Sparklies, posted March 4, 2008:

Last night it seems my site was hacked and a fake IRS site was loaded into my space :angry: (having read some of the other threads here it seems I'm not the only one), my hosts have now cleared away all the extra files and are saying that the only way this could have happened is either someone using my password (unlikely) or an insecure script. Although I'm a programmer with many years experience, I'm a total noob when it comes to php, js et al, so I would appreciate some pointers as to how I can check my scripts for security issues, and rectify them if there are any. It does appear that 'they' were only camping in my space, so far I've not turned up any changes to my own site files.
Guest, posted March 4, 2008:

> Last night it seems my site was hacked and a fake IRS site was loaded into my space :angry: (having read some of the other threads here it seems I'm not the only one), my hosts have now cleared away all the extra files and are saying that the only way this could have happened is either someone using my password (unlikely) or an insecure script. Although I'm a programmer with many years experience, I'm a total noob when it comes to php, js et al, so I would appreciate some pointers as to how I can check my scripts for security issues, and rectify them if there are any. It does appear that 'they' were only camping in my space, so far I've not turned up any changes to my own site files.

The first questions I would ask are, what version of osCommerce are you running and what mods have you installed? I would be suspicious of mods first. I would change my passwords and check file permissions. I would also force users to log in before being able to access any pages that allow user input (other than search, create account, and log in).
Sparklies (author), posted March 4, 2008:

The first thing I did when I discovered the hack was to change my password. I've been trying to find out what version I'm running, but (call me stupid if you like) I can't find where that information is shown. The only mods I've installed since I first opened up shop have all involved me adding in new bits of code, no complete file replacements or new files added. Generally one or two lines of code at most and nothing suspicious. My file/folder permissions are all set to 644/755 as appropriate except the images and backups folders. Unfortunately it was the images folder that was hit. Thanks for the suggestion about only allowing user input after login, I'll look into that today. I don't think there are many pages that allow input, just Contact and Review (and I think the review already needs a login, not sure).
Guest, posted March 4, 2008:

> The first thing I did when I discovered the hack was to change my password. I've been trying to find out what version I'm running, but (call me stupid if you like) I can't find where that information is shown. The only mods I've installed since I first opened up shop have all involved me adding in new bits of code, no complete file replacements or new files added. Generally one or two lines of code at most and nothing suspicious. My file/folder permissions are all set to 644/755 as appropriate except the images and backups folders. Unfortunately it was the images folder that was hit. Thanks for the suggestion about only allowing user input after login, I'll look into that today. I don't think there are many pages that allow input, just Contact and Review (and I think the review already needs a login, not sure).

The next question would be, how much control do you have over server settings? If you have a VPS or dedicated server (or are on your own server), you can block file uploads (and open it up when you need to). I would also remove the reference to osCommerce on your catalog page to cut down on the Google hacking possibilities.
Sparklies (author), posted March 4, 2008:

I'm on a shared server, so I can't do any of that. I can get rid of the osCommerce refs though. Thanks. Have now found that I'm on osC 2.2ms2 so that's something :)
Guest, posted March 4, 2008:

> I'm on a shared server, so I can't do any of that. I can get rid of the osCommerce refs though. Thanks. Have now found that I'm on osC 2.2ms2 so that's something :)

I would make sure all of the security updates have been done. There were some important updates in August of 2006. You could also take a look at the most recent release candidate (the current one is 2.2rc2a).
Dennisra, posted March 4, 2008:

If you use "control panel" that would be the first suspect for password being stolen.
Sparklies (author), posted March 4, 2008:

Sorry about that, I tried to put the code in a codebox, it obv didn't work :\
Vger, posted March 4, 2008:

Well, at least I can confirm it's a hack. So no need to keep that file hanging around anywhere. However, part of the hack involved changing ownership (permissions) on the folders, so you need to check them all. No folders should have permissions higher than 755, so if your images folder needs 777 then get your hosts to fix the problem. If they provide cPanel then make sure they are using the very latest version.

Vger
Sparklies (author), posted March 4, 2008:

Thanks for that Vger. I've found another similar file elsewhere and a whole slew of files that have had their ownership changed. My guy is on it and I've changed all the folder permissions to 755 now. We'll see what happens. They do use CPanel but it's definitely up to date. None of which deals with my urges to perpetrate severe physical atrocities on the person responsible...
ozEworks, posted March 6, 2008:

Your cpanel logs should be able to provide you with information about who loaded that secure file you were talking about. If you cannot work it out and your support person cannot either, I suggest you ask your hosting company security team to look at it. Give them the file path and approximate date range to check. Don't forget to virus scan your PC.
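The two checks the thread converges on, folders or files with permissions wider than 755/644 and files changed or re-owned inside a date window, are easy to script. The following is an added example written for this page, not code from the thread, from osCommerce or from cPanel. It assumes a POSIX shell and `find` on the hosting account (so it works over SSH on shared hosting too), and the sample tree it builds is constructed for illustration: a 777 images folder holding a recently dropped world-writable page next to older, correctly permissioned files. Owner name, paths and dates are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread, osCommerce or cPanel): audit a web root
# for the symptoms discussed above. Lists directories and files that are
# group- or world-writable (wider than 755/644), files not owned by the
# account that should own the site, and files modified inside a date window,
# which is what a host's security team will ask for.

# Directories writable by group or others, i.e. wider than 755 (777 included).
find_loose_dirs() {
    find "$1" -type d \( -perm -020 -o -perm -002 \) -print | sort
}

# Regular files writable by group or others, i.e. wider than 644.
find_loose_files() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -print | sort
}

# Anything under the tree not owned by the expected account ($2): the
# "ownership changed" symptom Vger describes.
find_foreign_owner() {
    find "$1" ! -user "$2" -print | sort
}

# Regular files modified after $2 and not after $3, both given as POSIX
# touch -t timestamps (YYYYMMDDhhmm). Reference files keep this portable
# across find implementations that lack -newermt.
find_changed_between() {
    ref=$(mktemp -d)
    touch -t "$2" "$ref/start"
    touch -t "$3" "$ref/end"
    find "$1" -type f -newer "$ref/start" ! -newer "$ref/end" -print | sort
    rm -rf "$ref"
}

# Run all four checks against a web root and print a labelled report.
# $1 web root, $2 expected owner, $3/$4 start and end of the date window.
audit_tree() {
    echo "== directories wider than 755";        find_loose_dirs "$1"
    echo "== files wider than 644";              find_loose_files "$1"
    echo "== not owned by $2";                   find_foreign_owner "$1" "$2"
    echo "== files changed between $3 and $4";   find_changed_between "$1" "$3" "$4"
}

# Constructed sample tree (placeholder data, not a real site): a 777 images
# folder with a freshly dropped 666 page beside older 644 files.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/images" "$root/includes" "$root/backups"
    printf 'GIF89a' > "$root/images/logo.gif"
    printf '<?php\n' > "$root/includes/application_top.php"
    printf '<html>constructed dropped file</html>\n' > "$root/images/dropped.html"
    chmod 755 "$root" "$root/includes"
    chmod 777 "$root/images" "$root/backups"
    chmod 644 "$root/images/logo.gif" "$root/includes/application_top.php"
    chmod 666 "$root/images/dropped.html"
    # backdate the legitimate files; the dropped file keeps its current mtime
    touch -t 200801010000 "$root/images/logo.gif" "$root/includes/application_top.php"
    printf '%s\n' "$root"
}

# Usage: sh audit.sh /path/to/catalog ownername 200803030000 200803050000
# Owner defaults to the current account; the window defaults to a wide range.
if [ -d "${1:-}" ]; then
    audit_tree "$1" "${2:-$(id -un)}" "${3:-200803030000}" "${4:-210001010000}"
fi
```

The permission tests use octal masks (`-perm -020` for group write, `-perm -002` for world write) rather than a "not equal to 755" comparison, because writability by anyone other than the owner is the actual risk; a 750 folder is tighter than 755 and should not be flagged. The date window is what turns "something was dropped in images" into a concrete request for the host: the file path plus the interval in which its mtime falls.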