I could upload a .php or whatever to my shop and it would appear in /images.

AFTER: I can "upload", but the file is not recorded to the /images folder and the remaining product page looks like poo, but that doesn't matter, because anyone uploading anything other than an image through this field isn't worried about selling your products :)

 

Thanks for the post, Jan!
